W32/Sixem.a@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 06/19/2006
Length: 68,952 bytes
Minimum DAT: 4788 (06/20/2006)
Updated DAT: 4788 (06/20/2006)
Minimum Engine: 5.1.00
Description Added: 06/19/2006
Description Modified: 06/22/2006 9:16 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

This threat was proactively detected as New Malware.b with DAT files that were more than 6 months old.  Additionally, email scanners may detect the infectious messages as Exploit-MIME.gen.

This worm may be received in an email message exhibiting the following characteristics:

From: (one of the following forged addresses)

  • hotnews@cnn.com
  • todaynews@cnn.com
  • kellyjast@hotmail.com
  • lindasal@gmail.com
  • newsreader@hotmail.com
  • mr.robs@yahoo.com

Subject: (one of the following)

  • Soccer fans killed five teens
  • Crazy soccer fans
  • Please reply me Tomas
  • My tricks for you
  • Naked World Cup game set
  • My sister whores, s**t i dont know

Body: (one of the following)

  • Soccer fans killed five teens, watch what they make on photos. Please report on this all who know.
  • Crazy soccer fans killed two teens, watch what they make on photos. Please report on this all who know.
  • Halo Markus, i sent my nude pics. Please reply me with you nude photos ;). Best regard You Sweet Kitty
  • I wait you photos from New York. I sent my pics where i naked for you. Please reply me. Linda Salivan
  • Nudists are organising their own tribute to the world cup, by staging their own nude soccer game, though it is not clear how the teams will tell each other apart. Good photos ;)
  • Emily Carr was an artist known for her prudery, but now the Portrait Gallery of Canada has acquired a nude self-portrait. View photos.

Attachment: (one of the following)

  • soccer_fans.jpg.exe
  • soccer_pics.jpg.exe
  • kelly_nude_imgs.jpg.exe
  • linda_bigtit.gif.exe
  • soccer_nudist.bmp.exe
  • emily_selfphoto.jpg.exe

The virus hopes to exploit the old MS01-020 vulnerability.  If that fails, the virus must be executed manually.  When the attached file is executed, the virus appears to do nothing at all.  In the background, the virus contacts a remote website to download and run another malicious file:

  • couplesexxx.com/tumbs/[censored]
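The lure characteristics above (forged sender, fixed subject list, image-named attachments that are really executables) translate directly into a mail-gateway triage rule. The following is an added example written for this page, not McAfee's or any vendor's code; it uses the sender, subject and attachment indicators exactly as listed, adds a generic double-extension check that is my own generalisation of the attachment names (any image extension followed by an executable one), and runs against two constructed messages embedded inline.

```python
"""Mail-gateway triage: score an inbound message against the lure characteristics listed above."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Indicators copied from the description above.
FORGED_SENDERS = {
    "hotnews@cnn.com", "todaynews@cnn.com", "kellyjast@hotmail.com",
    "lindasal@gmail.com", "newsreader@hotmail.com", "mr.robs@yahoo.com",
}
LURE_SUBJECTS = {
    "Soccer fans killed five teens", "Crazy soccer fans", "Please reply me Tomas",
    "My tricks for you", "Naked World Cup game set", "My sister whores, s**t i dont know",
}
KNOWN_ATTACHMENTS = {
    "soccer_fans.jpg.exe", "soccer_pics.jpg.exe", "kelly_nude_imgs.jpg.exe",
    "linda_bigtit.gif.exe", "soccer_nudist.bmp.exe", "emily_selfphoto.jpg.exe",
}
# Generic rule (my generalisation, not from the page): an image-looking name whose real extension is executable.
DOUBLE_EXT = re.compile(r"\.(?:jpe?g|gif|bmp|png)\.(?:exe|scr|pif|com|bat|cmd)$", re.IGNORECASE)


def attachment_names(msg: Message) -> list[str]:
    """Collect the filename of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def assess(raw: str) -> dict:
    """Return the matched indicators and a quarantine verdict for one RFC 822 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = msg.get("Subject", "").strip()
    names = attachment_names(msg)
    hits = []
    if sender in FORGED_SENDERS:
        hits.append("forged-sender")
    if subject in LURE_SUBJECTS:
        hits.append("lure-subject")
    if any(n.lower() in KNOWN_ATTACHMENTS for n in names):
        hits.append("known-attachment")
    if any(DOUBLE_EXT.search(n) for n in names):
        hits.append("double-extension")
    # A disguised executable alone is enough to hold the message; otherwise require two corroborating hits.
    return {"sender": sender, "attachments": names, "hits": hits,
            "quarantine": "double-extension" in hits or len(hits) >= 2}


# Constructed sample messages (the lure text is taken from the description above; recipients are placeholders).
SAMPLE_LURE = """\
From: hotnews@cnn.com
To: victim@example.invalid
Subject: Soccer fans killed five teens
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Soccer fans killed five teens, watch what they make on photos. Please report on this all who know.
--b1
Content-Type: application/octet-stream; name="soccer_fans.jpg.exe"
Content-Disposition: attachment; filename="soccer_fans.jpg.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

SAMPLE_BENIGN = """\
From: colleague@example.invalid
To: victim@example.invalid
Subject: Minutes from today
Content-Type: text/plain

See attached notes tomorrow.
"""

if __name__ == "__main__":
    print(assess(SAMPLE_LURE))
    print(assess(SAMPLE_BENIGN))
```

The double-extension rule is the part worth keeping after this campaign is gone: the sender and subject lists are trivially rotated by the author, but a `.jpg.exe` attachment has no legitimate use at a mail boundary.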

Symptoms

The virus installs itself in the WINDOWS SYSTEM directory as msctools.exe:

  • c:\Windows\System32\msctools.exe

Several registry run keys are created to load the worm at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "nsdevice"="C:\WINDOWS\SYSTEM32\msctools.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run "nsdevice"="C:\WINDOWS\SYSTEM32\msctools.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    RunServices "nsdevice"="C:\WINDOWS\SYSTEM32\msctools.exe"

An additional registry marker value is written:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL
    "mls"=run count

When the virus runs, it increments the run count.  If the run count is greater than 1, the virus will mass-mail itself.  If the run count is greater than 5, the virus will delete itself (but not remove the registry entries) and exit.

The virus tries to terminate processes with the following names:

  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPM.EXE
  • AVP.EXE
  • iamapp.exe
  • iamserv.exe
  • FRW.EXE
  • blackice.exe
  • blackd.exe
  • zonealarm.exe
  • vsmon.exe
  • VSHWIN32.EXE
  • VSECOMR.EXE
  • WEBSCANX.EXE
  • AVCONSOL.EXE
  • VSSTAT.EXE
  • OUTPOST.EXE
  • REGEDIT.EXE
  • NETSTAT.EXE
  • TASKMGR.EXE
  • MSCONFIG.EXE
  • NAVAPW32.EXE
  • NAVW32.EXE
  • UPDATE.EXE
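The persistence entries and the run-count marker described under Symptoms are what an incident responder would look for first on a suspect host, and the marker also tells them which stage the infection reached. The following is an added example, not McAfee's code: a small parser for a `reg export` (.reg) text file that reports any of the three startup values pointing at msctools.exe and decodes the `mls` run count against the thresholds stated above. The page does not say how the run count is stored, so the decoder accepts either a REG_DWORD or a quoted decimal string as an assumption; the sample export is constructed. Process termination is not covered here, since a registry export says nothing about it.

```python
"""Host triage: pull the Sixem persistence values and run-count marker out of a .reg export."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Indicators copied from the Symptoms section above.
DROPPED_BINARY = "msctools.exe"
RUN_VALUE_NAME = "nsdevice"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL"
MARKER_VALUE = "mls"
STARTUP_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


@dataclass
class Findings:
    persistence: list[str] = field(default_factory=list)  # key\value pairs that load msctools.exe
    run_count: Optional[int] = None
    stage: str = "no marker"


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser: {key (lower-cased): {value name (lower-cased): raw data}}.
    Multi-line hex values are not needed for these indicators and are ignored."""
    tree: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            tree[current][m.group(1).lower()] = m.group(2)
    return tree


def decode_count(raw: str) -> Optional[int]:
    """Accept dword:HEX or a quoted decimal string (value type is an assumption; the page does not state it)."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 3 and raw[0] == raw[-1] == '"' and raw[1:-1].isdigit():
        return int(raw[1:-1])
    return None


def stage_for(count: int) -> str:
    """Map the run count onto the behaviour thresholds stated in the description."""
    if count > 5:
        return "exceeded 5 runs: binary deletes itself, registry entries remain"
    if count > 1:
        return "mass-mailing active"
    return "installed, not yet mass-mailing"


def triage(reg_text: str) -> Findings:
    tree = parse_reg(reg_text)
    f = Findings()
    for key in STARTUP_KEYS:
        for name, data in tree.get(key.lower(), {}).items():
            if name == RUN_VALUE_NAME or DROPPED_BINARY in data.lower():
                f.persistence.append(f"{key}\\{name}")
    marker = tree.get(MARKER_KEY.lower(), {}).get(MARKER_VALUE)
    if marker is not None:
        f.run_count = decode_count(marker)
        if f.run_count is not None:
            f.stage = stage_for(f.run_count)
    return f


# Constructed sample export in reg.exe's format (backslashes are doubled inside string data).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"nsdevice"="C:\\WINDOWS\\SYSTEM32\\msctools.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"nsdevice"="C:\\WINDOWS\\SYSTEM32\\msctools.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
"mls"=dword:00000003
"""

if __name__ == "__main__":
    print(triage(SAMPLE_REG))
```

A run count above 5 with the `nsdevice` values still present is consistent with the self-deletion behaviour described above: the binary is gone but the orphaned startup entries remain, which is why they must be removed separately rather than assumed gone because the file is missing.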

Method of Infection

This virus spreads by emailing copies of itself to email addresses harvested from the infected system.  The virus targets addresses contained within files with the following file extensions:

  • wab
  • adb
  • msg
  • dbx
  • mbx
  • mdx
  • eml
  • nch
  • txt
  • tbb
  • tbi
  • html
  • htm
  • xml
  • doc
  • rtf
  • xls
  • sht

Addresses containing the following strings are avoided by the virus:

  • spam
  • abuse
  • root
  • .mil
  • .gov
  • admin
  • webmaster
  • support
  • submit
  • service
  • sendmail
  • secur
  • samples
  • ripe.
  • privacy
  • postmaster
  • pgp
  • panda
  • page
  • nothing
  • not
  • nodomai
  • nobody
  • mydomai
  • mozilla
  • linux
  • kernel
  • info
  • inpris
  • icrosof
  • ibm.com
  • help
  • gov.
  • google
  • foo.
  • aol
  • fido
  • example
  • contact
  • certific
  • bug
  • bsd
  • borlan
  • berkeley
  • avp
  • anyone
  • .edu
  • policy
  • anti
  • apache
  • cops
  • fbi
  • webmin
  • webmist
  • random
  • local
  • -@
  • @-
  • echo
  • anonymous
  • addres
  • user
  • defend
  • kaspersk
  • mcafee
  • microsof
  • norton
  • symantec
  • virus
  • reply
  • report

Harvested addresses are saved to a file named cats2.jpg in the WINDOWS SYSTEM directory:

  • c:\Windows\System32\cats2.jpg

The virus also posts harvested email addresses to a remote script page:

  • sextraf.com\ms\[censored]

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

-- Update June 20, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.vnunet.com/vnunet/news/2158638/worm-sticks-boot-world-cup

This mass-mailing virus spreads attached to email messages claiming to contain enticing pictures (such as World Cup related images, and naked photos).  The virus also attempts to terminate security software, download other malicious files, and relay harvested email messages back to the virus author.

Aliases

  • W32.Sixem.A@mm (Symantec)
  • W32/Sixem-A (Sophos)
  • Win32.Delf.V@mm (AVX)
  • Win32.HLLM.Soccer (DrWeb)
  • Worm/Soccer.A.1 (Avira)
  • WORM_STAC.A (Trend)
