W32/Gool.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 02/10/2003
Length: 662,528 bytes (svr/worm)
Minimum DAT: 4247 (02/12/2003)
Updated DAT: 4474 (04/21/2005)
Minimum Engine: 5.1.00
Description Added: 02/10/2003
Description Modified: 02/13/2003 11:03 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

--- Update February 13, 2003 ---
The assessment of this threat was updated to Low-Profiled due to the article at The Register.co.uk: P2P virus fakes nude Zeta Jones pics

McAfee products using the 4198 - 4246 DATs proactively detect the worm/backdoor server component of this threat as 'virus or variant New BackDoor1' with program heuristics enabled.

This detection is for a remote access trojan whose server component is a worm, intended to propagate via two channels:

  • KaZaa P2P file-sharing networks (under various enticing filenames)
  • mIRC channels (as RealWayToHack.exe)

The worm terminates processes relating to a significant number of anti-virus and security products if they are running.

Once running on the victim machine, the worm opens a port (default 31337, but this is configurable) on which the hacker can connect using the client component described below. A public script library is used to send a notification to the hacker via HTTP. The notification contains the following information (the IP address and port number will obviously vary):

from=iGLOO
fromemail=iGLOO@iGLOOMAiL.COM
subject=iGLOO
body=iGLOO
Remote IP : A.B.C.D
Remote Port : 31337
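The fixed field values above are the useful detection handle: the IP address and port differ per victim, but the from/fromemail/subject values do not. The following is an added example (not part of the original write-up and not the worm's own code) that checks HTTP POST form bodies from a proxy or web-server log for that beacon and pulls out the advertised IP and port. The sample records, the client addresses and the script URL (`http://example.invalid/mailer-script`) are constructed placeholders; the write-up does not name the public script library that was abused, and the layout of the sample body (the Remote IP/Port text inside the `body` field) is an assumption, which is why the code searches the whole decoded body rather than one field.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote_plus

# Fixed field values quoted in the write-up; only the IP and port vary per victim.
BEACON_FIELDS = {
    "from": "iGLOO",
    "fromemail": "iGLOO@iGLOOMAiL.COM",
    "subject": "iGLOO",
}
# "Remote IP : A.B.C.D" / "Remote Port : 31337" as the notification text shows them.
REMOTE_IP_RE = re.compile(r"Remote IP\s*:\s*(\d{1,3}(?:\.\d{1,3}){3})")
REMOTE_PORT_RE = re.compile(r"Remote Port\s*:\s*(\d{1,5})")


def inspect_post_body(body: str) -> Optional[Dict[str, object]]:
    """Return the advertised IP and port if a form body is the worm's beacon, else None."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if any(fields.get(k) != v for k, v in BEACON_FIELDS.items()):
        return None
    # Assumption: the Remote IP/Port lines may sit in any field, so search the whole decoded body.
    decoded = unquote_plus(body)
    ip = REMOTE_IP_RE.search(decoded)
    port = REMOTE_PORT_RE.search(decoded)
    return {
        "remote_ip": ip.group(1) if ip else None,
        "remote_port": int(port.group(1)) if port else None,
    }


def scan_posts(records: List[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """records = (client_ip, url, form_body) taken from a proxy or web-server log.
    Returns one hit per matching beacon; client_ip is the host that sent it."""
    hits: List[Dict[str, object]] = []
    for client_ip, url, body in records:
        beacon = inspect_post_body(body)
        if beacon:
            hits.append({"client_ip": client_ip, "url": url, **beacon})
    return hits


# Constructed sample traffic (not captured from a real infection); the URL is a placeholder.
SAMPLE_POSTS = [
    ("10.0.0.5", "http://example.invalid/mailer-script",
     "from=iGLOO&fromemail=iGLOO%40iGLOOMAiL.COM&subject=iGLOO"
     "&body=iGLOO+Remote+IP+%3A+192.0.2.10+Remote+Port+%3A+31337"),
    ("10.0.0.6", "http://example.invalid/mailer-script",
     "from=alice&fromemail=alice%40example.com&subject=hello&body=hi"),
]

if __name__ == "__main__":
    for hit in scan_posts(SAMPLE_POSTS):
        print(hit)
```

The `client_ip` in a hit is the infected host to investigate; the `remote_port` tells you which listening port to expect on it (31337 unless the configuration component changed it), which is what the "unexpected port open" symptom further down refers to.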

Configuration Component

This component enables the hacker to configure the port opened by the server component, and the target recipient UIN number for the notification upon successful installation.

Client Component

This is the component used by the hacker to access the compromised machine. Once connected the hacker can perform various actions, some trivial, others highly damaging. Functionality includes:

  • display messages
  • show/hide taskbar, desktop etc.
  • clear CMOS
  • crash machine
  • consume memory
  • find file
  • upload file
  • file manager
  • initiate keylogger
  • capture screen
  • retrieve OS details
  • retrieve PC details

Symptoms

  • existence of the directory C:\WINDOWS\SYS32, containing many identical copies of the worm with enticing filenames (see list below)
  • an unexpected port open on the machine
  • AV and/or security software unexpectedly terminated on machine
  • existence of the files and Registry keys mentioned below

Method of Infection

The server terminates processes relating to a significant number of anti-virus and security products if they are running.

It copies itself into the Windows System directory as EXPLORER.EXE and REALWAYTOHACK.EXE, and sets a Registry key to hook system startup, for example:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"EXPLORER" = C:\Windows\System\EXPLORER.EXE

The server also drops a VBS script, EXPLORER.VBS (7,425 bytes), in order to spread via mIRC channels. This script component is detected as VBS/Dismissed with the indicated DATs. The activity of this script is described below.

The following key is also added:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"RegisteredOrganization" = http://www.crash.com

KaZaa Propagation

In its attempt to spread via KaZaa networks, the server makes multiple copies of itself in the following directory, using filenames designed to entice other users.

C:\WINDOWS\SYS32

A selection of the possible 224 filenames is listed below:

  • Britney.jpg.exe
  • host_faker.jpg.exe
  • host_spoofer.jpg.exe
  • ip_spoofer.jpg.exe
  • ip_faker.jpg.exe
  • ident_spoofer.jpg.exe
  • ident_faker.jpg.exe
  • tripod_hacker.jpg.exe
  • tripod_cracker.jpg.exe
  • hotmailhacker.jpg.exe
  • hotmailcracker.jpg.exe
  • hotmail_account_sniffer.jpg.exe
  • aimhacker.jpg.exe
  • aimcracker.jpg.exe
  • icqhacker.jpg.exe
  • icqcracker.jpg.exe
  • msnhacker.jpg.exe
  • msncracker.jpg.exe
  • winxp_hacker.jpg.exe
  • winxp_cracker.jpg.exe
  • winxphack.jpg.exe
  • winxp_crack.jpg.exe
  • win2k_serial.jpg.exe
  • yahoo_cracker.jpg.exe
  • yahoo_hacker.jpg.exe
  • divx_fix.jpg.exe
  • divx_repair.jpg.exe
  • ftp_hacker.jpg.exe
  • ftp_cracker.jpg.exe
  • porn_account_hacker.jpg.exe
  • porn_account_cracker.jpg.exe
  • catherine_zeta_jones_nude.jpg.exe
  • catherine_zeta_jones_naked.jpg.exe
  • pamela_anderson_nude.jpg.exe
  • pamela_anderson_naked.jpg.exe
  • buttman.jpg.exe
  • sarah_michelle_gellar_nude.jpg.exe
  • sarah_michelle_gellar_naked.jpg.exe
  • sandra_bullock_nude.jpg.exe
  • sandra_bullock_naked.jpg.exe
  • anastasia_anal.jpg.exe
  • anastasia_naked.jpg.exe
  • anastasia_nude.jpg.exe

The following Registry keys are set such that the relevant directory is shared over the KaZaa network:

HKEY_CURRENT_USER\Software\Kazaa\LocalContent "dir0"
HKEY_CURRENT_USER\Software\Kazaa\LocalContent "dir1"
HKEY_CURRENT_USER\Software\Kazaa\LocalContent "dir2"
HKEY_CURRENT_USER\Software\Kazaa\LocalContent "dir3"
HKEY_CURRENT_USER\Software\Kazaa\LocalContent "dir4"
HKEY_CURRENT_USER\Software\Kazaa\LocalContent "dir5"

all set to:

012345:C:\Windows\sys32

The following key is set to ensure file-sharing is enabled:

HKEY_CURRENT_USER\Software\Kazaa\LocalContent "DisableSharing" = 0

mIRC Propagation

The script EXPLORER.VBS (7,425 bytes) is dropped into the Windows System directory. This script traverses C:\ (recursively) looking for MIRC.INI and MIRC.DAT files. If found, modifications are made to the files. MIRC.INI is modified such that upon connecting, the following message is sent:

Type ***| !Hacks for my list of Hacks |***

If another user on the channel types !Hacks, they receive a message containing the following instruction:

Type !RealWayToHack for a Help with hacking

If this is typed, RealWayToHack.EXE is sent to them.
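The Symptoms, Method of Infection, KaZaa Propagation and mIRC Propagation sections together give a set of host indicators: the Run entry pointing at EXPLORER.EXE in the System directory, the RegisteredOrganization marker, the KaZaa LocalContent `dirN` values pointing at `sys32` with `DisableSharing` forced to 0, a directory full of identically sized double-extension executables, and the lure strings planted in MIRC.INI. The following is an added example (not part of the original write-up) that checks each of those from artefacts an analyst can collect offline: a `regedit` export, a directory listing and the INI text. All sample inputs are constructed: the export mirrors the keys listed above, the listing uses the 662,528-byte length from the header for the decoy copies, and only the lure text in the INI sample comes from the write-up (the surrounding INI layout is made up). The double-extension check also accepts `.jpeg`, `.gif` and `.bmp` decoys, a generalisation beyond the `.jpg.exe` names the write-up lists.

```python
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
KAZAA_KEY = r"HKEY_CURRENT_USER\Software\Kazaa\LocalContent"
MIRC_LURES = ("!Hacks", "!RealWayToHack", "RealWayToHack.exe")  # strings quoted in the write-up
# The write-up lists only .jpg.exe decoys; the other image extensions are a generalisation.
DOUBLE_EXT_RE = re.compile(r"\.(jpg|jpeg|gif|bmp)\.exe$", re.IGNORECASE)

# --- Constructed sample inputs (not from a real infection) -------------------
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"EXPLORER"="C:\\Windows\\System\\EXPLORER.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"RegisteredOrganization"="http://www.crash.com"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"DisableSharing"=dword:00000000
"dir0"="012345:C:\\Windows\\sys32"
"dir1"="012345:C:\\Windows\\sys32"
"""
# (name, size) as a listing of C:\WINDOWS\SYS32 might show; size is the length from the header.
SAMPLE_SYS32_LISTING: List[Tuple[str, int]] = [
    ("Britney.jpg.exe", 662528),
    ("ip_spoofer.jpg.exe", 662528),
    ("winxp_cracker.jpg.exe", 662528),
    ("readme.txt", 120),
]
# Only the lure text is from the write-up; the surrounding INI layout is made up.
SAMPLE_MIRC_INI = "[mirc]\nnick=user\n[lure]\nmsg=Type ***| !Hacks for my list of Hacks |***\n"

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[Tuple[str, str], object]:
    """Parse a regedit export into {(key_path, value_name): value}.
    Only REG_SZ ("...", with doubled backslashes unescaped) and dword:XXXXXXXX are handled."""
    values: Dict[Tuple[str, str], object] = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = REG_VALUE_RE.match(line)
        if not (vm and key):
            continue
        name, raw = vm.group(1), vm.group(2)
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            values[(key, name)] = raw[1:-1].replace("\\\\", "\\")
        elif raw.lower().startswith("dword:"):
            values[(key, name)] = int(raw[6:], 16)
    return values


def registry_findings(values: Dict[Tuple[str, str], object]) -> List[str]:
    """Match the Registry indicators the write-up lists."""
    findings: List[str] = []
    sharing_disabled = None
    for (key, name), val in values.items():
        k = key.lower()
        if k == RUN_KEY.lower() and isinstance(val, str) and val.lower().endswith(r"\system\explorer.exe"):
            findings.append(f"startup hook: Run\\{name} = {val}")
        elif k == IE_MAIN_KEY.lower() and name == "RegisteredOrganization" and val == "http://www.crash.com":
            findings.append("infection marker: IE RegisteredOrganization = http://www.crash.com")
        elif k == KAZAA_KEY.lower() and name.lower() == "disablesharing":
            sharing_disabled = val
        elif k == KAZAA_KEY.lower() and name.lower().startswith("dir") and isinstance(val, str):
            path = val.split(":", 1)[1] if ":" in val else val  # "012345:<path>" form
            if path.lower().rstrip("\\").endswith(r"\sys32"):
                findings.append(f"KaZaa share: {name} = {path}")
    if sharing_disabled == 0 and any(f.startswith("KaZaa share") for f in findings):
        findings.append("KaZaa sharing forced on (DisableSharing = 0) for the sys32 share")
    return findings


def suspicious_share_files(listing: List[Tuple[str, int]], min_copies: int = 3) -> Dict[int, List[str]]:
    """Group double-extension executables by size: many files of one size are copies of one binary."""
    by_size: Dict[int, List[str]] = {}
    for name, size in listing:
        if DOUBLE_EXT_RE.search(name):
            by_size.setdefault(size, []).append(name)
    return {s: names for s, names in by_size.items() if len(names) >= min_copies}


def mirc_ini_findings(text: str) -> List[str]:
    """Report which of the lure strings appear in a MIRC.INI (or mIRC script) file."""
    lowered = text.lower()
    return [lure for lure in MIRC_LURES if lure.lower() in lowered]


if __name__ == "__main__":
    for f in registry_findings(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("REG  ", f)
    for size, names in suspicious_share_files(SAMPLE_SYS32_LISTING).items():
        print("FILES", f"{len(names)} decoys of {size} bytes:", ", ".join(names))
    print("MIRC ", mirc_ini_findings(SAMPLE_MIRC_INI))
```

The size-clustering check is deliberately not tied to the 662,528-byte figure: the point of the symptom is that the directory holds many identical copies under different names, so any cluster of double-extension executables sharing one size is worth a look, whatever the binary's length.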

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.