W32/Browney.a.worm

Type: Virus
SubType: P2P Worm
Discovery Date: 01/31/2003
Length: 377,856 bytes
Minimum DAT: 4247 (02/12/2003)
Updated DAT: 4273 (06/25/2003)
Minimum Engine: 5.1.00
Description Added: 03/04/2003
Description Modified: 03/04/2003 11:58 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This is a peer-to-peer worm that spreads via KaZaa. The only purpose of the worm is to spread. It does not contain a damaging payload. When run, it copies itself to the %WinDir%\System32 directory as DirectXset.exe and creates a registry run key to load itself at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "DirectX64" = C:\WINDOWS\System32\DirectXset.exe

The worm queries the HKEY_CURRENT_USER\Software\KAZAA\LocalContent registry key to locate the last "Dir" value that is shared. It then creates a new shared directory entry, such as Dir4 = 012345:C:\WINDOWS\System32\Setup32\ and saves 26 copies of itself to this directory using the following filenames:
  • Audio Catalyst 2.1.exe
  • Borland Delphi 7 Crack.exe
  • CladDVD XP 2 by fosi.exe
  • GFI Languard V4 Beta.exe
  • How to use Languard.exe
  • Mc Affee anti Virus Scan Patch.exe
  • Medal of Honor by TNT Keygenerator.exe
  • Movie Jack 2.exe
  • MS Windows Keygenerator all Versions_XP_2k_ME_98_95 .exe
  • Nero 5.5.9.14 Full + All Plugins Updates + Serial Keygen.exe
  • Norton AntiVirus 2003 Crack by Reality.exe
  • Office XP Keygenerator.exe
  • Partition Magic 7.exe
  • PowerDVD 5 - Keygenerator.exe
  • ProgDVB 3.29.exe
  • Quake all Versions Keygenerator.exe
  • Sim City 4 Download FULL.exe
  • SimCity 4 No CD Crack.exe
  • Ultra edit 32 new version + serial.exe
  • Unreal 2003 cd Crack 4 Ver 2166.exe
  • Unreal 2003.exe
  • Unreal Tournament 2003 internet Keygenerator-NEW.exe
  • Winamp 4 Beta.exe
  • Windows Longhorn Alpha Security Patch.exe
  • WinDVD Platinum all languages.exe
  • Zone Alarm Security Patch - 2003.exe

A file, readthisworld.txt, is also saved to this directory. It contains the text "Steph.With nice brown eyes .. 4 ever."
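
The indicators described above can be checked against a host snapshot as sketched below. This is an added example, not part of the original description or of any vendor tool; the function names, the dictionary-based input format and the sample data are constructed for illustration, and flagging several .exe files of exactly 377,856 bytes in one share is an assumed heuristic built on the Length field.

```python
import ntpath
import re

# Indicators from the description above.
RUN_VALUE, DROPPED_NAME = "DirectX64", "directxset.exe"
MARKER_FILE = "readthisworld.txt"
WORM_LENGTH = 377_856  # bytes, the "Length" field
DIR_VALUE = re.compile(r"^Dir\d+$", re.IGNORECASE)

def norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def share_path(data):
    """Drop the numeric prefix of a LocalContent value ('012345:C:\\...')."""
    prefix, sep, rest = data.partition(":")
    return norm(rest if sep and prefix.isdigit() else data)

def triage(run_values, kazaa_values, listings, windir=r"C:\WINDOWS"):
    """run_values/kazaa_values: {value name: data}; listings: {dir: {file: size}}."""
    findings = []
    data = run_values.get(RUN_VALUE, "").strip('"')
    if ntpath.basename(data).lower() == DROPPED_NAME:
        findings.append(f"Run value {RUN_VALUE} -> {data}")
    dirs = {norm(d): files for d, files in listings.items()}
    for name, value in sorted(kazaa_values.items()):
        if not DIR_VALUE.match(name):
            continue
        path = share_path(value)
        if path.startswith(norm(windir) + "\\"):
            findings.append(f"{name} shares a folder under the Windows directory: {path}")
        files = {n.lower(): size for n, size in dirs.get(path, {}).items()}
        copies = [n for n, s in files.items() if n.endswith(".exe") and s == WORM_LENGTH]
        if len(copies) > 1:
            findings.append(f"{len(copies)} .exe files of {WORM_LENGTH} bytes in {path}")
        if MARKER_FILE in files:
            findings.append(f"{MARKER_FILE} present in {path}")
    return findings

# Constructed snapshot of an affected host (not real telemetry).
SAMPLE_RUN = {"DirectX64": r"C:\WINDOWS\System32\DirectXset.exe"}
SAMPLE_KAZAA = {"Dir0": r"012345:C:\My Shared Folder",
                "Dir4": "012345:C:\\WINDOWS\\System32\\Setup32\\"}
SAMPLE_LISTINGS = {
    r"C:\My Shared Folder": {"holiday.mp3": 4_112_384},
    r"C:\WINDOWS\System32\Setup32": {"Unreal 2003.exe": 377_856,
                                     "Winamp 4 Beta.exe": 377_856,
                                     "readthisworld.txt": 37},
}

if __name__ == "__main__":
    for line in triage(SAMPLE_RUN, SAMPLE_KAZAA, SAMPLE_LISTINGS):
        print(line)
```

Paths are compared case-insensitively with ntpath, so the check behaves the same when the snapshot is analysed on a non-Windows workstation.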

Symptoms

Presence of the aforementioned files.

Method of Infection

This worm spreads via the KaZaa peer-to-peer file-sharing network. When run, it creates a new KaZaa shared folder and copies itself to that location.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.HLLW.Affee (Symantec)
  • W32/Steph (Panda)
  • W32/Steph.A (F-Secure)
  • W32/Steph.a.worm
  • W32/Steph.worm
  • Worm.P2P.Steph (AVP)
  • WORM_STEPH.A (Trend)
