W32/Bibrog.b@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 03/05/2003
Length: 245,760 bytes
Minimum DAT: 4252 (03/12/2003)
Updated DAT: 4253 (03/19/2003)
Minimum Engine: 5.1.00
Description Added: 03/05/2003
Description Modified: 03/14/2003 10:13 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update March 14, 2003 --
Low-Profiled notification was sent out on this virus variant. It was later determined that W32/Bibrog.c@MM is McAfee's designation for the variant described in the press.

This mass-mailing worm sends itself to all users found in the Outlook Address Book using MAPI. It also spreads via KaZaa, Grokster, Morpheus, and ICQ and attempts to steal passwords for access to various websites/services. It poses as a Big Brother game and contains a destructive payload.

Email Propagation
The worm arrives in an email message containing the following information:

Subject: FwdLa Academia Azteca
Body: La cacademia azteca (muy bueno) ¡no es virus!
Attachment: academia.exe

When the attachment is run, a shooting game is displayed.

The game functions as expected, while the virus works in the background performing the following tasks:
  1. Copies itself to the START UP folder as ITCH.EXE and ITCJ.EXE
  2. Copies itself to the WINDOWS (%WinDir%) directory as manzana.exe
  3. Copies itself to the SYSTEM (%SysDir%) directory as academia.exe
  4. Creates a 2 byte text file, %WinDir%\mai.vbs
  5. Creates several copies of webpages in the %My Documents% folder
    • acafug.htm
    • banamex.htm
    • citibank.htm
    • hotmail.htm
    • msn.htm
    • yahoo.htm

Upon reboot, ITCH.EXE and ITCJ.EXE are run, which results in the creation of 2 marker registry keys:
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ezzey\varia "cuento"
  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ezzey\varia "UpdateRegistry"

These registry keys are intended to track the number of times that the virus has run. However, during testing the virus failed to increment the "cuento" counter key beyond 0, so the intended payload is never carried out. The first time the virus is run, these keys are not created; they are created only after the system is restarted and ITCH.EXE in the START UP folder is called. The "cuento" key is an incremental count of the number of times ITCH.EXE has run. When the various "trigger" points occur, the virus carries out the corresponding payloads.

Payload

  1. The first time ITCH.EXE is run, the mass-mailing routine is carried out, two image files are dropped and one of them is set as the desktop wallpaper. Each time the system is restarted, the wallpaper image is changed.
  2. At some point later, the virus is intended to delete all .DBF, .DLL, .EXE, .GIF, .HTML, .JPG, .MP3, .MPG, and .ZIP files. This was not observed during testing.

Peer-To-Peer Propagation
The virus also spreads via KaZaa, Grokster, Morpheus, and ICQ by copying itself to the following locations:

  • KaZaA\My Shared Folder\Kylie_Minogue_screensaver.exe
  • KaZaA\My Shared Folder\Shakira_screensaver.exe
  • Grokster\My Grokster\Kylie_Minogue_screensaver.exe
  • Grokster\My Grokster\Shakira_screensaver.exe
  • Morpheus\My Shared Folder\Kylie_Minogue_screensaver.exe
  • Morpheus\My Shared Folder\Shakira_screensaver.exe
  • ICQ\shared files\Kylie_Minogue_screensaver.exe
  • ICQ\shared files\Shakira_screensaver.exe

Password Stealing
The virus drops several HTML documents in the MY DOCUMENTS folder. The documents contain forged copies of popular websites' login pages (Hotmail, MSN, Yahoo, etc.). The form actions have been replaced so that entered usernames and passwords are sent to the author via a Yahoo greetings form.

  • acafug.htm
  • banamex.htm
  • citibank.htm
  • hotmail.htm
  • msn.htm
  • yahoo.htm
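The form-action substitution described above is what gives the dropped pages away: the markup still looks like the brand's login page, but the password form posts to an unrelated host. The following Python check is an added example written for this description, not code from McAfee or from the worm; the expected-host allowlist and the sample hostnames and paths are constructed placeholders, not the worm's real relay address.

```python
"""Flag dropped HTML login pages whose password form posts off-brand (added
defender check, not part of the McAfee description or the worm's code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

class FormScanner(HTMLParser):
    """Collect each <form> action and whether the form holds a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def suspicious_forms(html, expected_hosts):
    """Return actions of password forms that post anywhere but expected_hosts."""
    scanner = FormScanner()
    scanner.feed(html)
    hits = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        url = urlparse(form["action"])
        host = (url.hostname or "").lower()
        on_brand = any(host == h or host.endswith("." + h) for h in expected_hosts)
        # A relative action only posts back to the page itself; the forged pages
        # instead use an absolute URL on an unrelated host (or a mailto: target).
        if (url.scheme in ("http", "https") and not on_brand) or url.scheme == "mailto":
            hits.append(form["action"])
    return hits

# Constructed samples: a forged hotmail.htm posting to a placeholder third-party
# form, and a page posting to the brand's own domain (hostnames are made up).
SAMPLE_FORGED = """<form method="post" action="http://greetings.example.invalid/send.cgi">
<input type="text" name="login"><input type="password" name="passwd"></form>"""
SAMPLE_GENUINE = """<form method="post" action="https://login.hotmail.com/post.srf">
<input type="password" name="passwd"></form>"""
```

Running `suspicious_forms(open(path).read(), {"hotmail.com"})` over each .htm in the user's documents folder flags only pages whose credential form leaves the expected domain, so a relative or same-brand action produces no hit.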

Symptoms

Presence of the following files:

  • %WinDir%\mai.vbs
  • %WinDir%\manzana.exe
  • %WinDir%\osiris.bmp
  • %WinDir%\quiettime.bmp
  • %Start Up Folder%\itch.exe
  • %Start Up Folder%\itcj.exe
  • %SysDir%\academia.exe

Method of Infection

This worm spreads via email. Once run, it installs itself on the local system, which is then used to spread the virus the next time Windows is restarted.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.