W32/Nicehello@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 03/10/2003
Length: 99,328 bytes
Minimum DAT: 4252 (03/12/2003)
Updated DAT: 4307 (12/03/2003)
Minimum Engine: 5.1.00
Description Added: 03/10/2003
Description Modified: 03/17/2003 9:22 AM (PT)
Risk Assessment (Corporate User): Low-Profiled
Risk Assessment (Home User): Low-Profiled

Characteristics

--Update March 17, 2003--
Due to a decrease in prevalence, the Home User risk assessment has been lowered from Medium to Low-Profiled.

-- Update March 12, 2003--
This worm has been raised to a Medium Risk Assessment for home users due to an increase in prevalence among home users only. The Corporate Risk Assessment has been updated to Low-Profiled as well. Users with Hotmail addresses in MSN Messenger are especially vulnerable to this worm. The latest DATs released today will detect and clean this worm.

This mass-mailing worm emails itself to all addresses found on the MSN Messenger contact list. It also sends the MSN Messenger username and password to the virus author in an email message. The virus does contain several errors, but replication was observed with the English version of Windows. It arrives in an email message with the following information:

Subject: Animaciones en flash de nuestros politicos
Body: Mira las animacio nes sobre la clase politica del pais, recuerda que es solo para vos
Attachment: Politicos.exe
or
Subject: Video de la ultima reunion de amigos, recuerda que es solo para vos
Body: Hola, te mando el video de la ultima fiesta, no se ve muy bien pero algo es algo, recuerda que es solo para vos
Attachment: Video.exe
or
Subject: Fotos ultima fiesta
Body: Hola, como estas, te mando las fotos de la ultima fiesta, por cierto tienes una cara!!!. , recuerda que es solo para vos. bye
Attachment: Fotos.exe
or
Subject: ahora el juego va a funcionar
Body: El parche para el juego que mas te gusta, esta comprimido, recuerda que es solo para vos
Attachment: ParcheJuego.exe
or
Subject: Presentaciones PowerPoint
Body: Las presentaciones en power point que tenia que mandarte, estan comprimidas en el archivo adjunto, recuerda que es solo para vos
Attachment: Presentaciones.exe
or
Subject: Datos ultimo trimistre
Body: Los datos del ultimo trimestre esta en el archivo adjunto, estan comprimidos, recuerda que es solo para vos
Attachment: Datos.exe
or
Subject: Actualizacion de programa
Body: Recien puedo enviarte la actualizacion, es que tuve mucho trabajo, recuerda que es solo para vos
Attachment: Actualizacion.exe
or
Subject: parche
Body: El parche del programa que me pediste. Cualquier cosa estoy para ayudarte. recuerda que es solo para vos
Attachment: Parche.exe
or
Subject: Mis primeras animaciones
Body: Te mando la primera animación en flash sobre nuestros amigos; espero tus comentarios, recuerda que es solo para vos
Attachment: Animacion.exe
or
Subject: Codigo fuente
Body: Hola, te mando el codigo fuente que te prometi, esta comprimido; ya sabes esto es solo para vos!!. Saludos
Attachment: Codigo.exe

The mail header contains the field:
  • X-Library: Indy 8.0.25
(This is hardcoded in the virus)

When the attachment is run, a fake error message may be displayed (under WinNT/2K/XP).

The virus attempts to copy itself, as Sys64dvr.exe, to the following locations:
  • c:\windows\system
  • c:\winnt\system32
Due to a bug in the code (the directory path and the filename are joined without a path separator), the file may instead be written as:
  • c:\windows\systemsys64dvr.exe
  • c:\winnt\system32sys64dvr.exe
A registry key is created to run the worm with the intended filename:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System 64 Driver for Games" = sys64dvr.exe

Symptoms

Presence of the following files:

  • sys64dvr.exe
  • systemsys64dvr.exe
  • system32sys64dvr.exe
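The dropped-file and Run-key artifacts above are easy to check for in a consistent way if the malformed paths are derived from the same bug that produced them. The following is an added example and not McAfee's code or the scanner's own logic: it works on a snapshot of a host (a list of file paths plus the values under the Run key) so that it runs anywhere; on a live Windows host the snapshot would be built from a directory walk and the registry. The sample snapshot at the bottom is constructed, not captured from an infected machine.

```python
"""Host-side artifact check for W32/Nicehello@MM.

Added example, not McAfee's code. Works on a snapshot (file paths plus
Run-key values) so it runs offline; the sample snapshot is constructed.
"""
import ntpath

WORM_FILENAME = "sys64dvr.exe"
TARGET_DIRS = (r"c:\windows\system", r"c:\winnt\system32")
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "System 64 Driver for Games"


def expected_artifacts() -> set[str]:
    """Every path the worm may produce: the intended file under each target
    directory, and the malformed path that results from concatenating the
    directory and the filename without a path separator (the worm's bug)."""
    paths = set()
    for d in TARGET_DIRS:
        paths.add(ntpath.join(d, WORM_FILENAME).lower())  # c:\windows\system\sys64dvr.exe
        paths.add((d + WORM_FILENAME).lower())            # c:\windows\systemsys64dvr.exe
    return paths


def scan_snapshot(files, run_values) -> dict:
    """files: iterable of full paths on the host.
    run_values: {registry key path: {value name: value data}}.
    Returns the artifacts found, grouped by kind."""
    wanted = expected_artifacts()
    present = sorted(p for p in files if p.lower() in wanted)
    # The same filename anywhere else (e.g. a copy on another volume) is
    # still worth reporting, just under a separate heading.
    elsewhere = sorted(
        p for p in files
        if p.lower() not in wanted
        and ntpath.basename(p).lower().endswith(WORM_FILENAME)
    )
    # The Run value on the page holds only the bare filename, so match on
    # either the value name or the filename in the data.
    autorun = []
    for name, data in run_values.get(RUN_KEY, {}).items():
        if name == RUN_VALUE_NAME or WORM_FILENAME in str(data).lower():
            autorun.append((name, data))
    return {"files": present, "files_elsewhere": elsewhere, "autorun": autorun}


def is_infected(findings: dict) -> bool:
    """Any dropped file or autorun entry is enough to flag the host."""
    return bool(findings["files"] or findings["files_elsewhere"] or findings["autorun"])


# Constructed snapshot of an infected Windows 2000 host (not a real capture).
SAMPLE_FILES = [
    r"C:\WINNT\system32\kernel32.dll",
    r"C:\WINNT\system32sys64dvr.exe",  # malformed copy from the separator bug
    r"C:\WINNT\system32\notepad.exe",
]
SAMPLE_RUN = {
    RUN_KEY: {
        "Synchronization Manager": "mobsync.exe /logon",
        RUN_VALUE_NAME: "sys64dvr.exe",
    }
}

if __name__ == "__main__":
    result = scan_snapshot(SAMPLE_FILES, SAMPLE_RUN)
    print("infected" if is_infected(result) else "clean", result)
```

Because the malformed path lands one directory up from the intended one, a check that only walks the two target directories misses it; deriving both forms from the directory list keeps the two in step.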

Method of Infection

The worm sends an email message to each address found on the MSN Messenger contact list using its own SMTP engine. It also sends the following message:

From: nemesis@olimpo.com
To: jcrivas77@yahoo.com
Subject: Hello World :-) have a nice day %infected user's MSN Messenger logon name%
Body: %infected user's MSN Messenger logon name/password encrypted%
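Both the lure messages listed under Characteristics (fixed subject and attachment name, plus the hardcoded X-Library header) and the credential message above (fixed recipient and subject prefix) can be matched at a mail gateway. The following is an added example, not McAfee's code and not taken from the worm: it parses one raw message with the Python standard library and reports which of the page's indicators it carries. The X-Library header is treated as a weak signal on its own, since Indy is an ordinary Delphi networking component, and is only used to corroborate a known attachment name. The three sample messages are constructed, not captured.

```python
"""Mail-gateway indicator check for W32/Nicehello@MM.

Added example, not McAfee's code. Indicators come from the description;
the sample messages are constructed.
"""
from email import policy
from email.parser import BytesParser

# Lure subject -> attachment name, as listed in the description.
LURE_ATTACHMENTS = {
    "Animaciones en flash de nuestros politicos": "Politicos.exe",
    "Video de la ultima reunion de amigos, recuerda que es solo para vos": "Video.exe",
    "Fotos ultima fiesta": "Fotos.exe",
    "ahora el juego va a funcionar": "ParcheJuego.exe",
    "Presentaciones PowerPoint": "Presentaciones.exe",
    "Datos ultimo trimistre": "Datos.exe",
    "Actualizacion de programa": "Actualizacion.exe",
    "parche": "Parche.exe",
    "Mis primeras animaciones": "Animacion.exe",
    "Codigo fuente": "Codigo.exe",
}
KNOWN_ATTACHMENT_NAMES = {v.lower() for v in LURE_ATTACHMENTS.values()}
HARDCODED_LIBRARY_HEADER = "Indy 8.0.25"
EXFIL_RECIPIENT = "jcrivas77@yahoo.com"
EXFIL_SUBJECT_PREFIX = "Hello World :-) have a nice day"


def nicehello_indicators(raw: bytes) -> list[str]:
    """Return the indicators found in one raw RFC 5322 message, in a fixed order."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    subject = (msg["Subject"] or "").strip()
    attachments = [p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()]

    # Hardcoded header: weak on its own (Indy is a legitimate library).
    if (msg["X-Library"] or "").strip() == HARDCODED_LIBRARY_HEADER:
        found.append("x-library-header")

    # Lure mail: known subject paired with its known executable attachment.
    expected = LURE_ATTACHMENTS.get(subject)
    if expected and expected.lower() in attachments:
        found.append(f"lure:{expected}")
    elif any(a in KNOWN_ATTACHMENT_NAMES for a in attachments):
        found.append("known-attachment-name")

    # Outbound credential message to the hardcoded mailbox.
    recipients = ",".join(str(msg[h]) for h in ("To", "Cc") if msg[h]).lower()
    if EXFIL_RECIPIENT in recipients and subject.startswith(EXFIL_SUBJECT_PREFIX):
        found.append("credential-exfil")
    return found


def is_nicehello(raw: bytes) -> bool:
    """Flag on a lure or exfil match, or on the header plus a known attachment name."""
    ind = set(nicehello_indicators(raw))
    if "credential-exfil" in ind or any(i.startswith("lure:") for i in ind):
        return True
    return {"x-library-header", "known-attachment-name"} <= ind


# Constructed samples (not real captures); the attachment body is a placeholder.
SAMPLE_LURE = (
    b"From: friend@example.invalid\r\nTo: victim@example.invalid\r\n"
    b"Subject: Fotos ultima fiesta\r\nX-Library: Indy 8.0.25\r\n"
    b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n\r\n"
    b"--b1\r\nContent-Type: text/plain\r\n\r\n"
    b"Hola, como estas, te mando las fotos de la ultima fiesta\r\n"
    b"--b1\r\nContent-Type: application/octet-stream; name=\"Fotos.exe\"\r\n"
    b"Content-Disposition: attachment; filename=\"Fotos.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\ncGxhY2Vob2xkZXI=\r\n--b1--\r\n"
)
SAMPLE_EXFIL = (
    b"From: nemesis@olimpo.com\r\nTo: jcrivas77@yahoo.com\r\n"
    b"Subject: Hello World :-) have a nice day someone@hotmail.invalid\r\n"
    b"X-Library: Indy 8.0.25\r\n\r\n<encrypted logon name/password placeholder>\r\n"
)
SAMPLE_CLEAN = (
    b"From: a@example.invalid\r\nTo: b@example.invalid\r\nSubject: lunch?\r\n\r\nNoon?\r\n"
)

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("exfil", SAMPLE_EXFIL), ("clean", SAMPLE_CLEAN)):
        print(label, is_nicehello(raw), nicehello_indicators(raw))
```

Matching the outbound credential message is what stops the password leak when the worm is already running on a host behind the gateway; the lure match only stops further spread.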

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Nicehello@mm (Symantec)
