W32/Sory.worm

Type
Virus
SubType
Worm
Discovery Date
04/25/2003
Length
232,960 bytes
Minimum DAT
4260 (04/30/2003)
Updated DAT
4260 (04/30/2003)
Minimum Engine
5.1.00
Description Added
04/28/2003
Description Modified
04/28/2003 12:29 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a share-jumping worm (copies itself from system to system through Windows file-sharing functionality) that spreads to Win2K/XP systems. It also captures system and personal information. The worm does not spread via email. When run, the worm copies itself to the WINDOWS SYSTEM (%SysDir%) directory as Services.exe and creates a registry run key to load itself at system startup.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %VirusPath%
On Windows 9x, the following WIN.INI and SYSTEM.INI changes are made:
  • win.ini, [windows] "load" = %VirusPath%
  • win.ini, [windows] "run" = %VirusPath%
  • system.ini, [boot] "shell" = Explorer.exe %VirusPath%
On WinNT/2K/XP, the following additional registry keys are created:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "run" = %VirusPath%
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "shell" = Explorer.exe %VirusPath%
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Services" = %VirusPath%
The virus uses the NET VIEW command to locate other systems on the local area network. It then attempts to copy itself to the following folders on those systems:
  • Documents and Settings\All Users\Start Menu\Programlar\BASLANGIÇ\ (Turkish-language Start Menu)
  • Documents and Settings\All Users\Start Menu\Programs\Startup
The virus creates a TEMP folder in the WINDOWS SYSTEM directory. It captures typed keystrokes and logs them (encrypted) to a file within this directory. The log file uses a 17-character random filename followed by a 3-character random extension. Periodically, the virus attempts to contact a CJB.NET user site to upload the captured information. Additional information captured includes:
  • Windows version
  • Number, type, and speed of CPUs
  • Amount of RAM
  • Size of Page File
  • Victim's default SMTP server, POP3 Server, POP3 username, and email address (specified in the victim's registry Internet Account Manager settings)
This CJB.NET user site redirects to a devel.gazi.edu.tr user site.
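The persistence locations and file artifacts listed above translate directly into a host triage check. The following read-only PowerShell script is an added example (it is not part of the McAfee description and not McAfee's tooling): it inspects the Run/Winlogon registry values, the SYSTEM-directory services.exe, the %SysDir%\TEMP keystroke-log folder, and the All Users Startup folders, and reports anything matching the write-up. It only reports; it changes nothing. The file name, the 232,960-byte size and the 17+3 random-character naming come from the description; the alphanumeric character set assumed for those random names, the function names and the output format are this example's own assumptions. The Windows 9x WIN.INI/SYSTEM.INI changes are not checked, since PowerShell does not run on those systems.

```powershell
# Added triage example for the W32/Sory.worm indicators described above.
# Read-only: nothing is deleted or modified. Run in an elevated prompt so
# that HKLM and the SYSTEM directory are readable.

$SysDir = [Environment]::SystemDirectory   # e.g. C:\Windows\System32

function Test-SoryRunKeys {
    # Registry values the write-up says the worm sets to survive a reboot.
    # The HKCU "Windows\run" and "Winlogon\shell" values are rarely set by
    # legitimate software, so any non-empty value there is reported; a Run
    # value named "Services" is reported only if it points at services.exe.
    $checks = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Name = 'Services'; Any = $false },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'Services'; Any = $false },
        @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'run';      Any = $true  },
        @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'shell';    Any = $true  }
    )
    foreach ($c in $checks) {
        $name = $c.Name
        $item = Get-ItemProperty -Path $c.Key -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $value = [string]$item.$name
        if (($c.Any -and $value.Trim()) -or ($value -match 'services\.exe')) {
            [pscustomobject]@{ Check = 'Registry'; Location = "$($c.Key)\$name"; Value = $value }
        }
    }
}

function Test-SoryDroppedFile {
    # Symptom from the write-up: services.exe of 232,960 bytes in the SYSTEM
    # directory. The genuine Windows Services.exe also lives there, so the size
    # and the Authenticode signature status are what separate the two.
    $path = Join-Path $SysDir 'services.exe'
    if (-not (Test-Path $path)) { return }
    $f   = Get-Item $path
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($f.Length -eq 232960 -or $sig.Status -ne 'Valid') {
        [pscustomobject]@{ Check = 'File'; Location = $path; Value = "$($f.Length) bytes, signature $($sig.Status)" }
    }
}

function Test-SoryKeylogFolder {
    # The write-up places the encrypted keystroke logs in %SysDir%\TEMP, named
    # with 17 random characters plus a 3-character random extension. The
    # character set is not stated; alphanumeric is an assumption of this example.
    $temp = Join-Path $SysDir 'TEMP'
    if (-not (Test-Path $temp)) { return }
    Get-ChildItem -Path $temp -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[A-Za-z0-9]{17}\.[A-Za-z0-9]{3}$' } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'KeylogFile'; Location = $_.FullName; Value = "$($_.Length) bytes" }
        }
}

function Test-SoryStartupFolder {
    # Remote copies land in the All Users Startup folder. Check the folder the
    # shell resolves on this host plus the two legacy paths quoted in the write-up.
    $folders = @(
        [Environment]::GetFolderPath('CommonStartup'),
        "$env:SystemDrive\Documents and Settings\All Users\Start Menu\Programs\Startup",
        "$env:SystemDrive\Documents and Settings\All Users\Start Menu\Programlar\BASLANGIÇ"
    ) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique
    foreach ($dir in $folders) {
        Get-ChildItem -Path $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Check = 'Startup'; Location = $_.FullName; Value = "$($_.Length) bytes" }
        }
    }
}

$findings = @(Test-SoryRunKeys) + @(Test-SoryDroppedFile) + @(Test-SoryKeylogFolder) + @(Test-SoryStartupFolder)
if ($findings.Count -eq 0) {
    Write-Output 'No W32/Sory.worm indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any hit under the Registry or KeylogFile check is worth a closer look regardless of the services.exe size, because a Startup-folder copy on a machine reached over the network can run from the All Users profile without the local Run keys having been written yet. Treat the output as a starting point for the DAT-based cleaning described in the Removal section, not as a removal tool.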

Symptoms

Presence of a file named services.exe (232,960 bytes) in the SYSTEM directory

Method of Infection

This worm spreads by copying itself to the STARTUP folder of accessible networked Win2K/XP systems.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • TROJ_TAMPONAI.A (Trend)
  • W32.HLLW.Kullan (Symantec)
