McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

This threat is proactively detected as New MSVB P2P worm when using the 4266 DAT files with the 4.2.40 scan engine and scanning compressed executables (a default scan option).

This variant of the worm is very similar to previous variants. It is intended to propagate via email and sharing itself over P2P networks.

The worm consists of a 3-file sandwich:

DROPPER COMPONENT | PROPAGATION COMPONENT | SMTP LIBRARY

The dropper component is intended to drop and run the other components:

• Propagation component: 56,614 bytes
• SMTP library: 25,737 bytes

Strings within the dropper and propagation components suggest the worm is intended to arrive in a message with the following characteristics:

From: Dispatch@McAfee.com

Various subject lines and message bodies are carried within the worm:

'''*< Love Speaks it all >*'''
Hii Try this great program allowing u to translate 100 languages . just write a passage in english and chose a language to get the traslation one of my friends used it with his arabian gf and it worked successfully ;) so , Now we can say ' Love Speaks it All ' :)

Co0o0o0o0oL
i thing the subject is enough to describe the attached file ! check it out and replay your opinion Cya

Fw:
You're gonna love it ;) delete it after reading , Professor :P

Heeeeeeeeeeeeeeeey
i've got this surprise from a friend :) it really deserves a few minutes of your time. Bye

Wussaaaaaaaap?
Should i email u first to email me? u don't know how much ur emails mean to me. i wish u like this email and plzz don't forget me :)

WoW But not for NoW
coz i couldn't get the other part of it , any way , check it out having alil thing is better than nothing :P

y0 Ain't Got Shyt !
All u can get is burning ur self Coz all we can do is to watch, nothing for us to touch :(

Why Do We FOk?
let me answer ,,, hummmmmmmmm Coz we Burn Our selves by watching ********** like the one i attached :P

Heeelllooo , anybody home????
i tried many times to send u this email but ur account was out of storage as i think any way , make sure that i didn't and i won't forget u :) Cya Forgotten :P

Why did u send me this shyt?
THANX BUT I DON'T ACCEPT SEX MATERIALS FROM STRANGERS. I SAW THEM N I WONDERED HOW U COULD DO SO ? I REATTACHED THE SHYT U SENT PLEASE DON'T EMAIL ME ,

Re:Hi
No thanx , keep it for you :)

Lo0o0o0o0o0o0o0o0o0o0o0o0oL
Measure your intelligence , the power of your mind and the speed of your reaction by answering several Qs , don't forget to send me your mark. I took 3.5/10 :P Let's see who is more intelligent than the other! Good Luck

hurry up !!!
this is the last one i could find , Don't forget , send me the project in a zipped file :) Bye

To Early To Have Sex!
When i saw it i didn't believe that she was only 8 yrs old. but when i saw the blood and heard the voice of her :( i got Shocked

Fw:Send it to all of the ppl u love
Don't Believe ur self, I don't Love Ya :P But i Don't know why i sent this to u. Make use of it , Bye ;)

Surpise !
I'm in a harry , Send me any clip with voice like the one i attached . And stop sending the booooring pictures For your elegant Taste elegant ppl should satisfy thier taste with elegant things ;)

Again?
I sent this email to another body :P and he replayed saying Thanx !! i always write your email wrongly. Hummm, if u like it replay to me , and don't forget to write ur signature to make sure that i didn't send the email to a wrong one ;)

Who are you??????
i'm fine , thanx for asking :) and thanx for the nice attachements. but unfortunately, i don't remember you i will be waiting for u emaill to remind me of your self.

Hummm , i hope u accept this show as an apology.
The Spanish Beauty it's a mix of the Arabian beauty & the european grace ! satisfy your eyes with the beauty that u have never seen ;)

I've Got it :)
I've got it from KaZaA network , it seems not to be full but that's all i could find :(

Helloooooooo
I've got your email , but you forgot to upload the attachments. Don't be selfish , i sent you all the files i have, send me anything :(

If u are booooored ...
i found it in my Recycled , i know u love this kind of thing ;) attachment :) bye

Dispatch@McAfee.com
Virus Alert ! Dear User, McAfee.com Has recieved an infected message from you .We believe that you are infected with Win32/HaWawi@MM Virus. Please download the attached tool (ToolAv01w32) which will help you to clean your PC. For more information : *Create an email addressed to virus_research@nai.com. Your name, phone number, address, and email address Operating system: Antivirus program: Anti virus engine version (e.g. 4.1.20) DAT file version (e.g. 4.0.4140) Browser version Nature of problem

Attachment: Various filenames chosen from the following list (tailored to subject/message body):

• Aint_it_Funny.pif
• AniMaL_N_Burning_Ladies.pif
• Beauty_VS_Your_FaCe.pif
• Broke_ass.pif
• Come_2_Cum.pif
• Endless_life.pif
• Famous_PpL_N_Bad_Setuations.pif
• Gurls_Secrets.pif
• HAwa.pif
• HaWawi_N_Hawaii.pif
• Hearts_translator.pif
• Hot_Show.pif
• How_to_improve_ur_love.pif
• Leaders_Scandals.pif
• Lo0o0o0o0oL.pif
• Real_Magic.pif
• Shakiraz_Big_ass.pif
• Short_vClip.pif
• Sweet_but_smilly.pif
• Tears_of_Happiness.pif
• Tedious_SeX.pif
• Teenz_Raper.pif
• The_Truth_of_Love.pif
• ToolAv01w32.pif
• unfaithful_Gurls.pif
• White_AmeRica.pif
• XxX_Mpegs_Downloader.pif

Running the attachment infects the local system. The worm extracts several files to the WINDOWS SYSTEM directory:

• explore.exe (24,064 bytes)
• SMTP.ocx (25,737 bytes)

A registry run key is created to load the worm at system startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run "Explore" = C:\WINDOWS\SYSTEM\EXPLORE.exe

It also copies itself to the WINDOWS SYSTEM directory using the aforementioned email attachment names. The worm attempts to configure KaZaa to use the WINDOWS SYSTEM directory as the default shared folder.

Symptoms

- Presence of the aforementioned filenames
- The virus creates a counter registry value:

• HKEY_CURRENT_USER\DeathTime = %Run count%

If the run count exceeds 30, the worm attempts to delete all files on the local system, and displays several message boxes, one at a time. After OK has been clicked on the last box, the system is restarted.

Method of Infection

This worm spreads via email and the KaZaa P2P file-sharing network.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This threat is proactively detected as New MSVB P2P worm when using the 4266 DAT files with the 4.2.40 scan engine and scanning compressed executables (a default scan option).

This variant of the worm is very similar to previous variants. It is intended to propagate via email and sharing itself over P2P networks.

The worm consists of a 3-file sandwich:

DROPPER COMPONENT | PROPAGATION COMPONENT | SMTP LIBRARY

The dropper component is intended to drop and run the other components:

• Propagation component: 56,614 bytes
• SMTP library: 25,737 bytes

Strings within the dropper and propagation components suggest the worm is intended to arrive in a message with the following characteristics:

From: Dispatch@McAfee.com

Various subject lines and message bodies are carried within the worm:

'''*< Love Speaks it all >*'''
Hii Try this great program allowing u to translate 100 languages . just write a passage in english and chose a language to get the traslation one of my friends used it with his arabian gf and it worked successfully ;) so , Now we can say ' Love Speaks it All ' :)

Co0o0o0o0oL
i thing the subject is enough to describe the attached file ! check it out and replay your opinion Cya

Fw:
You're gonna love it ;) delete it after reading , Professor :P

Heeeeeeeeeeeeeeeey
i've got this surprise from a friend :) it really deserves a few minutes of your time. Bye

Wussaaaaaaaap?
Should i email u first to email me? u don't know how much ur emails mean to me. i wish u like this email and plzz don't forget me :)

WoW But not for NoW
coz i couldn't get the other part of it , any way , check it out having alil thing is better than nothing :P

y0 Ain't Got Shyt !
All u can get is burning ur self Coz all we can do is to watch, nothing for us to touch :(

Why Do We FOk?
let me answer ,,, hummmmmmmmm Coz we Burn Our selves by watching ********** like the one i attached :P

Heeelllooo , anybody home????
i tried many times to send u this email but ur account was out of storage as i think any way , make sure that i didn't and i won't forget u :) Cya Forgotten :P

Why did u send me this shyt?
THANX BUT I DON'T ACCEPT SEX MATERIALS FROM STRANGERS. I SAW THEM N I WONDERED HOW U COULD DO SO ? I REATTACHED THE SHYT U SENT PLEASE DON'T EMAIL ME ,

Re:Hi
No thanx , keep it for you :)

Lo0o0o0o0o0o0o0o0o0o0o0o0oL
Measure your intelligence , the power of your mind and the speed of your reaction by answering several Qs , don't forget to send me your mark. I took 3.5/10 :P Let's see who is more intelligent than the other! Good Luck

hurry up !!!
this is the last one i could find , Don't forget , send me the project in a zipped file :) Bye

To Early To Have Sex!
When i saw it i didn't believe that she was only 8 yrs old. but when i saw the blood and heard the voice of her :( i got Shocked

Fw:Send it to all of the ppl u love
Don't Believe ur self, I don't Love Ya :P But i Don't know why i sent this to u. Make use of it , Bye ;)

Surpise !
I'm in a harry , Send me any clip with voice like the one i attached . And stop sending the booooring pictures For your elegant Taste elegant ppl should satisfy thier taste with elegant things ;)

Again?
I sent this email to another body :P and he replayed saying Thanx !! i always write your email wrongly. Hummm, if u like it replay to me , and don't forget to write ur signature to make sure that i didn't send the email to a wrong one ;)

Who are you??????
i'm fine , thanx for asking :) and thanx for the nice attachements. but unfortunately, i don't remember you i will be waiting for u emaill to remind me of your self.

Hummm , i hope u accept this show as an apology.
The Spanish Beauty it's a mix of the Arabian beauty & the european grace ! satisfy your eyes with the beauty that u have never seen ;)

I've Got it :)
I've got it from KaZaA network , it seems not to be full but that's all i could find :(

Helloooooooo
I've got your email , but you forgot to upload the attachments. Don't be selfish , i sent you all the files i have, send me anything :(

If u are booooored ...
i found it in my Recycled , i know u love this kind of thing ;) attachment :) bye

Dispatch@McAfee.com
Virus Alert ! Dear User, McAfee.com Has recieved an infected message from you .We believe that you are infected with Win32/HaWawi@MM Virus. Please download the attached tool (ToolAv01w32) which will help you to clean your PC. For more information : *Create an email addressed to virus_research@nai.com. Your name, phone number, address, and email address Operating system: Antivirus program: Anti virus engine version (e.g. 4.1.20) DAT file version (e.g. 4.0.4140) Browser version Nature of problem

Attachment: Various filenames chosen from the following list (tailored to subject/message body):

• Aint_it_Funny.pif
• AniMaL_N_Burning_Ladies.pif
• Beauty_VS_Your_FaCe.pif
• Broke_ass.pif
• Come_2_Cum.pif
• Endless_life.pif
• Famous_PpL_N_Bad_Setuations.pif
• Gurls_Secrets.pif
• HAwa.pif
• HaWawi_N_Hawaii.pif
• Hearts_translator.pif
• Hot_Show.pif
• How_to_improve_ur_love.pif
• Leaders_Scandals.pif
• Lo0o0o0o0oL.pif
• Real_Magic.pif
• Shakiraz_Big_ass.pif
• Short_vClip.pif
• Sweet_but_smilly.pif
• Tears_of_Happiness.pif
• Tedious_SeX.pif
• Teenz_Raper.pif
• The_Truth_of_Love.pif
• ToolAv01w32.pif
• unfaithful_Gurls.pif
• White_AmeRica.pif
• XxX_Mpegs_Downloader.pif

Running the attachment infects the local system. The worm extracts several files to the WINDOWS SYSTEM directory:

• explore.exe (24,064 bytes)
• SMTP.ocx (25,737 bytes)

A registry run key is created to load the worm at system startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run "Explore" = C:\WINDOWS\SYSTEM\EXPLORE.exe

It also copies itself to the WINDOWS SYSTEM directory using the aforementioned email attachment names. The worm attempts to configure KaZaa to use the WINDOWS SYSTEM directory as the default shared folder.

Symptoms

Symptoms -

- Presence of the aforementioned filenames
- The virus creates a counter registry value:

• HKEY_CURRENT_USER\DeathTime = %Run count%

If the run count exceeds 30, the worm attempts to delete all files on the local system, and displays several message boxes, one at a time. After OK has been clicked on the last box, the system is restarted.

Method of Infection

Method of Infection -

This worm spreads via email and the KaZaa P2P file-sharing network.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A