
W32/Pluto.A@MM

Type: Virus
SubType: Worm
Discovery Date: 01/11/2002
Length: 34,816 or 164,864 depending on the variant
Minimum DAT: 4235 (11/27/2002)
Updated DAT: 4326 (02/18/2004)
Minimum Engine: 5.1.00
Description Added: 07/07/2003
Description Modified: 07/08/2003 2:58 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

This Borland Delphi worm propagates via:

  • mass-mailing itself to all recipients listed in the Outlook Address Book and the Windows Address Book (WAB).
  • peer-to-peer file-sharing networks like eDonkey2000, KaZaa, LimeWire, Morpheus, Shareaza and Xolox.

It is packed with UPX.

It arrives attached to emails and tries to use a known malformed MIME header exploit to execute the attachment. (see http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp)

Email Propagation
Message subject lines may be one of the following:

  • Greets!!
  • Get 8 FREE issues - no risk!!
  • Hi!
  • Your News Alert!!
  • $150 FREE Bonus!!
  • Your Gift!
  • New bonus in your cash account!
  • Tools For Your Online Business!
  • Daily Email Reminder!
  • News
  • Free Shipping!
  • Its Easy!
  • Warning!
  • SCAM alert!!!
  • Sponsors needed!
  • New Reading
  • CALL FOR INFORMATION!
  • 25 merchants and rising!
  • Cows
  • My eBay ads!
  • Empty account!
  • Market Update Report!
  • Click on this!
  • Fantastic!
  • Wow!
  • Bad news!!
  • Lost & Found!
  • New Contests!
  • Today Only!!
  • Get a FREE gift!
  • Membership Confirmation
  • Report
  • Please Help...
  • Stats
  • I need help about script!!!
  • Interesting...
  • Introduction
  • Various!
  • Announcement!
  • History screen!
  • Correction of errors!
  • Just a reminder!
  • Payment notices!
The message body may be one of the following:
  • Check the attachment!
  • See the attachement!
  • Enjoy the attachement!
  • More details attached!
  • Hi
    Check the Attachement ..
    See u
  • Hi
    Check the Attachement ..
  • Attached one Gift for u..
  • WOW CHECK THIS!
Attachment names may be one of the following:
  • screensaver
  • screensaver4u
  • screensaverforu
  • freescreensaver
  • love
  • lovers
  • lovescr
  • loverscreensaver
  • loversgang
  • loveshore
  • love4u
  • enjoylove
  • sharelove
  • shareit
  • checkfriends
  • urfriend
  • friendscircle
  • friendship
  • friends
  • friendscr
  • friends4u
  • friendship4u
  • friendshipbird
  • friendshipforu
  • friendsworld
  • werfriends
  • passion
  • bullsh**scr
  • shakeit
  • shakescr
  • shakinglove
  • shakingfriendship
  • passionup
  • rishtha
  • greetings
  • lovegreetings
  • friendsgreetings
  • friendsearch
  • lovefinder
  • truefriends
  • truelovers
  • f*cker
The attachment name carries a double extension. The first extension is one of:
  • .bmp
  • .dat
  • .gif
  • .htm
  • .jpg
  • .mdb
  • .mpg
  • .zip
The second (final) extension is one of:
  • .bat
  • .pif
  • .scr
When the virus attachment is run, a fake error message is displayed, such as one of the following:
  • This File is Corrupted!
  • This Software need more virtual memory!
  • Error: Low System Performance!
  • Error: Can Not Find Config.INI!
  • This software need MSIO32.DLL!
  • Application attempted to read memory at 0xFFFFFFFFh!
  • The system cannot find the file specified.
  • Stack overflow.
  • Cannot allocate memory.
  • A fatal exception 06 has occurred at :.
  • Fatal Exception 0E has occurred at memory address in module Vxd IOS(04) + memory address.
  • A fatal exception 0E has occurred at 0028:C02A0201 in VXD IOS(04)+00001FC9
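
A mail-gateway check for the attachment naming described above, as an added example that is not part of the original description or of any vendor tooling: it flags attachments whose last two extensions match the two lists above and, as a heuristic assumed here for the malformed MIME header issue the page references (MS01-020), an executable extension delivered under a non-executable declared Content-Type. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy

# Extension sets copied from the description above.
DECOY_EXTS = {".bmp", ".dat", ".gif", ".htm", ".jpg", ".mdb", ".mpg", ".zip"}
EXEC_EXTS = {".bat", ".pif", ".scr"}
# Assumption: declared media types an executable attachment should never carry.
INERT_TYPE_PREFIXES = ("audio/", "image/", "video/", "text/")


def trailing_extensions(filename):
    """Return the last one or two extensions, lower-cased, e.g. ['.jpg', '.scr']."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    name = filename.strip().rstrip(". ").lower()
    # Strip each piece so space padding between the extensions cannot hide the pair.
    pieces = [p.strip() for p in name.split(".")]
    return ["." + p for p in pieces[1:][-2:]]


def inspect_message(raw_bytes):
    """Return [(filename, [reasons])] for attachments matching the worm's pattern."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # body parts and containers carry no file name
        exts = trailing_extensions(filename)
        reasons = []
        if len(exts) == 2 and exts[0] in DECOY_EXTS and exts[1] in EXEC_EXTS:
            reasons.append("double-extension")
        declared = part.get_content_type()
        if exts and exts[-1] in EXEC_EXTS and declared.startswith(INERT_TYPE_PREFIXES):
            reasons.append("type-mismatch")
        if reasons:
            findings.append((str(filename), reasons))
    return findings


# Constructed sample: one worm-style attachment, one plain screensaver sent as
# application/octet-stream, and one ordinary image. Payloads are placeholders.
SAMPLE_MESSAGE = (
    b"From: sender@example.com\r\n"
    b"To: rcpt@example.com\r\n"
    b"Subject: Your Gift!\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XX"\r\n'
    b"\r\n"
    b"--XX\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Check the attachment!\r\n"
    b"--XX\r\n"
    b'Content-Type: image/jpeg; name="love4u.jpg.scr"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="love4u.jpg.scr"\r\n'
    b"\r\n"
    b"AAAA\r\n"
    b"--XX\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="setup.scr"\r\n'
    b"\r\n"
    b"AAAA\r\n"
    b"--XX\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="holiday.jpg"\r\n'
    b"\r\n"
    b"AAAA\r\n"
    b"--XX--\r\n"
)

if __name__ == "__main__":
    for name, reasons in inspect_message(SAMPLE_MESSAGE):
        print(name, reasons)
```

Only the first attachment is flagged; a gateway would normally block every `.bat`, `.pif` and `.scr` attachment outright and use these reasons to prioritise triage.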

Peer-to-peer Propagation
The worm generates file names that it uses to create copies of itself in the software download directory. The files have the ".exe" extension:

  • CKY3 - Bam Margera World Industries Alien Workshop
  • Cat Attacks Child
  • Windows XP
  • AIM Account Stealer
  • MSN Password Hacker and Stealer
  • Hacking Tool Collection
  • Macromedia Flash 5.0
  • DSL Modem Uncapper
  • Internet and Computer Speed Booster
  • ZoneAlarm Firewall
  • Borland Delphi 6
  • BORLAND Delphi 7
  • Shakira
  • Gladiator
  • AikaQuest3Hentai
  • MoviezChannelsInstaler
  • Zidane-ScreenInstaler
  • LordOfTheRingsr
  • SIMS
  • Quake 4 BETA
  • Xbox.info
  • GTA3
  • Battle.net
  • Warcraft 3 battle.net
  • Half-life WON
  • Winzip 8.0
  • Winrar 3.2
  • Warcraft 3 ONLINE
  • Half-life ONLINE
  • Grand Theft Auto 3
  • Macromedia
  • KaZaA Media Desktop v2.5 UNOFFICIAL
  • KaZaA Spyware Remover
  • Age Of Empires 2
  • Norton AntiVirus 2002
  • Macromedia Dreamweaver MX
  • Microsoft Office XP (English)
  • CloneCD
  • Windows XP SP1
  • The Neverending Story Part I
  • Free Virus Removal Tool From Symantec
  • The Sun Of All Fears
  • Crazy Taxi
  • Duke Nukem Manhattan Project
  • Industry Giant 2
  • F1 Grand Pix 4
  • Star Wars II Movie
  • Nero Burning Rom 5.8.0.1
  • Need For Speed 5 Porsche Unleashed
  • Half Life Blue Shift
  • Quake 3 Arena
  • Warcraft 3
  • Civilization 3
  • Black And White
  • Strike Fighter Project 1
  • Mafia
  • The Eye Of Kraken
  • Hoyle Card Games 2003
  • GTA 3
  • Hard Truck 18 Wheels of Steel
  • Comanche 4
  • Grand Prix 4
  • Age of Sail 2
  • Sudden Strike 2
  • Neverwinter Nights
  • Soldier Of Fortune 2
  • Valhalla Chronicles
  • International Cricket Captain 2003
  • Critical Point Manga game
  • Elder Scrolls III Morrowind THX Brrbrr
  • Unreal Tournament 3
  • Aliens versus Predator 2 Primal Hunt
  • Star Wars Starfighter
  • Norton Utilities 2002 XP
  • Hitman 2 Silent Assassin
  • MS Train Simulator
  • Cabelas Ultimate Deer Hunt 2
  • Dweebs 2
  • Age Of Wonders 2
  • Austerlitz Napoleons Greatest Victory
  • Emperor Rise Of the Middle Kingdom
  • Necromania Trap Of Darkness
  • Prisoner Of War
  • Squad Battles Eagles Strike
  • Stronghold Crusader
  • Tomb Raider 3
  • Deadly Dozen
  • Empire Earth
  • Freedom Force
  • Gearhead Garage
  • Red Ace Squadron
  • Clive Barkerús Undying
  • The Thing
  • Dark Age Of Camelot Shrouded Isles
  • Combat Flight Simulator 3
  • Soldiers Of Anarchy
  • FIFA 2003
  • Crack
  • Patch
  • Key Generator
  • Full Downloader
  • ISO - Full Downloader
  • Downloader

Software Termination
Running processes containing the following strings are terminated.

  • AGENTW.EXE
  • ACKWIN32.EXE
  • CLAW95.EXE
  • MONITOR.EXE
  • AVPM.EXE
  • EVPN.EXE
  • AVP32.EXE
  • F-STOPW.EXE
  • APVXDWIN.EXE
  • PAVPROXY.EXE
  • VBCONS.EXE
  • FSM32
  • AVPCC.EXE
  • GBPOLL.EXE
  • TAUMON.EXE
  • ZONEALARM.EXE
  • VSMON.EXE
  • AVKSERV
  • PERSWF.EXE
  • MPFAGENT.EXE
  • MPFSERVICE.EXE
  • MPFTRAY.EXE
  • PORTMONITOR.EXE
  • CPDCLNT.EXE
  • VSHWIN32.EXE
  • VSECOMR.EXE
  • WEBSCANX.EXE
  • VSSTAT.EXE
  • TCM
  • CPD.EXE
  • ALOGSERV.EXE
  • CMGRDIAN.EXE
  • RULAUNCH.EXE
  • VSMAIN.EXE
  • GBPOLL
  • CFGWIZ.EXE
  • IAMAPP.EXE
  • FRW.EXE
  • WRCTRL.EXE
  • WRADMIN.EXE
  • SPHINX.EXE
  • BLACKICE.EXE
  • BLACKD.EXE
  • RAPAPP.EXE
  • AVGCTRL
  • NISUM.EXE
  • IAMSTATS.EXE
  • LUSPT.EXE
  • CCAPP.EXE
  • CCEVTMGR.EXE
  • WIMMUN32
  • NISSERV.EXE
  • AUTODOWN.EXE
  • VET32.EXE
  • MWATCH.EXE
  • EFPEADM.EXE
  • FSGK32
  • CLEANER3.EXE
  • CLEANER.EXE
  • NAVW32.EXE
  • AVXMONITOR9X.EXE
  • TC
  • ICSUPPNT
  • AVXQUAR.EXE
  • NORMIST.EXE
  • NVC95.EXE
  • NUPGRADE.EXE
  • AVGCC32.EXE
  • FCH32
  • AVGCTRL.EXE
  • AVGSERV.EXE
  • ICLOADNT.EXE
  • IOMON98.EXE
  • VET95.EXE
  • FIH32
  • RESCUE.EXE
  • GUARD.EXE
  • DOORS.EXE
  • AVGSERV9
  • PCCIOMON.EXE
  • AVKSERV.EXE
  • MINILOG.EXE
  • FNRB32
  • NMAIN.EXE
  • IAMSERV.EXE
  • GUARDDOG.EXE
  • PERSFW.EXE
  • LOCKDOWN.EXE
  • SPYXX
  • NPROTECT.EXE
  • NDD32.EXE
  • SMC.EXE
  • NETUTILS.EXE
  • NTXCONFIG
  • LDNETMON.EXE
  • CONNECTIONMONITOR.EXE
  • NVSVC32
  • AVSYNMGR.EXE
  • MPFSERVICE
  • NAVENGNAVEX15
  • NAV AUTO-PROTECT
  • SYMPROXYSVC.EXE
  • SWEEPNET
  • DEFSCANGUI
  • AVSYNMGR
  • AVGSERV
  • _AVPM.EXE
  • AVP.EXE
  • NAVAPW32.EXE
  • NAVAP
  • DEFWATCH.EXE
  • VPC32.EXE
  • VPTRAY.EXE
  • POPROXY.EXE
  • NAVAPSVC.EXE
  • NTVDM
  • NAVLU32.EXE
  • NAVWNT.EXE
  • LUALL.EXE
  • SWNETSUP.EXE
  • ICLOAD95.EXE
  • TDS-3
  • ICMON.EXE
  • ICSUPP95.EXE
  • IFACE.EXE
  • ADVXDWIN.EXE
  • PADMIN.EXE
  • RAV7WIN
  • VETTRAY
  • AUTODOWN
  • RESCUE
  • WRCTRL
  • WRADMIN
  • GUARD
  • PCCIOMON
  • CLAW95
  • NWTOOL16.EXE
  • NTVDM.EXE
  • ANTI-TROJAN.EXE
  • TC.EXE
  • CDP.EXE
  • NAVW32
  • AVXMONITOR9X
  • AVXMONITORNT
  • AVXQUAR
  • NORMIST
  • NVC95
  • CLAW95C
  • TCA.EXE
  • TCM.EXE
  • MOOLIVE.EXE
  • MGHTML.EXE
  • MCMNHDLR.EXE
  • MCVSRTE.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • SCAN32.EXE
  • SCRSCAN.EXE
  • SYMTRAY.EXE
  • AVPM
  • VSCHED.EXE
  • MCTOOL.EXE
  • AVXQUAR.EXE.EXE
  • AMON9X.EXE
  • AVGW.EXE
  • SBSERV
  • WEBTRAP.EXE
  • POP3TRAP.EXE
  • TDS-3.EXE
  • SS3EDIT.EXE
  • JEDI.EXE
  • APVXDWIN
  • RAV7WIN.EXE
  • RAV7.EXE
  • SWEEP95.EXE
  • MCAGENT.EXE
  • MCUPDATE.EXE
  • FSAV32
  • IFACE
  • ADVXDWIN
  • PADMIN
  • NWTOOL16
  • ANTS
  • ANTI-TROJAN
  • TCAúLOCKDOWN
  • AVSCHED32
  • DEFALERT
  • CLAW95CF.EXE
  • LDSCAN
  • VIR-HELP.EXE
  • SCRSCAN
  • SYMTRAY
  • VSCHED
  • MCTOOL
  • AVXW
  • AMON9X
  • PCCWIN98
  • ATUPDATER
  • POP3TRAP
  • SS3EDIT
  • JEDI
  • MONITOR
  • RAV7
  • SWEEP95
  • MCAGENT
  • ZAPRO.EXE
  • LOCKDOWN2000.EXE
  • CCPXYSVC.EXE
  • ETRUSTCIPE.EXE
  • VBCMSERV.EXE
  • ANTS.EXE
  • PCCWIN97.EXE
  • PCCNTMON.EXE
  • PCSCAN.EXE
  • NUI.EXE
  • AVKWCTL9
  • MCUPDATE
  • NTRTSCAN
  • PCCWIN97
  • PCCNTMON
  • PCSCAN
  • NUI
  • CLAW95CF
  • AVGW
  • AVKPOP
  • AVKSERVICE
  • VETTRAY.EXE
  • NTRTSCAN.EXE
  • VPTRAY
  • EXPERT
  • FP-WIN
  • F-STOPW
  • VIR-HELP
  • F-PROT
  • ATWATCH
  • DOORS
  • NAVAPSVC
  • GBMENU
  • FSAA
  • FSMA32
  • FSMB32
  • MCVSSHLD.EXE
  • PCCWIN98.EXE
  • LUALL
  • PAVPROXY
  • AVXMONITORNT.EXE
  • SWEEPSRV.SYS
  • _AVP32.EXE
  • AVCONSOL.EXE
  • ICSUPPNT.EXE
  • PVIEW95
  • WGFE95
  • CTRL
  • LDPROMENU
  • GENERICS
  • PROCESSMONITOR
  • AVXW.EXE
  • DVP95_0.EXE
  • F-PROT95.EX
  • EXPERT.EXE
  • P-WIN.EXE
  • FAMEH32
  • NAVWNT
  • NPSSVC
  • SWNETSUP
  • ICLOAD95
  • ICMON
  • ICSUPP95
  • SCAN32
  • MOOLIVE
  • MGHTML
  • MCMNHDLR
  • MCVSRTE
  • MGAVRTCL
  • MGAVRTE
  • AUTOTRACE.EXE
  • F-PROT.EXE
  • SPYXX.EXE
  • ATWATCH.EXE
  • ATUPDATER.EXE
  • ATCON.EXE
  • WEBTRAP
  • PROGRAMAUDITOR
  • TFAK
  • LUCOMSERVER
  • AUTOTRACE
  • NWSERVICE
  • NOTSTART.EXE
  • NEOWATCHLOG
  • NSCHED32
  • WATCHDOG
  • ISRV95
  • REALMON
  • AVWINNT
  • DVP95.EXE
  • BLACKD
  • IAMAPP
  • NISSERV
  • NISUM
  • IAMSTATS
  • LUSPT
  • NAVAPW32
  • CCEVTMGR
  • VSECOMR
  • WEBSCANX
  • AVCONSOL
  • VSSTAT
  • CPD
  • ALOGSERV
  • CMGRDIAN
  • AVP32
  • AVGCC32
  • ICLOADNT
  • IOMON98
  • VET95
  • ACKWIN32
  • VSHWIN32
  • VSMON
  • SMC
  • VBCMSERV
  • _AVPCC
  • TAUMON
  • ZONEALARM
  • ZAPRO
  • PERSWF
  • NAVLU32
  • PVIEW95.EXE
  • WGFE95.EXE
  • CTRL.EXE
  • LDSCAN.EXE
  • GENERICS.EXE
  • MCVSSHLD
  • FNRB32.EXE
  • FSAA.EXE
  • FSGK32.EXE
  • FSM32.EXE
  • FSMA32.EXE
  • FSMB32.EXE
  • DEFSCANGUI.EXE
  • DEFALERT.EXE
  • NPSCHECK.EXE
  • VBCONS
  • NOTSTART
  • MINILOG
  • NMAIN
  • IAMSERV
  • PERSFW
  • LOCKDOWN2000
  • SPHINX
  • NPROTECT
  • NETUTILS
  • LDNETMON
  • PORTMONITOR
  • CDP
  • CONNECTIONMONITOR
  • SYMPROXYSVC
  • _AVP32
  • _AVPM
  • AVPCC
  • AVP
  • NUPGRADE
  • PROCESSMONITOR.EXE
  • TFAK.EXE
  • LUCOMSERVER.EXE
  • WIMMUN32.EXE
  • FRWúVSMAIN
  • RTVSCN95
  • DEFWATCH
  • POPROXY
  • ALERTSVC
  • VPC32
  • NDD32
  • NWSERVICE.EXE
  • NTXCONFIG.EXE
  • NEOWATCHLOG.EXE
  • NSCHED32.EXE
  • F-PROT95
  • ISRV95.EXE
  • REALMON.EXE
  • AVWINNT.EXE
  • AVGSERV9.EXE
  • AVKPOP.EXE
  • ATCON
  • MWATCH
  • EFPEADM
  • CLEANER3
  • CLEANER
  • DVP95
  • AVKWCTL9.EXE
  • FSAV32.EXE
  • FAMEH32.EXE
  • FCH32.EXE
  • FIH32.EXE
  • GBMENU.EXE
  • EVPN
  • AVSCHED32.EXE
  • AVKSERVICE.EXE
  • RULAUNCH
  • GUARDDOG
  • CPDCLNT
  • CFGWIZ
  • VET32
  • BLACKICE
  • ETRUSTCIPE
  • MCSHIELD.EXE
  • RTVSCN95.EXE
  • F-AGNT95.EXE
  • LDPROMENU.EXE
  • DVP95_0
  • F-AGNT95
  • WATCHDOG.EXE
  • SBSERV.EXE
  • NPSSVC.EXE
  • ALERTSVC.EXE
  • PROGRAMAUDITOR.EXE

Symptoms

Existence of the files mentioned above.

Method of Infection

The worm propagates via email and peer-to-peer networks.

Removal

All Users:
Script, Batch, Macro and non-memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory-resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.

Variants

  • W32/Pluto.B@MM
  • W32/Pluto.C@MM

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
