W32/Wozer.worm

Type
Virus
SubType
Internet Worm
Discovery Date
11/14/2003
Length
23,040 bytes
Minimum DAT
4305 (11/19/2003)
Updated DAT
4323 (02/11/2004)
Minimum Engine
5.1.00
Description Added
11/17/2003
Description Modified
11/19/2003 2:41 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a detection for an internet worm that spreads by email, IRC and network shares.

After execution, the worm copies itself to %sysdir% as Explore.exe and eCard.zip.

This ZIP file is corrupted and cannot be unpacked with common decompressors such as WinZip, RAR or the integrated ZIP support in Windows XP.

The following registry key is changed to run the virus at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "Explorer.exe Explore.exe"

Network spreading:
This worm browses network connections to spread to other machines that allow write access to the C drive, using the credentials of the infected user. It copies itself as WINUPDATE.EXE and adds a call to that file in AUTOEXEC.BAT.

Email spreading:
The worm harvests email addresses from files on the local system with the following file extensions:

*.HTM
*.WAB
*.EML
*.ODS
*.MMF
*.NCH
*.MBX
*.TBB
*.CPP
*.DPR
*.FRM
*.BAS
*.DOC
*.RTF
*.VBS
*.TXT
*.HTML
*.ASP

It uses its own SMTP engine to send emails directly to the MTA of the destination domain.
The From address is always 'Superzone eCard' 'ecard@superzone.com'
Subject: 'Superzone eCard from Secret Admirer'
An attachment named eCard.zip contains the worm.

Example:

IRC spreading:
If mIRC is installed on the local system, the worm drops a SCRIPT.INI into the mIRC folder. The worm offers the corrupted eCard.zip to anyone joining a channel where the infected user is present. This script is detected as MIRC/Generic.

The worm drops a file called CROW.TXT to C:\. This text file contains the string:

"i love u crow .... i do. "

Symptoms

  • Existence of the registry keys mentioned above.
  • Outgoing traffic on port 25 TCP (SMTP)
  • Traffic to port 139 TCP (NetBIOS)
  • Existence of the files mentioned above.
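The symptoms above can be turned into concrete checks. The following Python script is an added example, not code from this description or from McAfee: it parses a Winlogon "Shell" value for programs other than explorer.exe, scans AUTOEXEC.BAT text for the WINUPDATE.EXE call, and classifies an e-mail by the lure's sender, subject and attachment name. The pure functions take strings so they can run offline against captured data; scan_live_host() reads a Windows machine and assumes that %sysdir% is %SystemRoot%\System32 and that AUTOEXEC.BAT lives at C:\AUTOEXEC.BAT (both assumptions, not stated on the page). The sample e-mail is constructed from the From, Subject and attachment details given above.

```python
"""Indicator checks for the artifacts listed in the W32/Wozer.worm description
(added example, not McAfee's detection logic)."""
import email
import ntpath
import os
import re
from email import policy

# Values taken from the description.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CLEAN_SHELL = "explorer.exe"          # the only program a default Shell value runs
DROPPED_FILE_NAMES = ("Explore.exe", "eCard.zip")
NETWORK_DROP_NAME = "WINUPDATE.EXE"
CROW_TXT_PATH = r"C:\CROW.TXT"
MAIL_FROM_ADDRESS = "ecard@superzone.com"
MAIL_SUBJECT = "Superzone eCard from Secret Admirer"
MAIL_ATTACHMENT = "eCard.zip"


def suspicious_shell_entries(shell_value: str) -> list[str]:
    """Return every program in a Winlogon 'Shell' value other than explorer.exe.

    The worm turns the default 'Explorer.exe' into 'Explorer.exe Explore.exe';
    anything besides explorer.exe (case-insensitive, directory prefix ignored)
    is reported. Entries are split on commas or whitespace.
    """
    entries = [e for e in re.split(r"[,\s]+", shell_value.strip()) if e]
    return [e for e in entries if ntpath.basename(e).lower() != CLEAN_SHELL]


def autoexec_references_worm(autoexec_text: str) -> bool:
    """True if a non-comment AUTOEXEC.BAT line invokes WINUPDATE.EXE."""
    for line in autoexec_text.splitlines():
        stripped = line.strip().upper()
        if not stripped or stripped.startswith("REM") or stripped.startswith("::"):
            continue  # blank or comment line
        if NETWORK_DROP_NAME in stripped:
            return True
    return False


def classify_message(raw_message: bytes) -> list[str]:
    """Return which of the lure's sender, subject and attachment name an
    RFC 822 message carries; all three together match the description."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if MAIL_FROM_ADDRESS in str(msg.get("From", "")).lower():
        hits.append("from")
    if str(msg.get("Subject", "")).strip() == MAIL_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == MAIL_ATTACHMENT.lower():
            hits.append("attachment")
            break
    return hits


# Constructed sample of the lure e-mail; body text, boundary and recipient are made up.
SAMPLE_MESSAGE = b"""\
From: Superzone eCard <ecard@superzone.com>
To: recipient@example.invalid
Subject: Superzone eCard from Secret Admirer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="wozer-sample"

--wozer-sample
Content-Type: text/plain

(constructed body text)
--wozer-sample
Content-Type: application/zip; name="eCard.zip"
Content-Disposition: attachment; filename="eCard.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--wozer-sample--
"""


def scan_live_host() -> dict:
    """Check a Windows host for the dropped files and the Shell change.

    Assumes %sysdir% is %SystemRoot%\\System32 (an assumption, not stated on
    the page). Returns an empty dict on non-Windows systems.
    """
    try:
        import winreg
    except ImportError:
        return {}
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        shell_value, _ = winreg.QueryValueEx(key, "Shell")
    autoexec = r"C:\AUTOEXEC.BAT"  # assumed location
    autoexec_text = open(autoexec, errors="replace").read() if os.path.exists(autoexec) else ""
    return {
        "shell_extras": suspicious_shell_entries(shell_value),
        "dropped_files": [n for n in DROPPED_FILE_NAMES
                          if os.path.exists(os.path.join(sysdir, n))],
        "crow_txt": os.path.exists(CROW_TXT_PATH),
        "autoexec": autoexec_references_worm(autoexec_text),
    }


if __name__ == "__main__":
    print("sample e-mail indicators:", classify_message(SAMPLE_MESSAGE))
    print("live host:", scan_live_host() or "not a Windows host")
```

The Shell check reports any extra program rather than only Explore.exe, so a value such as "Explorer.exe Explore.exe" is flagged by the extra entry and a clean value with a directory prefix is not.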

Method of Infection

W32/Wozer.worm@MM spreads by email and IRC, and copies itself to network shares.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32/Wozer.worm.a
