W32/Epon@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 12/02/2003
Length: 26,112 bytes
Minimum DAT: 4308 (12/10/2003)
Updated DAT: 4308 (12/10/2003)
Minimum Engine: 5.1.00
Description Added: 12/04/2003
Description Modified: 12/04/2003 4:09 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This detection is for a simple worm (packed with UPX) designed to propagate through the following vectors:

  • Email - by dropping a VBS script to email itself (using Outlook) to recipients listed in the Outlook address book
  • IRC - by sending itself to recipients over IRC (dcc send)
  • P2P - by making multiple copies of itself with enticing filenames on the local machine, and reconfiguring P2P clients to share the folder

Proactive detection

Gateway products detect this threat as a variant of W32/Generic.c!p2p with the 4302 DATs or greater (with scanning of compressed files enabled).

The dropped EPYON.VBS script used for mailing is detected as VBS/Scrambler with the 4096 DATs or greater.

The dropped SCRIPT.INI script used for sending the worm over IRC is detected as MIRC/Generic with the 4091 DATs or greater.

Email Propagation

This is achieved via a VBS script dropped into the system temporary folder, for example:

C:\WINNT\TEMP\EPYON.VBS

This script is proactively detected as VBS/Scrambler, as detailed above.

The script uses Outlook to mail the worm to recipients listed in the Outlook address book (1000 limit per address list). Mails are constructed as follows:

Subject : Britney Spears poses nude in the Playboy!
Body :
This month were celebrating our 50th Anniversary!

Therefore we send to erveryone on the net a free example of our special 50th anniversary issue, especially for this issue Britney Spears takes off her clothes...

We even have a few surprises up our cuff-linked sleeve, including an unbelievable 50th Anniversary Playmate plucked from thousands of beautiful hopefuls. So whether you read it for the articles, the pictorials or both, we salute you.

Buy or Playboy magazine in stores now, or visit www.playboy.com !

Attachment : Britney Spears.jpg (many spaces) .exe

P2P Propagation

The worm makes multiple copies of itself using enticing filenames in a folder named EPYON within %SysDir%, for example:

C:\WINNT\SYSTEM32\EPYON

Many filenames are used, as typical for such P2P worms. The filenames include:

  • Britney Spears.jpg.exe
  • Anna Kournikova (HOT!).scr
  • Buffy The Vampire Slayer Screensaver.scr
  • Free XXX passwords.pif
  • Grand Theft Auto Vice City - Multiplater patch.exe

This folder is shared for the following P2P applications:

  • KaZaa
  • Grokster
  • iMesh
  • Morpheus
  • eDonkey2000
  • Overnet

IRC Propagation

The worm drops a mIRC script (SCRIPT.INI) in the system mIRC folder. This script sends the following message to IRC users:

This is a global message to all users of mIRC, Please do not reply to this message. Please update mIRC to his latest version with this patch.

The worm is then sent (via dcc send) as:

mIRC UPDATE.EXE

File Deletion Payload

The worm is also intended to delete the following files:

  • C:\IO.SYS
  • C:\MSDOS.SYS
  • C:\CONFIG.SYS
  • C:\BOOT.INI

Symptoms

  • Existence of the installed files and Registry hook detailed below
  • Observation of the message box shown below
  • Outgoing messages matching the characteristics described above

Method of Infection

Upon execution, the following message box is displayed:

Some lessons can only be learned by risking one's life

The worm installs itself onto the victim machine into %SysDir%, for example:

C:\WINNT\SYSTEM32\KRNL32.EXE

The following Registry key is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Kernel32" = C:\WINNT\SYSTEM32\KRNL32.EXE

EPYON.VBS and SCRIPT.INI are dropped (as described above) for facilitating email and IRC propagation respectively.

Multiple copies of the worm are also dropped for P2P propagation (described above).
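The host indicators listed in this section (the "Kernel32" Run value, KRNL32.EXE, EPYON.VBS, the EPYON folder) and the space-padded "Britney Spears.jpg (many spaces) .exe" attachment name from the Email Propagation section lend themselves to a small triage check. The following is an added example, not part of this description or of any McAfee tool; it uses the page's example paths (%SysDir% = C:\WINNT\SYSTEM32) and runs over a constructed snapshot of Run-key values and file paths so it can be used offline against an exported inventory.

```python
import re
from typing import Dict, Iterable, List

# Host indicators taken from this description, with the page's example paths.
RUN_VALUE_NAME = "Kernel32"
RUN_VALUE_DATA = r"C:\WINNT\SYSTEM32\KRNL32.EXE"
DROPPED_FILES = {
    r"C:\WINNT\SYSTEM32\KRNL32.EXE": "worm body in %SysDir%",
    r"C:\WINNT\TEMP\EPYON.VBS": "Outlook mailer script (VBS/Scrambler)",
    r"C:\WINNT\SYSTEM32\EPYON": "shared P2P drop folder",
}

# A decoy extension, optionally followed by a run of whitespace that pushes the
# real extension out of view, then an executable extension at the very end.
# Matches both "Britney Spears.jpg.exe" (P2P copy) and the padded mail attachment.
_DISGUISED = re.compile(r"\.(jpe?g|gif|txt|doc)\s*\.(exe|scr|pif|com|bat)$", re.I)


def is_disguised_executable(filename: str) -> bool:
    """True when an executable extension hides behind a (possibly space-padded) decoy one."""
    return _DISGUISED.search(filename) is not None


def check_host(run_values: Dict[str, str], present_paths: Iterable[str]) -> List[str]:
    """Return the indicators from this description that match the supplied
    HKLM\\...\\Run values and the set of paths present on the host."""
    hits: List[str] = []
    data = run_values.get(RUN_VALUE_NAME)
    if data is not None and data.strip('"').upper() == RUN_VALUE_DATA:
        hits.append("Run key hook: %s = %s" % (RUN_VALUE_NAME, data))
    present = {p.upper() for p in present_paths}
    for path, what in DROPPED_FILES.items():
        if path.upper() in present:
            hits.append("%s (%s)" % (path, what))
    return hits


# Constructed sample snapshot of an infected host (not real telemetry).
SAMPLE_RUN = {"Kernel32": r"C:\WINNT\SYSTEM32\KRNL32.EXE", "SomeBenignApp": "benign.exe"}
SAMPLE_FILES = [r"C:\WINNT\SYSTEM32\KRNL32.EXE", r"C:\WINNT\TEMP\EPYON.VBS",
                r"C:\WINNT\SYSTEM32\NOTEPAD.EXE"]

if __name__ == "__main__":
    for hit in check_host(SAMPLE_RUN, SAMPLE_FILES):
        print("INDICATOR:", hit)
    print(is_disguised_executable("Britney Spears.jpg" + " " * 40 + ".exe"))
```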

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Epon (AVP)
  • W32.HLLW.Epon@mm (NAV)
