McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

This is a mass-mailing worm that bears the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• contains a backdoor component (see below)
• contains a Denial of Service payload

The virus arrives in an email message as follows:

From: (Spoofed email sender)

Do not assume that the sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject and Message body: (Varies, may be chosen from the following list)

• Here it is
• Please, read and let me know what do you feel
• Full message is in the attached document
• Open the document
• Test
• Here is the document
• Please, reply
• Re:
• See you
• Okay
• Ok
• Look at the attached file
• Look at the document
• Read this
• See the attached document
• See the attached message
• See attachment
• See attachemnt
• Read the document
• Details are in the attached document
• Hi! Check the attachment for details
• Your file is attached
• Your document is attached
• See the attached file for details
• Please read the attached file
• Please have a look at the attached file
• Here is the file
• Read the attached message
• For your eyes only
• micro$oft must die. support us!
• Micro$oft
• some stuff
• Your profile
• just some stuff
• See you soon
• Auto-reply
• Address verification
• Your account is about to be expired
• Your account is expired
• Expired account
• Bank information
• Registration rejected
• Rejected
• excuse me
• photo
• my photos
• Alert
• Warning
• Attention
• hey!
• read!!!
• i can tell you the future
• your chance
• please read
• corrupted
• missed
• unknown
• Microsoft
• join
• we're unable to process your request
• i need you
• Interesting
• we're experiencing technical problems
• Empty
• Automatic notification
• Reply
• beauty
• kleopatra
• kate
• dear friend!
• Response
• Request
• notification
• anna
• price list
• hey
• fw:
• re:
• question
• report
• how are you?
• :-)
• :)
• hello! :)
• hi! :)
• confirmed
• Email verification
• verification
• see you
• You have been successfully registered
• Please, confirm the registration
• Registration
• Your details
• Your account details
• service
• melissa
• maria
• pamela
• jessica
• your website
• your text
• your music
• your letter
• your archive
• thank you
• thanks
• thanks!
• your document
• my details
• here is the document
• here
• hello
• spreadsheet
• excel
• Your request
• do you still love me
• do you love me
• greetings
• hello my friend
• hi!
• account details
• your account
• from me
• Daily Report
• summary
• price-list
• pricelist

Attachment: (Varies [.com, .bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive, for example)

• doc.bat
• document.zip
• information.zip
• readme.zip
• text.pif
• bill.scr
• msg.htm.pif
• paypal.txt.exe
• letter.scr

The icon used by the file tries to make it appear as if the attachment is a MS Word document:

When this file is run (manually), it copies itself to the WINDOWS SYSTEM directory as a randomly-named file with an extension of .BAT, .EXE, .PIF, .CMD, or .SCR.

• %SysDir% \(random letters )[.bat, .exe, .pif, .cmd, or .scr]
  (Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It creates the following registry entry to hook Windows startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "(random letters)" = %SysDir% \(random letters) [.bat, .exe, .pif, .cmd, or .scr]

The virus uses a randomly-named DLL that it creates in the Windows System directory:

•  %SysDir% \(random letters) .dll (size varies)

This DLL is injected into the EXPLORER.EXE upon reboot via these registry keys:

• HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InProcServer32 "(Default)" = %SysDir%\(random letters) .dll
• HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir% \(random letters) .dll

Remote Access Component
The worm (this functionality is in the dropped DLL) opens a connection on TCP port 1080.

Denial of Service Component
This worm contains a payload to carry out a denial of service against the www.symantec.com website, which starts 10-20 minutes after the malicious file is initially run.

Symptoms

Method of Infection

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

• xls
• jpg
• avi
• wma
• mp4
• mp3
• wav
• wab
• mht
• adb
• tbb
• uin
• rtf
• dbx
• eml
• mmf
• nch
• mbx
• asp
• pl
• sht
• php

The worm avoids certain address, those using the following strings:

• norepl
• master
• accoun
• google
• certific
• listserv
• linux
• ntivi
• icrosoft
• admin
• the.bat
• gold-certs
• ca
• feste
• submit
• not
• help
• privacy
• somebody
• site
• rating
• bugs
• someone
• anyone
• nobody
• noone
• samples
• root
• example.com
• ymante
• slashdot.
• sf.net
• sourceforge
• mozilla.
• uci.edu
• ucsd.edu
• rutgers.edu
• berkeley
• stanford.edu
• packetstorm
• secur
• isc.org
• isi.edu
• sendmail.
• rfc-edit
• kernel.
• google.
• ibm.com
• urlon
• fsf.
• gnu.
• mit.edu
• bsd
• unix
• ietf.
• ripe.
• arin.
• iana.
• .mil
• gov.
• .gov
• support
• ssagelab
• panda
• hotmail.com
• msn.c
• icrosoft.
• norma
• avp
• ruslis
• trendmic
• trend.c
• nai.co
• sopho
• spam
• www
• spm
• abuse
• .edu

Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

• sales
• tom
• stan
• bob
• peter
• kevin
• sam
• james
• alex
• john

Removal

All Users :
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

McAfee Threatscan
ThreatScan users can detect the remote access component by running a Resource Discovery Task using the following settings:

-Select TCP Port scan
-Enter port: 1080
 
McAfee Desktop Firewall
To prevent possible remote access McAfee Desktop Firewall users can block incoming TCP port 1080.

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This is a mass-mailing worm that bears the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• contains a backdoor component (see below)
• contains a Denial of Service payload

The virus arrives in an email message as follows:

From: (Spoofed email sender)

Do not assume that the sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject and Message body: (Varies, may be chosen from the following list)

• Here it is
• Please, read and let me know what do you feel
• Full message is in the attached document
• Open the document
• Test
• Here is the document
• Please, reply
• Re:
• See you
• Okay
• Ok
• Look at the attached file
• Look at the document
• Read this
• See the attached document
• See the attached message
• See attachment
• See attachemnt
• Read the document
• Details are in the attached document
• Hi! Check the attachment for details
• Your file is attached
• Your document is attached
• See the attached file for details
• Please read the attached file
• Please have a look at the attached file
• Here is the file
• Read the attached message
• For your eyes only
• micro$oft must die. support us!
• Micro$oft
• some stuff
• Your profile
• just some stuff
• See you soon
• Auto-reply
• Address verification
• Your account is about to be expired
• Your account is expired
• Expired account
• Bank information
• Registration rejected
• Rejected
• excuse me
• photo
• my photos
• Alert
• Warning
• Attention
• hey!
• read!!!
• i can tell you the future
• your chance
• please read
• corrupted
• missed
• unknown
• Microsoft
• join
• we're unable to process your request
• i need you
• Interesting
• we're experiencing technical problems
• Empty
• Automatic notification
• Reply
• beauty
• kleopatra
• kate
• dear friend!
• Response
• Request
• notification
• anna
• price list
• hey
• fw:
• re:
• question
• report
• how are you?
• :-)
• :)
• hello! :)
• hi! :)
• confirmed
• Email verification
• verification
• see you
• You have been successfully registered
• Please, confirm the registration
• Registration
• Your details
• Your account details
• service
• melissa
• maria
• pamela
• jessica
• your website
• your text
• your music
• your letter
• your archive
• thank you
• thanks
• thanks!
• your document
• my details
• here is the document
• here
• hello
• spreadsheet
• excel
• Your request
• do you still love me
• do you love me
• greetings
• hello my friend
• hi!
• account details
• your account
• from me
• Daily Report
• summary
• price-list
• pricelist

Attachment: (Varies [.com, .bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive, for example)

• doc.bat
• document.zip
• information.zip
• readme.zip
• text.pif
• bill.scr
• msg.htm.pif
• paypal.txt.exe
• letter.scr

The icon used by the file tries to make it appear as if the attachment is a MS Word document:

When this file is run (manually), it copies itself to the WINDOWS SYSTEM directory as a randomly-named file with an extension of .BAT, .EXE, .PIF, .CMD, or .SCR.

• %SysDir% \(random letters )[.bat, .exe, .pif, .cmd, or .scr]
  (Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It creates the following registry entry to hook Windows startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "(random letters)" = %SysDir% \(random letters) [.bat, .exe, .pif, .cmd, or .scr]

The virus uses a randomly-named DLL that it creates in the Windows System directory:

•  %SysDir% \(random letters) .dll (size varies)

This DLL is injected into the EXPLORER.EXE upon reboot via these registry keys:

• HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InProcServer32 "(Default)" = %SysDir%\(random letters) .dll
• HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir% \(random letters) .dll

Remote Access Component
The worm (this functionality is in the dropped DLL) opens a connection on TCP port 1080.

Denial of Service Component
This worm contains a payload to carry out a denial of service against the www.symantec.com website, which starts 10-20 minutes after the malicious file is initially run.

Symptoms

Symptoms -

Method of Infection

Method of Infection -

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

• xls
• jpg
• avi
• wma
• mp4
• mp3
• wav
• wab
• mht
• adb
• tbb
• uin
• rtf
• dbx
• eml
• mmf
• nch
• mbx
• asp
• pl
• sht
• php

The worm avoids certain address, those using the following strings:

• norepl
• master
• accoun
• google
• certific
• listserv
• linux
• ntivi
• icrosoft
• admin
• the.bat
• gold-certs
• ca
• feste
• submit
• not
• help
• privacy
• somebody
• site
• rating
• bugs
• someone
• anyone
• nobody
• noone
• samples
• root
• example.com
• ymante
• slashdot.
• sf.net
• sourceforge
• mozilla.
• uci.edu
• ucsd.edu
• rutgers.edu
• berkeley
• stanford.edu
• packetstorm
• secur
• isc.org
• isi.edu
• sendmail.
• rfc-edit
• kernel.
• google.
• ibm.com
• urlon
• fsf.
• gnu.
• mit.edu
• bsd
• unix
• ietf.
• ripe.
• arin.
• iana.
• .mil
• gov.
• .gov
• support
• ssagelab
• panda
• hotmail.com
• msn.c
• icrosoft.
• norma
• avp
• ruslis
• trendmic
• trend.c
• nai.co
• sopho
• spam
• www
• spm
• abuse
• .edu

Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

• sales
• tom
• stan
• bob
• peter
• kevin
• sam
• james
• alex
• john

Removal -

Removal -

All Users :
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

McAfee Threatscan
ThreatScan users can detect the remote access component by running a Resource Discovery Task using the following settings:

-Select TCP Port scan
-Enter port: 1080
 
McAfee Desktop Firewall
To prevent possible remote access McAfee Desktop Firewall users can block incoming TCP port 1080.

Variants

Variants -

N/A