W32/Bobax.worm.a

Type: Virus
SubType: Internet Worm
Discovery Date: 05/17/2004
Length: 20,480 bytes (EXE); 17,920 bytes (DLL)
Minimum DAT: 4361 (05/18/2004)
Updated DAT: 4587 (09/21/2005)
Minimum Engine: 5.1.00
Description Added: 05/17/2004
Description Modified: 05/18/2004 6:54 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

This worm spreads without any user interaction by exploiting the LSASS buffer overflow in Microsoft Windows that is addressed by security bulletin MS04-011 (CAN-2003-0533).

Note: Users should install the Microsoft update to be protected from the exploit used by this worm. See:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

The worm executable is written to disk under a random filename. When run, it drops a DLL and injects it into the EXPLORER.EXE process; the DLL contains the main worm functionality.

Symptoms

The worm copies itself to the %SysDir% directory using a random filename and adds a Registry value so that it is loaded at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "(random string)" = %SysDir%\(random filename).exe

(Where %SysDir% is the System directory, for example: C:\WINDOWS\SYSTEM32.)
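The persistence artifact above (a random value name under the HKLM Run key pointing at a random-named executable dropped straight into %SysDir%) is the kind of thing a responder checks across many hosts at once. The script below is an added example, not part of the McAfee description: it parses a `reg export` of the Run key so the check runs offline on an analysis box, reports entries that point directly into %SysDir% and are not on a baseline, and adds a heuristic for random-looking names. The .reg text, the baseline value names and the candidate system directories are all constructed for the example.

```python
"""Offline check of the HKLM Run key for a Bobax-style autostart entry.

Added example, not from the McAfee description. Input is a .reg export, e.g.
  reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg
so the check runs on an analysis box rather than on the suspect host.
"""
import math
import re
from collections import Counter

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Assumption: %SysDir% on the examined host is one of these (adjust per host).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\winnt\system32")
# Hypothetical baseline of Run value names known to belong on this host.
BASELINE = {"vmware tools", "syntpenh"}

# Constructed .reg export, not captured from a real infection: two ordinary
# entries and one shaped like the worm's (random name, file placed in %SysDir%).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"kxqzvwpd"="C:\\WINDOWS\\SYSTEM32\\pqzwlkxv.exe"
'''

# One REG_SZ line: "name"="data", with backslash escapes (hex:/dword: lines ignored).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    # Undo .reg escaping: a backslash followed by any char yields that char.
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(reg_text):
    """Return {value_name: data} for the Run key section of a .reg export."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            values[unescape(m.group(1))] = unescape(m.group(2))
    return values


def executable_path(data):
    """Extract the executable from Run data: a quoted path, or text up to '.exe'."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    m = re.match(r"(.*?\.exe)(\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data


def looks_random(name):
    """Heuristic for generated names: high letter entropy and almost no vowels.
    A weak signal on its own; 'y' counts as a vowel to spare names like SynTPEnh."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    n = len(letters)
    entropy = -sum(k / n * math.log2(k / n) for k in Counter(letters).values())
    vowel_ratio = sum(1 for c in letters if c in "aeiouy") / n
    return entropy >= 2.5 and vowel_ratio < 0.2


def assess_run_key(reg_text):
    """Return [(value_name, exe_path, reasons)] for Run entries worth examining."""
    findings = []
    for name, data in parse_run_values(reg_text).items():
        exe = executable_path(data)
        reasons = []
        if exe.lower().startswith(SYSTEM_DIRS) and name.lower() not in BASELINE:
            reasons.append("unbaselined autostart of a file placed directly in %SysDir%")
        stem = exe.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(name) and looks_random(stem):
            reasons.append("random-looking value name and filename")
        if reasons:
            findings.append((name, exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in assess_run_key(SAMPLE_REG):
        print(f"{name!r} -> {exe}: {'; '.join(reasons)}")
```

The location test is the reliable one: a Run value whose target sits directly in %SysDir% and that nobody put on the baseline deserves a look regardless of its name. The randomness heuristic only corroborates; treat it as a sorting aid, not a verdict.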

When executed, the worm executable drops a DLL into the temporary directory, and injects the DLL into the EXPLORER.EXE process. A side effect of this injection is that EXPLORER.EXE may unexpectedly terminate on the victim machine.

Another side effect is that LSASS.EXE may crash on machines the worm attacks (a failed or unstable exploit attempt brings the process down). By default Windows reboots the machine after such a crash, and a system shutdown countdown dialog is displayed.

Method of Infection

Initial analysis suggests the worm scans IP ranges looking for exploitable machines. When one is found, a buffer in LSASS.EXE is overflowed to obtain a remote shell, which is then used to download the worm from a remote HTTP server as SYS.EXE.
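The chain above leaves two network traces a defender can hunt for: one source touching many hosts on the port the LSASS exploit is delivered over (TCP/445), and a victim shortly afterwards fetching SYS.EXE over HTTP from the very machine that probed it. The script below is an added example, not from the McAfee description; its log format, addresses, timestamps and the HTTP port are constructed for illustration.

```python
"""Hunt for the Bobax infection chain in connection logs.

Added example, not from the McAfee description. The log format is a
constructed, whitespace-separated one: <epoch> <src> <dst> <dport> <info>,
where <info> is the request path for HTTP connections and '-' otherwise.
Two rules follow the description above:
  1. a source reaching many distinct hosts on TCP/445 (the port the LSASS
     exploit is delivered over) within a short window is scanning;
  2. a host that was probed by such a scanner and later fetches /SYS.EXE
     over HTTP from that same scanner is a likely victim.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into (ts, src, dst, dport, info) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, src, dst, dport, info = m.groups()
        records.append((int(ts), src, dst, int(dport), info))
    return records


def find_scanners(records, threshold=10, window=60):
    """Sources that touch >= threshold distinct hosts on TCP/445 within window seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in records:
        if dport == 445:
            by_src[src].append((ts, dst))
    scanners = set()
    for src, probes in by_src.items():
        probes.sort()
        in_window = defaultdict(int)  # dst -> number of probes inside the sliding window
        lo = 0
        for ts, dst in probes:
            in_window[dst] += 1
            while probes[lo][0] < ts - window:  # drop probes that aged out of the window
                old = probes[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= threshold:
                scanners.add(src)
                break
    return scanners


def find_victims(records, scanners, path="/SYS.EXE"):
    """(victim, scanner, ts) for hosts that fetch SYS.EXE from a scanner that probed them."""
    probed_by = defaultdict(set)  # host -> scanners that already hit it on 445
    hits = []
    for ts, src, dst, dport, info in sorted(records):
        if dport == 445 and src in scanners:
            probed_by[dst].add(src)
        elif info.upper().endswith(path) and dst in probed_by.get(src, ()):
            hits.append((src, dst, ts))
    return hits


def build_sample_log():
    """Constructed traffic, not a capture: 10.0.0.5 sweeps 10.0.1.1-30 on 445,
    10.0.0.7 makes routine connections to three file servers, and 10.0.1.17
    then pulls SYS.EXE over HTTP from the scanner (port 80 is an assumption)."""
    t0 = 1084780800  # 2004-05-17 08:00:00 UTC, chosen for illustration
    lines = [f"{t0 + i} 10.0.0.5 10.0.1.{i + 1} 445 -" for i in range(30)]
    lines += [f"{t0 + 5 + i} 10.0.0.7 10.0.2.{1 + i % 3} 445 -" for i in range(6)]
    lines.append(f"{t0 + 45} 10.0.1.17 10.0.0.5 80 /SYS.EXE")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    scanners = find_scanners(recs)
    print("scanners:", sorted(scanners))
    for victim, scanner, ts in find_victims(recs, scanners):
        print(f"{victim} fetched SYS.EXE from {scanner} at {ts}")
```

The second rule is deliberately conditioned on the first: a lone download of a file called SYS.EXE is weak evidence, but a download from a host that scanned you on 445 a moment earlier is the infection sequence the description lays out, and the victim it names is the next scanner to watch for.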

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup are removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations: on these versions, System Restore may have archived a copy of the worm executable. Disable System Restore before cleaning (or purge the restore points afterwards) so that the file cannot be restored.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
