W32/Mydoom.n@MM

Type
Virus
SubType
E-mail worm
Discovery Date
07/19/2004
Length
Approx. 21KB
Minimum DAT
4379 (07/19/2004)
Updated DAT
4566 (08/24/2005)
Minimum Engine
5.1.00
Description Added
07/19/2004
Description Modified
07/20/2004 2:33 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a mass-mailing and share-hopping worm that bears the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • contains ability to copy itself to mapped drives
  • Opens a backdoor on TCP port 1042

Symptoms

When this file is run (manually), it copies itself to the WINDOWS directory as LSASS.EXE.

  • Note: %WinDir% is a variable. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\WINNT (Windows NT/2000).

It creates the following registry entry to hook Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Traybar" %WinDir%\LSASS.EXE

Remote Access Component

The worm listens on TCP port 1042 on the infected machine. This allows a hacker to send commands remotely to the infected system.

Method of Infection

Mail Propagation

The virus arrives in an email message as follows:

From: (Spoofed email sender):

  • Postmaster
  • Mail Administrator  
  • Automatic Email Delivery Software
  • Post Office
  • The Post Office
  • Bounced mail
  • Returned mail
  • MAILER-DAEMON
  • Mail Delivery Subsystem

Do not assume that the sender address is an indication that the sender is infected. Additionally, you may receive alert messages from a mail server stating that you are infected, which may not be the case.

Subject: (Varies, such as)

  • click me baby, one more time
  • say helo to my litl friend
  • hello
  • hi
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error


Body: (Can contain some or all of the following)

  • The original message was received at %Date and Time% from %From_Address%

  • ----- The following addresses had permanent fatal errors ----- %To_Address%

  • ----- Transcript of session follows -----
      while talking to %To_Address%.:
    >>> MAIL From:%From_Address%
    <<< 501 %From_Address%... Refused

  • This Message was undeliverable due to the following reason:      

Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.


Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.

Your message was not delivered within %Random_Number% days:
Host %Random_IP_Address% is not responding.

The following recipients did not receive this message:

Please reply to PostMaster@%Domain_of_To_Address%
if you feel this message to be in error.

Attachment: (extension varies: .cmd, .bat, .pif, .com, .scr, .exe, .zip)

  • readme
  • transcript
  • mail
  • letter
  • file
  • text
  • attachment
  • document
  • message 
  • %random characters%

Additionally, the worm contains a list of strings that it uses to generate, or guess, email addresses. These are prepended as user names to harvested domain names:

  • sales
  • james
  • john
  • spam
  • abus
  • master
  • sample

The worm avoids certain addresses, namely those containing the following strings:

  • accoun
  • privacycertific
  • bug
  • listserv
  • submit
  • ntivi
  • suppor
  • crosoft
  • admi
  • page
  • the.bat
  • gold-certs
  • ca
  • feste
  • not
  • help
  • service
  • no
  • soft
  • contact
  • site
  • rating
  • me
  • you
  • your
  • someone
  • anyone
  • nothing
  • nobody
  • noone
  • info
  • root
  • winzip
  • rarsoft
  • sf.net
  • sourceforge
  • ripe.
  • arin.
  • google
  • gnu.
  • gmail
  • seclist
  • secur
  • math
  • labs
  • bar.
  • foo.
  • .mil
  • gov.
  • .gov
  • update
  • uslis
  • domain
  • example
  • ophos
  • spersk
  • panda
  • hotmail
  • msn.
  • microsoft
  • sarc.
  • syma
  • avp

Propagation via Shared folders

This worm drops copies of itself in folders whose names contain the following strings:

  • shar
  • incoming
  • ftproot
  • download

The following filenames are used when copying itself to the folders mentioned above.

  • index
  • Kazaa Lite
  • Harry Potter
  • ICQ 4 Lite
  • WinRAR.v.3.2.and.key
  • Winamp 5.0 (en) Crack
  • Winamp 5.0 (en)
  • ShareReactor

The extension of the filename can be .scr, .com, or .exe.
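As an added example (not part of the original description), the following Python checks an incoming message against the spoofed-sender, subject and attachment patterns listed under Mail Propagation, and a file path against the shared-folder copy pattern above. The indicator lists are transcribed from this page; the function names, the "attachment hit plus one header hit" scoring rule and the sample inputs in the comments are assumptions of this example.

```python
# Indicator strings transcribed from the description above (lower-cased for matching).
SPOOFED_SENDERS = {"postmaster", "mail administrator", "automatic email delivery software",
                   "post office", "the post office", "bounced mail", "returned mail",
                   "mailer-daemon", "mail delivery subsystem"}
SUBJECTS = {"click me baby, one more time", "say helo to my litl friend", "hello", "hi",
            "error", "status", "test", "report", "delivery failed",
            "message could not be delivered", "mail system error - returned mail",
            "delivery reports about your e-mail",
            "returned mail: see transcript for details", "returned mail: data format error"}
ATTACH_NAMES = {"readme", "transcript", "mail", "letter", "file", "text", "attachment",
                "document", "message"}
ATTACH_EXTS = {".cmd", ".bat", ".pif", ".com", ".scr", ".exe", ".zip"}
SHARE_FOLDERS = ("shar", "incoming", "ftproot", "download")
SHARE_NAMES = {"index", "kazaa lite", "harry potter", "icq 4 lite", "winrar.v.3.2.and.key",
               "winamp 5.0 (en) crack", "winamp 5.0 (en)", "sharereactor"}
SHARE_EXTS = {".scr", ".com", ".exe"}

def split_name(filename):
    """Return (base, extension) of a file name, both lower-cased; '' if no extension."""
    base, dot, ext = filename.lower().rpartition(".")
    return (base, "." + ext) if dot else (filename.lower(), "")

def mail_indicators(sender_name, subject, attachments):
    """List the indicators a message matches. A genuine bounce never carries an
    executable or .zip attachment, so that is the decisive indicator."""
    hits = []
    if sender_name.strip().lower() in SPOOFED_SENDERS:
        hits.append("spoofed-bounce-sender")
    if subject.strip().lower() in SUBJECTS:
        hits.append("known-subject")
    for name in attachments:
        base, ext = split_name(name)
        if ext in ATTACH_EXTS:  # a lure base name on top of the extension is a stronger hit
            kind = "lure-attachment" if base in ATTACH_NAMES else "executable-attachment"
            hits.append(kind + ":" + name)
    return hits

def is_suspect_mail(sender_name, subject, attachments):
    """Assumed scoring rule: an attachment hit plus at least one header hit."""
    hits = mail_indicators(sender_name, subject, attachments)
    return any("attachment" in h for h in hits) and len(hits) >= 2

def is_share_drop(path):
    """True when a path matches the worm's copy into a shared folder: a folder name
    containing one of SHARE_FOLDERS, a lure base name and a .scr/.com/.exe extension.
    Constructed sample: C:\\Kazaa\\My Shared Folder\\Winamp 5.0 (en) Crack.exe -> True."""
    parts = path.replace("\\", "/").lower().split("/")
    folder_hit = any(s in part for part in parts[:-1] for s in SHARE_FOLDERS)
    base, ext = split_name(parts[-1])
    return folder_hit and base in SHARE_NAMES and ext in SHARE_EXTS
```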

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
