W32/Mabutu.a@MM

Type: Virus
SubType: E-mail
Discovery Date: 07/27/2004
Length: 32,768 bytes (EXE); 48,640 bytes (DLL)
Minimum DAT: 4382 (07/28/2004)
Updated DAT: 4528 (07/05/2005)
Minimum Engine: 5.1.00
Description Added: 07/27/2004
Description Modified: 07/27/2004 3:57 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

This is a mass-mailing worm with the following characteristics:

  • constructs messages using its own SMTP engine
  • spoofs the From: address
  • harvests email addresses from the victim machine
  • consists of multiple components (the EXE serves to drop a DLL, which contains the replication code)

Mail Propagation

The virus harvests email addresses from files with the following extensions on the victim machine:

  • .TXT
  • .HTML
  • .HTM
  • .WAB

Outgoing messages are constructed with variable subject lines and attachment filenames. Example subject lines include:

  • Hello
  • Important
  • I'm in love
  • Sex
  • Wet girls
  • Hi

Possible filenames include:

  • DETAILS
  • JENIFER
  • BRITNEY
  • CREME_DE_GRUYERE
  • GUTTED
  • FETISHES
  • PHOTO
  • DOCUMENT

Filenames may also be constructed from random letters and numbers (e.g. U8984648). The virus may also mail itself within a ZIP archive.

The following file extensions are used:

  • SCR (copy of the worm)
  • ZIP (worm within an archive)

Within the ZIP archive, the worm's filename may carry a double extension, with multiple spaces inserted between the decoy extension and the real .SCR extension in an attempt to deceive the user. For example:

  • .JPG (multiple spaces) .SCR
  • .TXT (multiple spaces) .SCR
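
The attachment-naming tricks listed above (SCR and ZIP extensions, the lure names, random letter-and-digit names, and the padded double extension inside the archive) can be checked mechanically at a mail gateway. The following is an added example written for this page, not code from McAfee or from the worm description; the lure names and extensions come from the description, while the thresholds (two or more spaces, five or more digits) and the sample archive are constructed assumptions.

```python
from __future__ import annotations

import io
import re
import zipfile

# Added example: heuristics for the attachment naming described on the page.
# Names and extensions are taken from the description; the two thresholds below
# (>= 2 padding spaces, >= 5 digits in a "random" stem) are assumptions.
EXECUTABLE_EXTENSIONS = {"scr"}
ARCHIVE_EXTENSIONS = {"zip"}
KNOWN_LURE_NAMES = {
    "details", "jenifer", "britney", "creme_de_gruyere",
    "gutted", "fetishes", "photo", "document",
}
RANDOM_STEM_RE = re.compile(r"[a-z]\d{5,}")  # shape of U8984648 (assumed)


def classify_attachment_name(name: str) -> list[str]:
    """Return the reasons an attachment or ZIP-member name looks like a
    Mabutu-style lure; an empty list means nothing matched."""
    reasons: list[str] = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path inside the archive
    parts = base.split(".")
    final_ext = parts[-1].strip().lower() if len(parts) > 1 else ""
    if final_ext in ARCHIVE_EXTENSIONS:
        reasons.append("archive attachment (scan members with scan_zip_bytes)")
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{final_ext}")
        if len(parts) >= 3:
            # "PHOTO.JPG          .SCR": the decoy extension carries the padding
            decoy = parts[-2]
            reasons.append(f"double extension (decoy .{decoy.strip().lower()})")
            if re.search(r" {2,}$", decoy):
                reasons.append("multiple spaces before final extension")
    stem = parts[0].strip().lower()
    if stem in KNOWN_LURE_NAMES:
        reasons.append(f"known lure name '{stem}'")
    elif RANDOM_STEM_RE.fullmatch(stem):
        reasons.append("random letter+digits stem")
    return reasons


def scan_zip_bytes(data: bytes) -> dict[str, list[str]]:
    """Inspect every member name of a ZIP archive; member content is never run."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_attachment_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive; the member holds an inert placeholder, not a payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PHOTO.JPG          .SCR", b"placeholder, not executable content")
        zf.writestr("readme.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in ["PHOTO.JPG          .SCR", "U8984648.SCR", "DETAILS.ZIP", "report.txt"]:
        print(f"{sample!r}: {classify_attachment_name(sample) or 'clean'}")
    print(scan_zip_bytes(build_sample_zip()))
```

The split on dots is deliberate: Windows honours the last extension, so the check reads the final component rather than trusting the visible `.JPG`, and the padding is detected on the decoy component where the worm places it. A gateway would typically block on the executable-extension reason alone and use the remaining reasons for triage.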

Symptoms

The virus installs itself (both EXE and DLL) into the Windows directory on the victim machine. The filenames it uses are constructed from a random letter followed by 'TWAIN' (with a .DLL or .EXE extension). For example:

  • %WinDir%\HTWAIN.EXE
  • %WinDir%\HTWAIN.DLL

Other files are also dropped into %WinDir%:

  • %WinDir%\CFG.DAT
  • %WinDir%\RHTWAIN.DAT (first two letters variable)

The system file RUNDLL32.EXE is used for running the DLL. It is also used in hooking system startup via the addition of the following Registry key:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "winupd" = RUNDLL32.EXE %WinDir%\HTWAIN.DLL, _mainRD
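
The persistence indicators above (a random-letter ?TWAIN.EXE/.DLL pair in %WinDir%, the ??TWAIN.DAT and CFG.DAT files, and a Run value that invokes RUNDLL32.EXE against the DLL's _mainRD export) are specific enough to check from a registry export and a directory listing. The following is an added example written for this page, not McAfee's removal logic; the regular expressions encode only what the description states, and the registry values and directory listing it runs on are constructed sample data.

```python
from __future__ import annotations

import re

# Added example: persistence checks built from the indicators on the page.
# The sample registry data and directory listing further down are constructed.
RUN_VALUE_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'          # RUNDLL32.EXE, optionally with a path
    r'"?(?:%windir%|[a-z]:\\windows)\\([a-z])twain\.dll"?'   # %WinDir%\?TWAIN.DLL
    r'\s*,\s*_mainrd\s*$',                                   # exported entry point _mainRD
    re.IGNORECASE,
)
# One random letter + TWAIN (EXE/DLL) or two letters + TWAIN.DAT. The legitimate
# TWAIN.DLL / TWAIN_32.DLL shipped in %WinDir% have no prefix letter and do not match.
TWAIN_FILE_RE = re.compile(r'^(?:[a-z]twain\.(?:exe|dll)|[a-z]{2}twain\.dat)$', re.IGNORECASE)


def check_run_values(run_values: dict[str, str]) -> list[tuple[str, str]]:
    """Inspect name -> data pairs from HKLM\\...\\CurrentVersion\\Run and return
    (value name, reason) for each match. The data pattern is the strong signal;
    the value name 'winupd' alone is reported as weak."""
    hits: list[tuple[str, str]] = []
    for name, data in run_values.items():
        m = RUN_VALUE_RE.match(data)
        if m:
            hits.append((name, f"rundll32 loads {m.group(1).upper()}TWAIN.DLL via _mainRD"))
        elif name.lower() == "winupd":
            hits.append((name, "value name 'winupd' (weak: data does not match)"))
    return hits


def find_dropped_files(windir_listing: list[str]) -> tuple[list[str], list[str]]:
    """Split a %WinDir% listing into strong indicators (random-letter TWAIN files)
    and weak ones (CFG.DAT, a generic name that needs corroboration)."""
    strong = [n for n in windir_listing if TWAIN_FILE_RE.match(n)]
    weak = [n for n in windir_listing if n.lower() == "cfg.dat"]
    return strong, weak


def assess(run_values: dict[str, str], windir_listing: list[str]) -> dict:
    """Combine both checks; require a Run hook and a dropped file before calling it."""
    hits = check_run_values(run_values)
    strong, weak = find_dropped_files(windir_listing)
    return {
        "run_hits": hits,
        "dropped_strong": strong,
        "dropped_weak": weak,
        "likely_infected": bool(hits) and bool(strong),
    }


# Constructed sample data standing in for a registry export and a directory listing.
SAMPLE_RUN_VALUES = {
    "winupd": r"RUNDLL32.EXE C:\WINDOWS\HTWAIN.DLL, _mainRD",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "SysUpdate": r'"C:\Program Files\Vendor\updater.exe" /background',
}
SAMPLE_WINDIR = [
    "explorer.exe", "TWAIN.DLL", "TWAIN_32.DLL", "HTWAIN.EXE",
    "HTWAIN.DLL", "RHTWAIN.DAT", "CFG.DAT", "win.ini",
]

if __name__ == "__main__":
    print(assess(SAMPLE_RUN_VALUES, SAMPLE_WINDIR))
```

On a live machine the dictionary would come from `reg export` or `winreg`, and the listing from `os.listdir(os.environ["WINDIR"])`; the matching logic is the same. The final verdict deliberately demands both the Run hook and a random-letter TWAIN file, because CFG.DAT and the bare name "winupd" are not distinctive on their own.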

The virus attempts to connect to a remote IRC server (destination port TCP 6667). The following servers are used:

  • austin.tx.us.undernet.org
  • mesa.az.us.undernet.org
  • surrey.uk.eu.undernet.org
  • stockholm.se.eu.undernet.org
  • moscow.ru.eu.undernet.org
  • haarlem.nl.eu.undernet.org
  • amsterdam.nl.eu.undernet.org
  • amsterdam2.nl.eu.undernet.org
  • quebec.qu.ca.undernet.org
  • graz2.at.eu.undernet.org
  • toronto.on.ca.undernet.org
  • montreal.qu.ca.undernet.org
  • vancouver.bc.ca.undernet.org
  • graz.at.eu.undernet.org
  • london.uk.eu.undernet.org
  • brussels.be.eu.undernet.org
  • diemen.nl.eu.undernet.org
  • oslo.no.eu.undernet.org
  • flanders.be.eu.undernet.org
  • lulea.se.eu.undernet.org
  • los-angeles.ca.us.undernet.org
  • phoenix.az.us.undernet.org
  • washington.dc.us.undernet.org
  • atlanta.ga.us.undernet.org
  • manhattan.ks.us.undernet.org
  • baltimore.md.us.undernet.org
  • lasvegas.nv.us.undernet.org
  • newyork.ny.us.undernet.org
  • dallas.tx.us.undernet.org
  • saltlake.ut.us.undernet.org
  • arlington.va.us.undernet.org
  • auckland.nz.undernet.org
  • ann-arbor.mi.us.undernet.org
  • newbrunswick.nj.us.undernet.org
  • plano.tx.us.undernet.org
  • mclean.va.us.undernet.org
  • caen.fr.eu.undernet.org
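
Because the worm reaches out to a fixed family of IRC servers on TCP 6667, an outbound-connection log is a good place to find infected workstations before the mail traffic is noticed. The following is an added example written for this page, not McAfee's tooling: it parses a constructed, syslog-style firewall log (the format is hypothetical, as are the source addresses and the non-undernet hosts), flags every outbound TCP/6667 session, rates connections to the *.undernet.org servers listed above as high, and groups the results by internal source so each host can be checked for the dropped ?TWAIN files.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Added example: hunting for the IRC beacon described on the page in a
# connection log. The log format and every line of SAMPLE_LOG are constructed.
IRC_PORT = 6667
IRC_SERVER_SUFFIX = ".undernet.org"  # domain family of the servers the page lists

SAMPLE_LOG = """\
Jul 27 10:01:02 fw1 conn: src=10.0.0.15:49152 dst=192.0.2.10:443 proto=TCP action=allow host=www.example.com
Jul 27 10:01:05 fw1 conn: src=10.0.0.22:49160 dst=198.51.100.7:6667 proto=TCP action=allow host=austin.tx.us.undernet.org
Jul 27 10:01:09 fw1 conn: src=10.0.0.22:49161 dst=198.51.100.8:6667 proto=TCP action=deny host=surrey.uk.eu.undernet.org
Jul 27 10:02:00 fw1 conn: src=10.0.0.31:49170 dst=203.0.113.5:6667 proto=TCP action=allow host=irc.example.net
Jul 27 10:02:30 fw1 conn: src=10.0.0.15:49180 dst=192.0.2.11:25 proto=TCP action=allow host=mail.example.com
Jul 27 10:03:00 fw1 conn: src=10.0.0.40:49190 dst=203.0.113.9:6667 proto=UDP action=allow host=ntp.example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ conn: "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+) host=(?P<host>\S+)$"
)


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_irc_indicators(log_text: str) -> list[dict]:
    """Return every outbound TCP/6667 session; known servers are rated high,
    any other IRC destination medium. Denied attempts are kept: the host tried."""
    findings: list[dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"].upper() != "TCP" or rec["dport"] != IRC_PORT:
            continue
        known = rec["host"].lower().endswith(IRC_SERVER_SUFFIX)
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "host": rec["host"],
            "action": rec["action"], "severity": "high" if known else "medium",
        })
    return findings


def sources_to_investigate(findings: list[dict]) -> dict[str, list[str]]:
    """Group contacted IRC hosts by internal source address for host triage."""
    by_src: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        by_src[f["src"]].append(f["host"])
    return dict(by_src)


if __name__ == "__main__":
    hits = find_irc_indicators(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['host']} [{h['action']}] {h['severity']}")
    print(sources_to_investigate(hits))
```

The rating is kept separate from the port match on purpose: a workstation talking to any IRC server is worth a look, but one contacting the undernet.org servers from this description on the day the DAT update shipped is the case to triage first. The same structure can carry a second rule for direct outbound TCP/25 from workstations, which the worm's own SMTP engine would produce, once the site's legitimate mail relays are excluded.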

Method of Infection

The virus emails itself to target addresses harvested from the victim machine. Outgoing messages are constructed using its own SMTP engine, and the From: header is spoofed.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
