W32/Noomy.a@MM

Type
Virus
SubType
Email
Discovery Date
09/14/2004
Length
Varies
Minimum DAT
4394 (09/22/2004)
Updated DAT
4394 (09/22/2004)
Minimum Engine
5.1.00
Description Added
10/07/2004
Description Modified
10/07/2004 4:15 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update October 7th, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computeractive.co.uk/news/1158607

--

This is a mass-mailing worm with the following characteristics:

  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • sets up an HTTP server on the infected machine
  • terminates processes of various security software
  • downloads system files from remote sites if they are not already present on the machine
  • spreads itself via IRC
  • performs a DDoS on certain websites

The current DATs detect the executable portion of this virus as W32/Generic.d and the VBS portion as VBS/Cidco.gen.

Mail Propagation

Outgoing messages may be formatted as follows (mass-mailing was not observed to function in testing):

Subject:

  • Re: eCard Delivery Error:
  • Re: VoiceMail to - Delivery Error
  • You`ve got 1 new eCard!
  • Re: Bad Request Server not found!
  • One new VoiceMail! ID:
  • One new eCard! ID:
  • ID: New eCard in your inbox!
  • ID: You got one VoiceMail! See online!
  • Num: One new eCard from
  • Num: One new VoiceMail from
  • Mail Delivery (error)
  • Re: Message Error! mail:
  • Bad Request Server not found!
  • Re:  Mail System Error - Returned Mail
  • Extended Mail System ERROR:
  • Re: Mail Delivery Error!
  • Protected Mail Server invalid!
  • Re: Mail Delivery: - Error
  • Re: MAIL Error num: - Returned mail: see transcript for details
  • Warning!!!
  • Why you SPAM?
  • Last notice! Regard ! Please read...
  • This is not OK !
  • Don't spam!!!!!
  • Question about YOUR SPAM!!
  • Information!You spam this email:
  • Last chance!STOP SPAM THIS EMAIL:
  • I call spam POLICE! STOP!!!

Body Text:

  • Dear Sir,
    According to our cognitions you have done next:
    The emails are still arriving...
    Stop to doing that,i call Spam Police!
    actually you have been buring our network and our right is to protect our users.
    Accourding to that you have been informed about this by phone by our System engineer,
    with this letter we want to point you to next facts:
    1) Your personal account is not restricted in any way and our right is to protect our users and servers;
    2) Server has been shuted down beacouse large amount of emails that have been arricing to our servers and beacouse of adequacy suspicion that it is a spam ramp.
    3) Unsubscribing system is not functioning!
    On unsubscribing attempt result is next:
    Persits.MailSender.4 error 84a0004'
    Connection timed out.
    ---------------------
    Email not found:
    According to part 10 of Personal servie terms of use we are authorized to warn you about this.
    As an evidence we have a LOG file fromour server that is clearly showing date and time when you about this.
    I send you LOG File , to see your IP Adress!
    have been sending spam emails, your IP address and your username!
    Please accept this warnning about sending informations to users and wrongly interpret our actions taken in your case as seriously as possible.
    If you don't accept this warning we will be forced to refer to our lawyers so we could protect our company intersts.
    If you don't understand anything in this email, please contact us via email or by phone for aditional explanations.
    Reply-To:
    According to computer criminal law of USA, act 168v, act you have done is judget to
    jail (1-8 years).
    Best regards,
    Office Manager
  • Dear Sir,i wait for your comment about it.
    You SPAM our email server:
    Thank You!
  • Dear Customer!
    You`ve got 1 eCard VoiceMessage from ecards.com website!
    You can listen your Virtual VoiceMessage at the following link:
    http://see.ecards.com/
    or by clicking the attached link:
    You can see your eCard at the following link:
    Send eCard VoiceMessage! Try our new eCard VoiceMessage Empire!
    Best regards: eCard.com Team (R).
  • Dear User!
    You have one new eCard Pic to your inbox at eCard.com
    Login ID:
    https://pics.ecard.com/
    Or by clicking the attached link:
    Thank you
  • One new Voice Message for you!
    From:
    Can see online: http://voice.ecard.com/
    Test our new service! Send you one voice message http://voice.ecards.com
    Best regards: eCard.com Team (R).
  • Delivery Failed ! Error:
    The original message was included as attachment
    ----- The following addresses had permanent fatal errors -----
    >>> DATA or --
    <<<400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
    --- From Server:
    >>> MAIL
    To:
    <<<400-aturner; -RMS-E-CRE, ACP file create failed
    <<<400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
    <<<400
    --- Attachment: ---
    Attachment: No Virus found
    Kaspersky AntiVirus - www.kaspersky.com

    Your message [was not or could not be] delivered because the destination'
     'was
    reachable within the allowed queue period. The amount of time
    From:
    a message is queued before it is returned depends on local configuration parameters.
    <<<< ---------------
    it is also possible that the computer is turned off, or does not have a mail system running right now.
    >>> Your message [was not or could not be] delivered within 3 days.
     <<< is not responding.
    Please reply to postmaster!
    <<<400 if you feel this message to be in error.
    >< Automatic message from:

Attachment: (with a final extension of .exe, .pif or .scr)

  • Sending.www.ecards.com
  • pics.ecards.com
  • see.ecards.com
  • voice.ecards.com
  • secure.ecards.com
  • ecardID.ecards.com
  • secpics.ecards.com
  • online.ecard.com
  • onlineSee.cards.com
  • pics.online.see.com
  • URL.ecard.php.SSEcxcsd
  • link.index.php.seeHere
  • file.URL.view.fDEd
  • LIVE.show.URL.see.phpAsVEd
  • log.file.
  • logs.
  • URL.Picture.php.Seeonline
  • -www.telekom.com
  • -www.usaeunet.com
  • -www.aol.com
  • -www.aol.abuse.co.com
  • -www.scg.net.com
  • -www.pttusa.com
  • -www.police.spam.com
  • -www.usapolice.com
  • -www.nic.uk.com
  • -www.webhosting.com
  • file.logs.
  • mail.log.
  • smtp.serverLog
  •  yahoo
  • -hotmail
  • -mailmail
  • FdfsECcdsaA.error.
  • Dde.view.
  • Nude.only.viewDFereS
  • -servise.error
  • Index.php.sEeeDSAD.not.found
  • vk.Only.error.found
  • private.mail.error2222442
  • Error.MSG.
  • e-mail.
  • unsent.mail.
  • msg.
  • mail.
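
The subject lines and attachment extensions above are enough to build a mail-gateway rule. The following Python is an added example, not part of McAfee's description or the worm's code. It treats the listed subjects as prefixes (several end in "ID:" or "from", where a value was evidently appended, so this is an assumption), quarantines a message only when a lure subject is paired with an attachment whose final extension is .exe, .pif or .scr, and sends any other executable attachment for review. The sample messages, the helper names (classify, build_sample, SAMPLES) and the addresses in them are constructed for the example.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Subject lines from the description above, treated as prefixes.
SUBJECT_PREFIXES = (
    "Re: eCard Delivery Error:", "Re: VoiceMail to - Delivery Error",
    "You`ve got 1 new eCard!", "Re: Bad Request Server not found!",
    "One new VoiceMail! ID:", "One new eCard! ID:",
    "ID: New eCard in your inbox!", "ID: You got one VoiceMail! See online!",
    "Num: One new eCard from", "Num: One new VoiceMail from",
    "Mail Delivery (error)", "Re: Message Error! mail:",
    "Bad Request Server not found!", "Re: Mail System Error - Returned Mail",
    "Extended Mail System ERROR:", "Re: Mail Delivery Error!",
    "Protected Mail Server invalid!", "Re: Mail Delivery: - Error",
    "Re: MAIL Error num: - Returned mail: see transcript for details",
    "Warning!!!", "Why you SPAM?", "Last notice! Regard ! Please read...",
    "This is not OK !", "Don't spam!!!!!", "Question about YOUR SPAM!!",
    "Information!You spam this email:", "Last chance!STOP SPAM THIS EMAIL:",
    "I call spam POLICE! STOP!!!",
)
# Final extensions the worm uses for its attachment.
EXEC_EXTS = {"exe", "pif", "scr"}


def _norm(text):
    """Collapse whitespace and case so minor variations still match."""
    return re.sub(r"\s+", " ", str(text or "")).strip().casefold()


_NORMALIZED_PREFIXES = tuple(_norm(p) for p in SUBJECT_PREFIXES)


def subject_matches(subject):
    """True when the subject starts with one of the documented lure subjects."""
    s = _norm(subject)
    return any(s.startswith(p) for p in _NORMALIZED_PREFIXES)


def executable_attachments(msg):
    """Filenames of attachments whose final extension is .exe, .pif or .scr."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.rsplit(".", 1)[-1].casefold() in EXEC_EXTS:
            hits.append(name)
    return hits


def classify(raw):
    """Return (verdict, attachment names); verdict is quarantine, review or pass."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    exes = executable_attachments(msg)
    if not exes:
        return "pass", []
    if subject_matches(msg["Subject"]):
        return "quarantine", exes
    # Executable attachment without a known lure subject: still worth a look.
    return "review", exes


def build_sample(subject, attachment_name):
    """Constructed test message (not a real capture); helper for this example."""
    m = EmailMessage()
    m["From"] = "Mail Service <mailservice@example.com>"  # spoofed-style sender, made up
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Delivery Failed ! Error:\nThe original message was included as attachment\n")
    if attachment_name:
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


SAMPLES = {
    # documented subject prefix plus a documented attachment stem with .scr appended
    "lure": build_sample("Re: Mail Delivery Error! 1138", "see.ecards.com.scr"),
    "exe_only": build_sample("Q3 budget", "report.exe"),
    "benign": build_sample("Re: Mail Delivery Error!", None),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```

The rule deliberately requires both signals for a quarantine verdict: the subjects alone also appear in legitimate bounce traffic, while an executable attachment alone may be policy-violating but not this worm.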

Installation

The virus copies itself into the Windows directory as SYSCONF32.EXE. For example:
C:\WINDOWS\Sysconf32.exe (88,576 bytes)

It also creates other files in the root of the C: drive, to perform its functions:

  • C:\ReAd_ThiS_ShiT.txt (673 bytes - text file)
  • C:\StpLogs.vbs (2,465 bytes - VBS file for harvesting addresses from the local machine)

It creates the folder %SysDir%\SystemBck and copies itself there with the following filenames:

  • XboxIso2RomConverter.exe
  • Ageofempires2crack.exe
  • AgeOfMythologyISO.exe
  • BattlenetkeygeneratorWORKS.exe
  • BritneyspearsNude.scr
  • Burnout2CarRacing.exe
  • Cablemodemuncapper.exe
  • CloneCDcrack.exe
  • CloneCDallversionskeygenerator.exe
  • Copyprotectionremover.exe
  • Crazytaxicrack.exe
  • CuteFTPPro30.exe
  • DivXcodecv6.0.exe
  • DivXnewestversion.exe
  • DivXpatch-Increasesquality.exe
  • DivXprokeygenerator.exe
  • Doom3Beta.exe
  • DragonballZCOMPLETEepisodeguide.exe
  • DragonballZepisode1.exe
  • DragonballZshootout.exe
  • GamecubeEmulatorWORKS.exe
  • GrandPrix4crack.exe
  • Grandtheftauto3CD1crack.exe
  • GTA3crack.exe
  • Hackintoanycomputer.exe
  • Half-lifeONLINEkeygenerator.exe
  • Half-lifeWONkeygenerator.exe
  • J-LONudeREAL.scr
  • JediKnight2crack.exe
  • KaZaAhack.exe
  • FIFA2004crack.exe
  • NBA2004crack.exe
  • AquaNox2crack.exe
  • UT2003bloodpatch.exe
  • Unreal2bloodpatch.exe
  • Battlefield1942bloodpatch.exe
  • AVPCrackNEW.exe
  • zoneallarmprocrack2004.exe
  • counterstrikerkeygen2004.exe
  • warcraft3keygen.exe
  • windowskeygenNEWSeptember2004.exe
  • officexppatch2004.exe
  • haloonpc.exe
  • HotmailPasswordHacker2004.exe
  • MailBomberv8.1.exe
  • 2004serials.pif
  • hackershandbook.pif
  • anarchistcookbook.pif
  • MacromediaDreamweaverMXKeyGenerator.exe
  • MacromediaFlashMXKeyGenerator.exe
  • MacromediaMXkeygeneratorallproducts.exe
  • MafiaISO.exe
  • McAfeeFirewall3.exe
  • Microsoftkeygeneratorworksfor.exe
  • MicrosoftOfficeXPenglishkeygenerator.exe
  • MicrosoftOfficeXPiso.exe
  • MicrosoftWindowsXPcrackpack.exe
  • MotorcrossMadness2.exe
  • N0RT0NANTIVIRUS2004.exe
  • Neverwinternightscrack.exe
  • Nokiasimlockremoverincludesnewmodels.exe
  • Nortonantivirus2002.exe
  • Rayman2Full.exe
  • ResidentEvilDivX.exe
  • Starwarsepisode2downloader.exe
  • TotalImmersionRacingISO.exe
  • Warcraft3battlenetserialgenerator.exe
  • Warcraft3ONLINEkeygenerator.exe
  • WinAPs2.exe
  • WindowsXPkeygenerator.exe
  • WindowsXPserialgenerator.exe
  • WindowsXPSP1key-Crack.exe
  • Winrarandcrack.exe
  • Winzip80serial.exe
  • WorkingIsoBurner.exe
  • XBOXemulatorWORKS.exe
  • Xboxinfo.exe
  • AnaKurnikovaVirualGirl2004.scr
  • Battlefield1942Bloodpatch.exe
  • AngelinaRealScreenSaver.scr
  • CounterStrikeHLDSv1.1.0.9.exe
  • DVDCoppierv1.5.7byCrash2004.exe
  • FunnyBush2004movieSeptember.scr
  • DVDRipperv1.3.2byCrash2004.exe
  • iWormMymoonremovetool2.5.exe
  • EvidenceEraserbyCrash2004.exe
  • McAffeeUtilitiesv3.11FinalbyR2P2K.exe
  • McAffeeUtilitiesv3.11byR2P2K.exe
  • NeroBurningROMv5.5.8.2Keygen.exe
  • NeroBurningROMv5.5.8.2Serial.exe
  • NeroBurningROMv5.5.8.2byCooKie.exe
  • SpyAgentRemoteControl1.05.exe
  • SpyCamv6.32.exe
  • SpyTechSpyAgentPersonalv3.00.00byAmoK.exe
  • StarCraftBroodWarv1.09byFR.exe
  • UnrealTournament2bloodpatch.exe
  • UnrealTournament2004Bloodpatch.exe
  • Windows2004Keygen.exe
  • WindowsXPKeyGen.exe
  • YahooPasswordHacker2004BF.exe
  • ZoneAlarmProv3.0.2.6byOrion.exe
  • Generalscrack.exe
  • Mirc7.0Crack.exe
  • NapsterClone.exe
  • PlayGamesOnlineForFREE.exe
  • Ps2Emulator.exe
  • Ps2Iso2RomConverter.exe
  • ShakiraDancing.scr
  • SoldierOfFortune2MutiplayerSerialHack.exe
  • SystemMonitor.exe
  • TheSimsGameCrack.exe
  • UniversalGameCrack.exe
  • Warcraft3Battle.netCrack.exe
  • XboxEmulator.exe
  • 1001nesroms.exe
  • windowsxpkeygen.exe
  • deadaim4.0.exe
  • deadaim4.0serial.exe
  • counterstrikemaphack.exe
  • counterstrikeaim_bot.exe
  • AliciaSilverstonePayboyNude.scr
  • Bingo.exe
  • BritneySpearsDanceBeat.scr
  • DDosClient2005.exe
  • EmailBomber447.exe
  • FileServer.exe
  • FlashGolf.exe
  • FreeMpegsLists.pif
  • FreePicsList.pif
  • FreePornLists.pif
  • HoesForYouSolitare.exe
  • J.LoBikiniScreensaver.scr
  • JennaJamisonDildoHumping.scr
  • KamaSutraTetris.exe
  • KazaaClone.exe
  • KaZaAmediadesktopv2.0UNOFFICIAL.exe
  • KaZaAspywareremover.exe
  • KeygeneratorforallwindowsXPversions.exe
  • Keygeneratorforoverreally.exe

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Windows HTML file reader" = %WinDir%\Sysconf32.exe
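
The dropped files, the SystemBck directory and the Run value above are the host-side indicators. The following Python check is an added example, not McAfee's tooling or the worm's code: it resolves the %WinDir%/%SysDir% placeholders, looks for each artifact, and reports the startup hook. The HostState snapshot type, collect_live_state and the SAMPLE_INFECTED data are this example's own constructs; the live collector reads the real registry through winreg and therefore only runs on Windows, while the snapshot form lets the logic run anywhere.

```python
import os
import platform
from dataclasses import dataclass

# Indicators exactly as documented in the Installation section above.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Windows HTML file reader"
DROPPED_FILES = (
    r"%WinDir%\Sysconf32.exe",
    r"C:\ReAd_ThiS_ShiT.txt",
    r"C:\StpLogs.vbs",
    r"%SysDir%\SystemBck",      # directory holding the renamed copies
)


@dataclass
class HostState:
    """Snapshot of what the check inspects (helper type for this example).

    existing_paths: lower-cased absolute paths that exist on the host.
    run_values:     value name -> data under HKLM\\...\\CurrentVersion\\Run.
    """
    windir: str
    sysdir: str
    existing_paths: set
    run_values: dict


def expand(indicator, windir, sysdir):
    """Resolve the %WinDir% / %SysDir% placeholders used in the description."""
    return (indicator.replace("%WinDir%", windir)
                     .replace("%SysDir%", sysdir)
                     .lower())


def check_noomy(state):
    """Return human-readable findings; an empty list means no indicator hit."""
    findings = []
    for indicator in DROPPED_FILES:
        path = expand(indicator, state.windir, state.sysdir)
        if path in state.existing_paths:
            findings.append(f"dropped artifact present: {path}")
    data = state.run_values.get(RUN_VALUE_NAME)
    if data is not None:
        note = f"startup hook: Run\\{RUN_VALUE_NAME} = {data}"
        if not str(data).lower().endswith("sysconf32.exe"):
            note += " (unexpected target, check manually)"
        findings.append(note)
    return findings


def collect_live_state():
    """Build a HostState from the running machine (Windows only)."""
    if platform.system() != "Windows":
        raise RuntimeError("live collection requires Windows")
    import winreg  # standard library on Windows builds of Python
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    sysdir = os.path.join(windir, "System32")
    existing = {
        p for p in (expand(i, windir, sysdir) for i in DROPPED_FILES)
        if os.path.exists(p)
    }
    run_values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            data, _ = winreg.QueryValueEx(key, RUN_VALUE_NAME)
            run_values[RUN_VALUE_NAME] = data
    except OSError:
        pass  # value absent: no startup hook
    return HostState(windir, sysdir, existing, run_values)


# Constructed snapshot of an infected host (not real telemetry), so the
# check can be exercised offline; use collect_live_state() on a real box.
SAMPLE_INFECTED = HostState(
    windir=r"C:\WINDOWS",
    sysdir=r"C:\WINDOWS\system32",
    existing_paths={
        r"c:\windows\sysconf32.exe",
        r"c:\stplogs.vbs",
        r"c:\windows\system32\systembck",
    },
    run_values={RUN_VALUE_NAME: r"C:\WINDOWS\Sysconf32.exe"},
)

if __name__ == "__main__":
    for line in check_noomy(SAMPLE_INFECTED):
        print(line)
```

Because the worm kills security tools by process name, a check like this is most useful when run from a context the worm does not enumerate (an offline-mounted disk or a remote registry read) rather than as a long-running agent on the infected host.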

Symptoms

  • Upon being run, the worm displays an error message (shown as an image in the original description; not reproduced here)
  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

Method of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

  • dbx
  • htm
  • html
  • php

The virus avoids sending itself to addresses containing the following:

  • yahoo.com
  • mail.com
  • rock.com
  • hotmail.com
  • lycos.com
  • webmaster@
  • myownemail.com
  • fepg.net
  • bravenet.com
  • bluemountain.com
  • google.com
  • netaddress.com
  • iname.com
  • hushmail.com
  • bigfoot.com
  • rocketmail.com
  • Johnny McNatt
  • johnnyNik@
  • Monica Hays
  • monica2005@
  • Sandra
  • Kerry Henderson
  • kerrylove@
  • David Lewis
  • david.sw@
  • Jane McNatt
  • Jane.Mc@
  • Mail Service
  • mailservice@
  • Linda Goldstein
  • Linda1982@
  • Jill Saluck
  • jillsaluck@
  • Office Menager
  • office@
  • Webmaster
  • Sandra82@
  • Big Mymoon
  • mymoon@
  • Angelina
  • hot.angelina@
  • Cindy
  • cindy2005@
  • Britney
  • britney@

Process Termination

The virus enumerates running processes, and terminates those with the following filenames:

  • ANTI-TROJAN.EXE
  • _AVPM.EXE
  • _AVPCC.EXE
  • ACKWIN32.EXE
  • AckWin32.EXE
  • ADVXDWIN.EXE
  • AGENTSVR.EXE
  • agentw.EXE
  • ALERTSVC.EXE
  • ALOGSERV.EXE
  • AMON9X.EXE
  • ANTIVIRUS.EXE
  • APLICA32.EXE
  • apvxdwin.EXE
  • APVXDWIN.EXE
  • ATCON.EXE
  • ATGUARD.EXE
  • ATRO55EN.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AutoTrace.EXE
  • AUTOUPDATE.EXE
  • AVCONSOL.EXE
  • AVGCC32.EXE
  • CTRL.EXE
  • Avgctrl.EXE
  • AVGCTRL.EXE
  • AvgServ.EXE
  • AVGSERV.EXE
  • AVGSERV9.EXE
  • AVGW.EXE
  • avkpop.EXE
  • AvkServ.EXE
  • avkservice.EXE
  • avkwctl9.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPM.EXE
  • avpm.EXE
  • Avsched32.EXE
  • AVSYNMGR.EXE
  • AVWINNT.EXE
  • AVXMONITOR9X.EXE
  • AVXMONITORNT.EXE
  • AVXQUAR.EXE
  • AVXW.EXE
  • BD_PROFESSIONAL.EXE
  • BIDEF.EXE
  • BIDSERVER.EXE
  • BIPCP.EXE
  • BIPCPEVALSETUP.EXE
  • BISP.EXE
  • BLACKD.EXE
  • blackd.EXE
  • BLACKICE.EXE
  • BlackICE.EXE
  • BOOTWARN.EXE
  • BORG2.EXE
  • BS120.EXE
  • ccApp.EXE
  • ccEvtMgr.EXE
  • ccPxySvc.EXE
  • CDP.EXE
  • CFGWIZ.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • cleaner3.EXE
  • CLEANPC.EXE
  • CMGRDIAN.EXE
  • CMON016.EXE
  • CONNECTIONMONITOR.EXE
  • CPD.EXE
  • cpd.EXE
  • Claw95.EXE
  • CLAW95CF.EXE
  • Claw95cf.EXE
  • CLEAN.EXE
  • CLEANER.EXE
  • cleaner.EXE
  • CLEANER3.EXE
  • CPF9X206.EXE
  • CPFNT206.EXE
  • CV.EXE
  • CWNB181.EXE
  • CWNTDWMO.EXE
  • defalert.EXE
  • defscangui.EXE
  • DEFWATCH.EXE
  • DEPUTY.EXE
  • DOORS.EXE
  • DPF.EXE
  • DPFSETUP.EXE
  • DRWATSON.EXE
  • DRWEB32.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • EFPEADM.EXE
  • ENT.EXE
  • ESCANH95.EXE
  • ESCANHNT.EXE
  • ESCANV95.EXE
  • ETRUSTCIPE.EXE
  • EVPN.EXE
  • EXANTIVIRUS-CNET.EXE
  • EXPERT.EXE
  • F-AGNT95.EXE
  • fameh32.EXE
  • FAST.EXE
  • fch32.EXE
  • fih32.EXE
  • FIREWALL.EXE
  • FLOWPROTECTOR.EXE
  • fnrb32.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • FP-WIN.EXE
  • FP-WIN_TRIAL.EXE
  • FRW.EXE
  • fsaa.EXE
  • FSAV.EXE
  • fsav32.EXE
  • FSAV530STBYB.EXE
  • FSAV530WTBYB.EXE
  • FSAV95.EXE
  • fsgk32.EXE
  • fsm32.EXE
  • fsma32.EXE
  • fsmb32.EXE
  • F-STOPW.EXE
  • f-stopw.EXE
  • GBMENU.EXE
  • gbmenu.EXE
  • gbpoll.EXE
  • GBPOLL.EXE
  • GENERICS.EXE
  • GUARD.EXE
  • GUARDDOG.EXE
  • HACKTRACERSETUP.EXE
  • HTLOG.EXE
  • HWPE.EXE
  • IAMAPP.EXE
  • iamapp.EXE
  • IAMSERV.EXE
  • iamserv.EXE
  • IAMSTATS.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IFW2000.EXE
  • IOMON98.EXE
  • IPARMOR.EXE
  • IRIS.EXE
  • ISRV95.EXE
  • JAMMER.EXE
  • JEDI.EXE
  • KAVLITE40ENG.EXE
  • KAVPERS40ENG.EXE
  • KAVPF.EXE
  • KERIO-PF-213-EN-WIN.EXE
  • KERIO-WRL-421-EN-WIN.EXE
  • KERIO-WRP-421-EN-WIN.EXE
  • KILLPROCESSSETUP161.EXE
  • LDNETMON.EXE
  • LDPRO.EXE
  • LDPROMENU.EXE
  • LDSCAN.EXE
  • LOCALNET.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • lockdown2000.EXE
  • LSETUP.EXE
  • LUALL.EXE
  • LUAU.EXE
  • LUCOMSERVER.EXE
  • LUINIT.EXE
  • LUSPT.EXE
  • MCAGENT.EXE
  • MCMNHDLR.EXE
  • Mcshield.EXE
  • MCTOOL.EXE
  • NTVDM.EXE
  • MCUPDATE.EXE
  • MCVSRTE.EXE
  • MCVSSHLD.EXE
  • MFW2EN.EXE
  • MFWENG3.02D30.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • MGHTML.EXE
  • MGUI.EXE
  • MINILOG.EXE
  • MONITOR.EXE
  • Monitor.EXE
  • MOOLIVE.EXE
  • MPFAGENT.EXE
  • MPFSERVICE.EXE
  • MPFTRAY.EXE
  • MRFLUX.EXE
  • MSCONFIG.EXE
  • MSINFO32.EXE
  • MSSMMC32.EXE
  • MU0311AD.EXE
  • MWATCH.EXE
  • NAV80TRY.EXE
  • navapsvc.EXE
  • NAVAPSVC.EXE
  • NAVAPW32.EXE
  • NAVDX.EXE
  • NAVLU32.EXE
  • NAVSTUB.EXE
  • NAVW32.EXE
  • Navw32.EXE
  • NAVWNT.EXE
  • NC2000.EXE
  • NCINST4.EXE
  • NDD32.EXE
  • NEOMONITOR.EXE
  • NeoWatchLog.EXE
  • NETARMOR.EXE
  • NETINFO.EXE
  • NETMON.EXE
  • NETSCANPRO.EXE
  • NETSPYHUNTER-1.2.EXE
  • NETSTAT.EXE
  • NETUTILS.EXE
  • NISSERV.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORMIST.EXE
  • NORTON_INTERNET_SECU_3.0_407.EXE
  • notstart.EXE
  • NPF40_TW_98_NT_ME_2K.EXE
  • NPFMESSENGER.EXE
  • NPROTECT.EXE
  • npscheck.EXE
  • NPSSVC.EXE
  • NSCHED32.EXE
  • ntrtscan.EXE
  • NTXconfig.EXE
  • Nui.EXE
  • Nupgrade.EXE
  • NVARCH16.EXE
  • NVC95.EXE
  • nvsvc32.EXE
  • NWINST4.EXE
  • NWService.EXE
  • NWTOOL16.EXE
  • OSTRONET.EXE
  • OUTPOST.EXE
  • OUTPOSTINSTALL.EXE
  • OUTPOSTPROINSTALL.EXE
  • PADMIN.EXE
  • PANIXK.EXE
  • pavproxy.EXE
  • PAVPROXY.EXE
  • PCC2002S902.EXE
  • PCC2K_76_1436.EXE
  • PCCIOMON.EXE
  • pccntmon.EXE
  • pccwin97.EXE
  • PCCWIN98.EXE
  • PCDSETUP.EXE
  • PCFWALLICON.EXE
  • PCIP10117_0.EXE
  • pcscan.EXE
  • PDSETUP.EXE
  • PERISCOPE.EXE
  • PERSFW.EXE
  • PERSWF.EXE
  • PF2.EXE
  • PFWADMIN.EXE
  • PINGSCAN.EXE
  • PLATIN.EXE
  • POP3TRAP.EXE
  • POPROXY.EXE
  • POPSCAN.EXE
  • PORTDETECTIVE.EXE
  • PORTMONITOR.EXE
  • PPINUPDT.EXE
  • PPTBC.EXE
  • PPVSTOP.EXE
  • PROCESSMONITOR.EXE
  • PROCEXPLORERV1.0.EXE
  • PROGRAMAUDITOR.EXE
  • PROPORT.EXE
  • PROTECTX.EXE
  • PSPF.EXE
  • PURGE.EXE
  • PVIEW95.EXE
  • QCONSOLE.EXE
  • QSERVER.EXE
  • rapapp.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RAV8WIN32ENG.EXE
  • REALMON.EXE
  • REGEDIT.EXE
  • REGEDT32.EXE
  • RESCUE.EXE
  • RESCUE32.EXE
  • RRGUARD.EXE
  • RSHELL.EXE
  • RTVSCN95.EXE
  • RULAUNCH.EXE
  • SAFEWEB.EXE
  • SBSERV.EXE
  • sbserv.EXE
  • SCAN32.EXE
  • SCRSCAN.EXE
  • SD.EXE
  • SETUP_FLOWPROTECTOR_US.EXE
  • SETUPVAMEEVAL.EXE
  • SFC.EXE
  • SGSSFW32.EXE
  • SH.EXE
  • SHELLSPYINSTALL.EXE
  • SHN.EXE
  • SMC.EXE
  • SOFI.EXE
  • SPF.EXE
  • SPHINX.EXE
  • Sphinx.EXE
  • SPYXX.EXE
  • SS3EDIT.EXE
  • ST2.EXE
  • SUPFTRL.EXE
  • SUPPORTER5.EXE
  • SWEEP95.EXE
  • SWEEPSRV.SYS
  • SWNETSUP.EXE
  • SYMPROXYSVC.EXE
  • SymProxySvc.EXE
  • SYMTRAY.EXE
  • SYSEDIT.EXE
  • TASKMON.EXE
  • TAUMON.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • TDS-3.EXE
  • TFAK.EXE
  • TFAK5.EXE
  • TGBOB.EXE
  • TITANIN.EXE
  • TITANINXP.EXE
  • TRACERT.EXE
  • TRJSCAN.EXE
  • TRJSETUP.EXE
  • TROJANTRAP3.EXE
  • UNDOBOOT.EXE
  • UPDATE.EXE
  • VBCMSERV.EXE
  • vbcmserv.EXE
  • rtvscan.EXE
  • VBCONS.EXE
  • VbCons.EXE
  • VBUST.EXE
  • VBWIN9X.EXE
  • VBWINNTW.EXE
  • VCSETUP.EXE
  • VET32.EXE
  • VET95.EXE
  • Vet95.EXE
  • VETTRAY.EXE
  • VetTray.EXE
  • VFSETUP.EXE
  • VIR-HELP.EXE
  • vsmon.EXE
  • VIRUSMDPERSONALFIREWALL.EXE
  • VNLAN300.EXE
  • VNPC3000.EXE
  • VPC32.EXE
  • VPC42.EXE
  • VPFW30S.EXE
  • VPTRAY.EXE
  • VSCENU6.02D30.EXE
  • VSCHED.EXE
  • VSECOMR.EXE
  • vshwin32.EXE
  • VSISETUP.EXE
  • VSMAIN.EXE
  • VSMON.EXE
  • VSSTAT.EXE
  • VSWIN9XE.EXE
  • VSWINNTSE.EXE
  • VSWINPERSE.EXE
  • W32DSM89.EXE
  • W9X.EXE
  • WATCHDOG.EXE
  • WEBSCANX.EXE
  • WEBTRAP.EXE
  • WGFE95.EXE
  • WHOSWATCHINGME.EXE
  • WIMMUN32.EXE
  • WINRECON.EXE
  • WNT.EXE
  • WRADMIN.EXE
  • WrAdmin.EXE
  • WRCTRL.EXE
  • WrCtrl.EXE
  • WSBGATE.EXE
  • WYVERNWORKSFIREWALL.EXE
  • XPF202EN.EXE
  • ZAPRO.EXE
  • zapro.EXE
  • ZAPSETUP3001.EXE
  • ZATUTOR.EXE
  • ZAUINST.EXE
  • ZONALM2601.EXE
  • ZONEALARM.EXE
  • zonealarm.EXE
  • AVGNT.EXE
  • AVGUARD.EXE
  • AVWUPSRV.EXE

It also terminates processes whose names match the following patterns:

  • _avp*
  • ackwin32*
  • anti-trojan*
  • aplica32*
  • apvxdwin*
  • autodown*
  • avconsol*
  • ave32*
  • avgcc32*
  • avgctrl*
  • avgw*
  • avkserv*
  • avnt*
  • avp*
  • avsched32*
  • avwin95*
  • avwupd32*
  • blackd*
  • blackice*
  • bootwarn*
  • ccapp*
  • ccshtdwn*
  • cfiadmin*
  • cfiaudit*
  • cfind*
  • cfinet*
  • claw95*
  • dv95*
  • ecengine*
  • efinet32*
  • esafe*
  • espwatch*
  • f-agnt95*
  • fprot*
  • fprot95*
  • f-prot*
  • f-prot95*
  • fp-win*
  • frw*
  • f-stopw*
  • findviru*
  • gibe*
  • iamapp*
  • iamserv*
  • ibmasn*
  • ibmavsp*
  • icload95*
  • icloadnt*
  • icmon*
  • icmoon*
  • icssuppnt*
  • icsupp*
  • iface*
  • iomon98*
  • jedi*
  • kpfw32*
  • lockdown2000*
  • lookout*
  • luall*
  • moolive*
  • mpftray*
  • msconfig*
  • nai_vs_stat*
  • navapw32*
  • navlu32*
  • navnt*
  • navsched*
  • navw*
  • nisum*
  • nmain*
  • normist*
  • nupdate*
  • nupgrade*
  • nvc95*
  • tds2*
  • outpost*
  • padmin*
  • pavcl*
  • pavsched*
  • pavw*
  • pcciomon*
  • pccmain*
  • pccwin98*
  • pcfwallicon*
  • persfw*
  • pop3trap*
  • pview*
  • rav*
  • regedit*
  • rescue*
  • safeweb*
  • serv95*
  • sphinx*
  • sweep*
  • tca*
  • vcleaner*
  • vcontrol*
  • vet32*
  • vet95*
  • vet98*
  • vettray*
  • vscan*
  • vsecomr*
  • vshwin32*
  • vsstat*
  • webtrap*
  • wfindv32*
  • zapro*
  • zonealarm*
  • McVSEscn*
  • mcvsrte*
  • mcvsftsn*
  • mcvsshld*

Remote Access Component

This worm sets the infected machine up as a webserver, so that the links it sends (see IRC Propagation below) point at the copies of itself in the %SysDir%\SystemBck directory.

IRC Propagation

The worm connects to IRC servers and joins channels in order to spread. It sends one of the following messages, followed by a link to a copy of itself hosted on the infected machine:

  • want hot chix as ur screensaver? be sure to visit my private server while im on..
  • everyone interested in the newest cracks can visit my private server while im online.. there's other things on it too
  • download Britney Spears virual girl screensaver at my private server while im online..
  • see funny video of naked Bush while his drunk
  • download new version of Windows XP 2004 Keygen here
  • hey I found hot Britney Spears Dance Beat screen saver.. download on
  • Shakira Dancing virual girl , visit my private server while im online...
  • J-LO Nude (REAL!!) ScreenSaver :) hehe, visit my page
  • everyone interested to see new Ana Kurnikova hot ScreenSaver can visit my private server while im online.. there's other things on it too
  • you can download new 2004 Alicia Silverstone Nude screen saver at this page
  • i have big list of XXX passwords at my private server..you can see while im online
  • i have big list of URL porn Movies at my private server..you can see while im online
  • hey download FREE new 2004 ScreenSavers and much more..
  • i have big list of URL porn Pics Gallerys at my private server..you can see while im online..there's other things on it too
  • download new version of Microsoft Office XP (english) key generator here
  • i have new version Microsoft Office XP (english) key generator at my private webserver , you can download it while im online ;) here
  • new version of WinZip + crack , you can download at my webserver while im online ;)
  • new version of AVP crack , you can download at my webserver while im online ;)
  • new version of miRC crack , you can download at
  • hey ppl new version of N0RT0N ANTI-VIRUS 2004 (by mymoon) crack ,download here
  • ppl who need Nero Burning ROM v5.5.8.2 Keygen and muck more new cracks can download here
  • ppl new private warez server , all new cracks .. see..
  • hey dowload FREE nude screensavers here
  • hey see this private server.. cool download list..
  • best virual girls and cracks on net .. only at my private server :)
  • download hot virual girls from my private webserver , while im online...
  • download new cracks and screensavers from my private webserver , while im online...
  • hey ppl new worm on net, named 'i-worm.mymoon' you can download patch from my private server , while im online...
  • ppl download remove tool for new worm 'i-worm.mymoon' you can download here , while im online...
  • the antivirus company Sophos released a remove-tool for 'i-worm.mymoon' a new worm thats spreading fast on the internet.. protect your computer.. you can download it from me
  • J-LO Nude (REAL!!) new septembar 2004 ScreenSaver :) hehe, visit my page
  • the antivirus company Sophos released a remove-tool for 'i-worm.mymoon' a new worm thats spreading fast on the internet.. you can download here
  • who need new cracks and cool p-o-r-n screen savers go to my server...
  • ppl the anti-virus.com company released a remove-tool for 'i-worm.mymoon' a new worm thats spreading fast on the internet.. at my private webserver , you can download it while im online ;) here
  • i update my private server now.. add more cracks and lists,you can see here
  • my private server is updated now , you can download some new crack and screen savers and muck more.. visit
  • HELLO PPL hehee i update my private server today , add some new cracks and p-o-r-n lists .. visit :)
  • I ADD NEW XXX password list on my private server , you can download here
  • J-LO Nude 2004 Virual Girl:) visit page and download..
  • I ADD NEW p-o-r-n password list on my private server , you can download here
  • new virual GIRLS is now on my server :) you can download one or something else
  • Cracks and muck more programs and screensavers..FREE download
  • Britney Spears virual girl screensaver NEW VERSION download here
  • Shakira Dancing 2004 screen saver , download from this private server
  • want hot chix as ur screensaver? like J-LO or Britney Spears ?? download here
  • ahhaa funny video of naked Bush while his drunk hehe see here

Downloading Component

If MSWINSCK.OCX (the Microsoft Winsock control, a Visual Basic runtime component the worm depends on for its networking) is not present on the infected machine, it will download it from one of the following sites and then register it:

  • caraastuce123.free.fr
  • www.webmaxx.nl/uploads
  • utenti.lycos.it/lucianobr/dll
  • home.conceptsfa.nl/~juky_d/system
  • www.aasportsware.com/ftp
  • www.prorealtime.com/common/dde
  • www.non-ice.com/files
  • www.sharemation.com/tnt5/tnt
  • www.bluehill.com/support

Denial of Service Component

This worm may try to perform a denial of service attack against the following websites:

  • www.Microsoft.com
  • www.sophos.com
  • www.kaspersky.com

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).


Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

-- Update October 7th, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computeractive.co.uk/news/1158607

--

This is a mass-mailing worm with the following characteristics:

  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • sets up an HTTP server on the infected machine
  • terminates processes of various security software
  • downloads system files from remote sites if they are not already present on the machine
  • spreads itself via IRC
  • performs a DDoS on certain websites

The current DATs detect the executable portion of this virus as W32/Generic.d and the VBS portion as VBS/Cidco.gen.

Mail Propagation

Outgoing messages may be formatted as follows: (mass-mailing was not observed to function in testing)

Subject:

  • Re: eCard Delivery Error:
  • Re: VoiceMail to - Delivery Error
  • You`ve got 1 new eCard!
  • Re: Bad Request Server not found!
  • One new VoiceMail! ID:
  • One new eCard! ID:
  • ID: New eCard in your inbox!
  • ID: You got one VoiceMail! See online!
  • Num: One new eCard from
  • Num: One new VoiceMail from
  • Mail Delivery (error)
  • Re: Message Error! mail:
  • Bad Request Server not found!
  • Re:  Mail System Error - Returned Mail
  • Extended Mail System ERROR:
  • Re: Mail Delivery Error!
  • Protected Mail Server invalid!
  • Re: Mail Delivery: - Error
  • Re: MAIL Error num: - Returned mail: see transcript for details
  • Warning!!!
  • Why you SPAM?
  • Last notice! Regard ! Please read...
  • This is not OK !
  • Don't spam!!!!!
  • Question about YOUR SPAM!!
  • Information!You spam this email:
  • Last chance!STOP SPAM THIS EMAIL:
  • I call spam POLICE! STOP!!!

Body Text:

  • Dear Sir,
    According to our cognitions you have done next:
    The emails are still arriving...
    Stop to doing that,i call Spam Police!
    actually you have been buring our network and our right is to protect our users.
    Accourding to that you have been informed about this by phone by our System engineer,
    with this letter we want to point you to next facts:
    1) Your personal account is not restricted in any way and our right is to protect our users and servers;
    2) Server has been shuted down beacouse large amount of emails that have been arricing to our servers and beacouse of adequacy suspicion that it is a spam ramp.
    3) Unsubscribing system is not functioning!
    On unsubscribing attempt result is next:
    Persits.MailSender.4 error 84a0004'
    Connection timed out.
    ---------------------
    Email not found:
    According to part 10 of Personal servie terms of use we are authorized to warn you about this.
    As an evidence we have a LOG file fromour server that is clearly showing date and time when you about this.
    I send you LOG File , to see your IP Adress!
    have been sending spam emails, your IP address and your username!
    Please accept this warnning about sending informations to users and wrongly interpret our actions taken in your case as seriously as possible.
    If you don't accept this warning we will be forced to refer to our lawyers so we could protect our company intersts.
    If you don't understand anything in this email, please contact us via email or by phone for aditional explanations.
    Reply-To:
    According to computer criminal law of USA, act 168v, act you have done is judget to
    jail (1-8 years).
    Best regards,
    Office Manager
  • Dear Sir,i wait for your comment about it.
    You SPAM our email server:
    Thank You!
  • Dear Customer!
    You`ve got 1 eCard VoiceMessage from ecards.com website!
    You can listen your Virtual VoiceMessage at the following link:
    http://see.ecards.com/
    or by clicking the attached link:
    You can see your eCard at the following link:
    Send eCard VoiceMessage! Try our new eCard VoiceMessage Empire!
    Best regards: eCard.com Team (R).
  • Dear User!
    You have one new eCard Pic to your inbox at eCard.com
    Login ID:
    https://pics.ecard.com/
    Or by clicking the attached link:
    Thank you
  • One new Voice Message for you!
    From:
    Can see online: http://voice.ecard.com/
    Test our new service! Send you one voice message http://voice.ecards.com
    Best regards: eCard.com Team (R).
  • Delivery Failed ! Error:
    The original message was included as attachment
    ----- The following addresses had permanent fatal errors -----
    >>> DATA or --
    <<<400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
    --- From Server:
    >>> MAIL
    To:
    <<<400-aturner; -RMS-E-CRE, ACP file create failed
    <<<400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
    <<<400
    --- Attachment: ---
    Attachment: No Virus found
    Kaspersky AntiVirus - www.kaspersky.com

    Your message [was not or could not be] delivered because the destination'
     'was
    reachable within the allowed queue period. The amount of time
    From:
    a message is queued before it is returned depends on local configuration parameters.
    <<<< ---------------
    it is also possible that the computer is turned off, or does not have a mail system running right now.
    >>> Your message [was not or could not be] delivered within 3 days.
     <<< is not responding.
    Please reply to postmaster!
    <<<400 if you feel this message to be in error.
    >< Automatic message from:

Attachment: (with a final extension of .exe, .pif or .scr)

  • Sending.www.ecards.com
  • pics.ecards.com
  • see.ecards.com
  • voice.ecards.com
  • secure.ecards.com
  • ecardID.ecards.com
  • secpics.ecards.com
  • online.ecard.com
  • onlineSee.cards.com
  • pics.online.see.com
  • URL.ecard.php.SSEcxcsd
  • link.index.php.seeHere
  • file.URL.view.fDEd
  • LIVE.show.URL.see.phpAsVEd
  • log.file.
  • logs.
  • URL.Picture.php.Seeonline
  • -www.telekom.com
  • -www.usaeunet.com
  • -www.aol.com
  • -www.aol.abuse.co.com
  • -www.scg.net.com
  • -www.pttusa.com
  • -www.police.spam.com
  • -www.usapolice.com
  • -www.nic.uk.com
  • -www.webhosting.com
  • file.logs.
  • mail.log.
  • smtp.serverLog
  •  yahoo
  • -hotmail
  • -mailmail
  • FdfsECcdsaA.error.
  • Dde.view.
  • Nude.only.viewDFereS
  • -servise.error
  • Index.php.sEeeDSAD.not.found
  • vk.Only.error.found
  • private.mail.error2222442
  • Error.MSG.
  • e-mail.
  • unsent.mail.
  • msg.
  • mail.
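As an added example (not part of the McAfee description or its tooling), a gateway-side check in Python that flags attachments fitting the pattern above: a base name from the worm's list under a final .exe, .pif or .scr extension. The name table is a subset of the list above, the sample message is constructed, and treating entries that end in a dot as prefixes is an assumption about how the worm builds the full name.

```python
"""Mail-gateway check for the attachment pattern above: a base name from the worm's list
under a final .exe/.pif/.scr extension. Added example, not McAfee detection logic."""
import email
from email import policy

EXECUTABLE_EXTS = {".exe", ".pif", ".scr"}
# Subset of the attachment names quoted above; an entry ending in "." is a prefix
# (assumption: the worm appends further components before the executable extension).
NOOMY_NAMES = [
    "Sending.www.ecards.com", "pics.ecards.com", "see.ecards.com", "voice.ecards.com",
    "secure.ecards.com", "online.ecard.com", "URL.ecard.php.SSEcxcsd", "-www.aol.com",
    "link.index.php.seeHere", "URL.Picture.php.Seeonline", "smtp.serverLog",
    "log.file.", "logs.", "file.logs.", "mail.log.", "Error.MSG.", "e-mail.",
    "unsent.mail.", "msg.", "mail.",
]

def split_final_ext(filename):
    """Return (base, final extension): 'log.file.txt.exe' -> ('log.file.txt', '.exe')."""
    base, dot, ext = filename.rpartition(".")
    return (base, "." + ext) if dot else (filename, "")

def classify_attachment(filename):
    """Reason string if the filename fits the worm's pattern, else None."""
    base, ext = split_final_ext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return None
    lowered = base.lower()
    for name in NOOMY_NAMES:
        stem = name.rstrip(".").lower()
        if lowered == stem or lowered.startswith(stem + "."):
            return f"'{filename}' matches W32/Noomy.a@MM attachment name '{name}'"
    if "." in base:  # any other disguised double extension ending in an executable
        return f"'{filename}' uses a double extension ending in {ext}"
    return None

def scan_message(raw_bytes):
    """Walk every MIME part and collect findings for suspicious attachment names."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            reason = classify_attachment(filename)
            if reason:
                findings.append(reason)
    return findings

# Constructed sample resembling the bounce-style message quoted above (not a real capture).
SAMPLE_MESSAGE = b"""\
From: postmaster@mail.example.invalid
Subject: Delivery Failed ! Error:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The original message was included as attachment
--b1
Content-Type: application/octet-stream; name="see.ecards.com.scr"
Content-Disposition: attachment; filename="see.ecards.com.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_MESSAGE))
```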

Installation

The virus copies itself into the Windows directory as SYSCONF32.EXE. For example:
C:\WINDOWS\Sysconf32.exe (88,576 bytes)

It also creates other files in the root of the C: drive, to perform its functions:

  • C:\ReAd_ThiS_ShiT.txt (673 bytes - text file)
  • C:\StpLogs.vbs (2,465 bytes - VBS file for harvesting addresses from the local machine)

It creates the folder %SysDir%\SystemBck and copies itself there with the following filenames:

  • XboxIso2RomConverter.exe
  • Ageofempires2crack.exe
  • AgeOfMythologyISO.exe
  • BattlenetkeygeneratorWORKS.exe
  • BritneyspearsNude.scr
  • Burnout2CarRacing.exe
  • Cablemodemuncapper.exe
  • CloneCDcrack.exe
  • CloneCDallversionskeygenerator.exe
  • Copyprotectionremover.exe
  • Crazytaxicrack.exe
  • CuteFTPPro30.exe
  • DivXcodecv6.0.exe
  • DivXnewestversion.exe
  • DivXpatch-Increasesquality.exe
  • DivXprokeygenerator.exe
  • Doom3Beta.exe
  • DragonballZCOMPLETEepisodeguide.exe
  • DragonballZepisode1.exe
  • DragonballZshootout.exe
  • GamecubeEmulatorWORKS.exe
  • GrandPrix4crack.exe
  • Grandtheftauto3CD1crack.exe
  • GTA3crack.exe
  • Hackintoanycomputer.exe
  • Half-lifeONLINEkeygenerator.exe
  • Half-lifeWONkeygenerator.exe
  • J-LONudeREAL.scr
  • JediKnight2crack.exe
  • KaZaAhack.exe
  • FIFA2004crack.exe
  • NBA2004crack.exe
  • AquaNox2crack.exe
  • UT2003bloodpatch.exe
  • Unreal2bloodpatch.exe
  • Battlefield1942bloodpatch.exe
  • AVPCrackNEW.exe
  • zoneallarmprocrack2004.exe
  • counterstrikerkeygen2004.exe
  • warcraft3keygen.exe
  • windowskeygenNEWSeptember2004.exe
  • officexppatch2004.exe
  • haloonpc.exe
  • HotmailPasswordHacker2004.exe
  • MailBomberv8.1.exe
  • 2004serials.pif
  • hackershandbook.pif
  • anarchistcookbook.pif
  • MacromediaDreamweaverMXKeyGenerator.exe
  • MacromediaFlashMXKeyGenerator.exe
  • MacromediaMXkeygeneratorallproducts.exe
  • MafiaISO.exe
  • McAfeeFirewall3.exe
  • Microsoftkeygeneratorworksfor.exe
  • MicrosoftOfficeXPenglishkeygenerator.exe
  • MicrosoftOfficeXPiso.exe
  • MicrosoftWindowsXPcrackpack.exe
  • MotorcrossMadness2.exe
  • N0RT0NANTIVIRUS2004.exe
  • Neverwinternightscrack.exe
  • Nokiasimlockremoverincludesnewmodels.exe
  • Nortonantivirus2002.exe
  • Rayman2Full.exe
  • ResidentEvilDivX.exe
  • Starwarsepisode2downloader.exe
  • TotalImmersionRacingISO.exe
  • Warcraft3battlenetserialgenerator.exe
  • Warcraft3ONLINEkeygenerator.exe
  • WinAPs2.exe
  • WindowsXPkeygenerator.exe
  • WindowsXPserialgenerator.exe
  • WindowsXPSP1key-Crack.exe
  • Winrarandcrack.exe
  • Winzip80serial.exe
  • WorkingIsoBurner.exe
  • XBOXemulatorWORKS.exe
  • Xboxinfo.exe
  • AnaKurnikovaVirualGirl2004.scr
  • Battlefield1942Bloodpatch.exe
  • AngelinaRealScreenSaver.scr
  • CounterStrikeHLDSv1.1.0.9.exe
  • DVDCoppierv1.5.7byCrash2004.exe
  • FunnyBush2004movieSeptember.scr
  • DVDRipperv1.3.2byCrash2004.exe
  • iWormMymoonremovetool2.5.exe
  • EvidenceEraserbyCrash2004.exe
  • McAffeeUtilitiesv3.11FinalbyR2P2K.exe
  • McAffeeUtilitiesv3.11byR2P2K.exe
  • NeroBurningROMv5.5.8.2Keygen.exe
  • NeroBurningROMv5.5.8.2Serial.exe
  • NeroBurningROMv5.5.8.2byCooKie.exe
  • SpyAgentRemoteControl1.05.exe
  • SpyCamv6.32.exe
  • SpyTechSpyAgentPersonalv3.00.00byAmoK.exe
  • StarCraftBroodWarv1.09byFR.exe
  • UnrealTournament2bloodpatch.exe
  • UnrealTournament2004Bloodpatch.exe
  • Windows2004Keygen.exe
  • WindowsXPKeyGen.exe
  • YahooPasswordHacker2004BF.exe
  • ZoneAlarmProv3.0.2.6byOrion.exe
  • Generalscrack.exe
  • Mirc7.0Crack.exe
  • NapsterClone.exe
  • PlayGamesOnlineForFREE.exe
  • Ps2Emulator.exe
  • Ps2Iso2RomConverter.exe
  • ShakiraDancing.scr
  • SoldierOfFortune2MutiplayerSerialHack.exe
  • SystemMonitor.exe
  • TheSimsGameCrack.exe
  • UniversalGameCrack.exe
  • Warcraft3Battle.netCrack.exe
  • XboxEmulator.exe
  • 1001nesroms.exe
  • windowsxpkeygen.exe
  • deadaim4.0.exe
  • deadaim4.0serial.exe
  • counterstrikemaphack.exe
  • counterstrikeaim_bot.exe
  • AliciaSilverstonePayboyNude.scr
  • Bingo.exe
  • BritneySpearsDanceBeat.scr
  • DDosClient2005.exe
  • EmailBomber447.exe
  • FileServer.exe
  • FlashGolf.exe
  • FreeMpegsLists.pif
  • FreePicsList.pif
  • FreePornLists.pif
  • HoesForYouSolitare.exe
  • J.LoBikiniScreensaver.scr
  • JennaJamisonDildoHumping.scr
  • KamaSutraTetris.exe
  • KazaaClone.exe
  • KaZaAmediadesktopv2.0UNOFFICIAL.exe
  • KaZaAspywareremover.exe
  • KeygeneratorforallwindowsXPversions.exe
  • Keygeneratorforoverreally.exe

The following Registry key is added to hook system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows HTML file reader" = %WinDir%\Sysconf32.exe
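As an added example that is not part of the description, a Python triage script for the installation artifacts listed above (the Run value, Sysconf32.exe, the two dropped files and the SystemBck copies). It assumes an NT-family layout where %SysDir% is system32; the snapshot at the bottom is constructed, and collect_state() only works when run on the Windows host being examined.

```python
"""Host triage for the W32/Noomy.a@MM artifacts listed above (Run value, Sysconf32.exe,
the two dropped files, SystemBck copies). Added example, not McAfee tooling."""
import ntpath
import os

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Windows HTML file reader"
DROPPED_FILES = [r"C:\ReAd_ThiS_ShiT.txt", r"C:\StpLogs.vbs"]
COPY_EXTS = (".exe", ".scr", ".pif")  # extensions used by the copies in SystemBck

def check_state(run_values, existing_paths, systembck_listing,
                windir=r"C:\WINDOWS", sysdir=r"C:\WINDOWS\system32"):
    """Pure check over a snapshot: run_values = {name: data} from the HKLM Run key,
    existing_paths = absolute paths seen on disk, systembck_listing = filenames in
    %SysDir%/SystemBck or None if that folder is absent. Returns finding strings."""
    findings = []
    present = {p.lower() for p in existing_paths}
    data = run_values.get(RUN_VALUE_NAME)
    if data is not None:
        target = ntpath.basename(data.strip('"')).lower()
        if target == "sysconf32.exe":
            findings.append(f"Run value '{RUN_VALUE_NAME}' launches {data}")
        else:
            findings.append(f"Run value '{RUN_VALUE_NAME}' exists but points at {data}")
    for path in [ntpath.join(windir, "Sysconf32.exe")] + DROPPED_FILES:
        if path.lower() in present:
            findings.append(f"dropped file present: {path}")
    if systembck_listing is not None:
        copies = [f for f in systembck_listing if f.lower().endswith(COPY_EXTS)]
        findings.append(f"{ntpath.join(sysdir, 'SystemBck')} exists with "
                        f"{len(copies)} executable copies")
    return findings

def collect_state():
    """Live collection on the examined host (Windows only)."""
    import winreg
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    sysdir = ntpath.join(windir, "system32")  # assumption: NT-family layout (SYSTEM on 9x/ME)
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            run_values[name] = str(data)
            index += 1
    candidates = [ntpath.join(windir, "Sysconf32.exe")] + DROPPED_FILES
    existing = {p for p in candidates if os.path.exists(p)}
    bck = ntpath.join(sysdir, "SystemBck")
    listing = os.listdir(bck) if os.path.isdir(bck) else None
    return run_values, existing, listing, windir, sysdir

# Constructed snapshot of an infected XP host (not captured from a real machine).
SAMPLE_RUN = {RUN_VALUE_NAME: r"C:\WINDOWS\Sysconf32.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_PATHS = {r"C:\WINDOWS\Sysconf32.exe", r"C:\StpLogs.vbs"}
SAMPLE_BCK = ["XboxIso2RomConverter.exe", "BritneyspearsNude.scr", "desktop.ini"]

if __name__ == "__main__":
    for line in check_state(SAMPLE_RUN, SAMPLE_PATHS, SAMPLE_BCK):
        print(line)
```

On a live host, feed the tuple from collect_state() straight into check_state(*collect_state()).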

Symptoms

  • Upon being run, the worm displays the following error message:


  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

Method of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

  • dbx
  • htm
  • html
  • php

The virus avoids sending itself to addresses containing the following:

  • yahoo.com
  • mail.com
  • rock.com
  • hotmail.com
  • lycos.com
  • webmaster@
  • myownemail.com
  • fepg.net
  • bravenet.com
  • bluemountain.com
  • google.com
  • netaddress.com
  • iname.com
  • hushmail.com
  • bigfoot.com
  • rocketmail.com
  • Johnny McNatt
  • johnnyNik@
  • Monica Hays
  • monica2005@
  • Sandra
  • Kerry Henderson
  • kerrylove@
  • David Lewis
  • david.sw@
  • Jane McNatt
  • Jane.Mc@
  • Mail Service
  • mailservice@
  • Linda Goldstein
  • Linda1982@
  • Jill Saluck
  • jillsaluck@
  • Office Menager
  • office@
  • Webmaster
  • Sandra82@
  • Big Mymoon
  • mymoon@
  • Angelina
  • hot.angelina@
  • Cindy
  • cindy2005@
  • Britney
  • britney@

Process Termination

The virus enumerates running processes, and terminates those with the following filenames:

  • ANTI-TROJAN.EXE
  • _AVPM.EXE
  • _AVPCC.EXE
  • ACKWIN32.EXE
  • AckWin32.EXE
  • ADVXDWIN.EXE
  • AGENTSVR.EXE
  • agentw.EXE
  • ALERTSVC.EXE
  • ALOGSERV.EXE
  • AMON9X.EXE
  • ANTIVIRUS.EXE
  • APLICA32.EXE
  • apvxdwin.EXE
  • APVXDWIN.EXE
  • ATCON.EXE
  • ATGUARD.EXE
  • ATRO55EN.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AutoTrace.EXE
  • AUTOUPDATE.EXE
  • AVCONSOL.EXE
  • AVGCC32.EXE
  • CTRL.EXE
  • Avgctrl.EXE
  • AVGCTRL.EXE
  • AvgServ.EXE
  • AVGSERV.EXE
  • AVGSERV9.EXE
  • AVGW.EXE
  • avkpop.EXE
  • AvkServ.EXE
  • avkservice.EXE
  • avkwctl9.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPM.EXE
  • avpm.EXE
  • Avsched32.EXE
  • AVSYNMGR.EXE
  • AVWINNT.EXE
  • AVXMONITOR9X.EXE
  • AVXMONITORNT.EXE
  • AVXQUAR.EXE
  • AVXW.EXE
  • BD_PROFESSIONAL.EXE
  • BIDEF.EXE
  • BIDSERVER.EXE
  • BIPCP.EXE
  • BIPCPEVALSETUP.EXE
  • BISP.EXE
  • BLACKD.EXE
  • blackd.EXE
  • BLACKICE.EXE
  • BlackICE.EXE
  • BOOTWARN.EXE
  • BORG2.EXE
  • BS120.EXE
  • ccApp.EXE
  • ccEvtMgr.EXE
  • ccPxySvc.EXE
  • CDP.EXE
  • CFGWIZ.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • cleaner3.EXE
  • CLEANPC.EXE
  • CMGRDIAN.EXE
  • CMON016.EXE
  • CONNECTIONMONITOR.EXE
  • CPD.EXE
  • cpd.EXE
  • Claw95.EXE
  • CLAW95CF.EXE
  • Claw95cf.EXE
  • CLEAN.EXE
  • CLEANER.EXE
  • cleaner.EXE
  • CLEANER3.EXE
  • CPF9X206.EXE
  • CPFNT206.EXE
  • CV.EXE
  • CWNB181.EXE
  • CWNTDWMO.EXE
  • defalert.EXE
  • defscangui.EXE
  • DEFWATCH.EXE
  • DEPUTY.EXE
  • DOORS.EXE
  • DPF.EXE
  • DPFSETUP.EXE
  • DRWATSON.EXE
  • DRWEB32.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • EFPEADM.EXE
  • ENT.EXE
  • ESCANH95.EXE
  • ESCANHNT.EXE
  • ESCANV95.EXE
  • ETRUSTCIPE.EXE
  • EVPN.EXE
  • EXANTIVIRUS-CNET.EXE
  • EXPERT.EXE
  • F-AGNT95.EXE
  • fameh32.EXE
  • FAST.EXE
  • fch32.EXE
  • fih32.EXE
  • FIREWALL.EXE
  • FLOWPROTECTOR.EXE
  • fnrb32.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • FP-WIN.EXE
  • FP-WIN_TRIAL.EXE
  • FRW.EXE
  • fsaa.EXE
  • FSAV.EXE
  • fsav32.EXE
  • FSAV530STBYB.EXE
  • FSAV530WTBYB.EXE
  • FSAV95.EXE
  • fsgk32.EXE
  • fsm32.EXE
  • fsma32.EXE
  • fsmb32.EXE
  • F-STOPW.EXE
  • f-stopw.EXE
  • GBMENU.EXE
  • gbmenu.EXE
  • gbpoll.EXE
  • GBPOLL.EXE
  • GENERICS.EXE
  • GUARD.EXE
  • GUARDDOG.EXE
  • HACKTRACERSETUP.EXE
  • HTLOG.EXE
  • HWPE.EXE
  • IAMAPP.EXE
  • iamapp.EXE
  • IAMSERV.EXE
  • iamserv.EXE
  • IAMSTATS.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IFW2000.EXE
  • IOMON98.EXE
  • IPARMOR.EXE
  • IRIS.EXE
  • ISRV95.EXE
  • JAMMER.EXE
  • JEDI.EXE
  • KAVLITE40ENG.EXE
  • KAVPERS40ENG.EXE
  • KAVPF.EXE
  • KERIO-PF-213-EN-WIN.EXE
  • KERIO-WRL-421-EN-WIN.EXE
  • KERIO-WRP-421-EN-WIN.EXE
  • KILLPROCESSSETUP161.EXE
  • LDNETMON.EXE
  • LDPRO.EXE
  • LDPROMENU.EXE
  • LDSCAN.EXE
  • LOCALNET.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • lockdown2000.EXE
  • LSETUP.EXE
  • LUALL.EXE
  • LUAU.EXE
  • LUCOMSERVER.EXE
  • LUINIT.EXE
  • LUSPT.EXE
  • MCAGENT.EXE
  • MCMNHDLR.EXE
  • Mcshield.EXE
  • MCTOOL.EXE
  • NTVDM.EXE
  • MCUPDATE.EXE
  • MCVSRTE.EXE
  • MCVSSHLD.EXE
  • MFW2EN.EXE
  • MFWENG3.02D30.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • MGHTML.EXE
  • MGUI.EXE
  • MINILOG.EXE
  • MONITOR.EXE
  • Monitor.EXE
  • MOOLIVE.EXE
  • MPFAGENT.EXE
  • MPFSERVICE.EXE
  • MPFTRAY.EXE
  • MRFLUX.EXE
  • MSCONFIG.EXE
  • MSINFO32.EXE
  • MSSMMC32.EXE
  • MU0311AD.EXE
  • MWATCH.EXE
  • NAV80TRY.EXE
  • navapsvc.EXE
  • NAVAPSVC.EXE
  • NAVAPW32.EXE
  • NAVDX.EXE
  • NAVLU32.EXE
  • NAVSTUB.EXE
  • NAVW32.EXE
  • Navw32.EXE
  • NAVWNT.EXE
  • NC2000.EXE
  • NCINST4.EXE
  • NDD32.EXE
  • NEOMONITOR.EXE
  • NeoWatchLog.EXE
  • NETARMOR.EXE
  • NETINFO.EXE
  • NETMON.EXE
  • NETSCANPRO.EXE
  • NETSPYHUNTER-1.2.EXE
  • NETSTAT.EXE
  • NETUTILS.EXE
  • NISSERV.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORMIST.EXE
  • NORTON_INTERNET_SECU_3.0_407.EXE
  • notstart.EXE
  • NPF40_TW_98_NT_ME_2K.EXE
  • NPFMESSENGER.EXE
  • NPROTECT.EXE
  • npscheck.EXE
  • NPSSVC.EXE
  • NSCHED32.EXE
  • ntrtscan.EXE
  • NTXconfig.EXE
  • Nui.EXE
  • Nupgrade.EXE
  • NVARCH16.EXE
  • NVC95.EXE
  • nvsvc32.EXE
  • NWINST4.EXE
  • NWService.EXE
  • NWTOOL16.EXE
  • OSTRONET.EXE
  • OUTPOST.EXE
  • OUTPOSTINSTALL.EXE
  • OUTPOSTPROINSTALL.EXE
  • PADMIN.EXE
  • PANIXK.EXE
  • pavproxy.EXE
  • PAVPROXY.EXE
  • PCC2002S902.EXE
  • PCC2K_76_1436.EXE
  • PCCIOMON.EXE
  • pccntmon.EXE
  • pccwin97.EXE
  • PCCWIN98.EXE
  • PCDSETUP.EXE
  • PCFWALLICON.EXE
  • PCIP10117_0.EXE
  • pcscan.EXE
  • PDSETUP.EXE
  • PERISCOPE.EXE
  • PERSFW.EXE
  • PERSWF.EXE
  • PF2.EXE
  • PFWADMIN.EXE
  • PINGSCAN.EXE
  • PLATIN.EXE
  • POP3TRAP.EXE
  • POPROXY.EXE
  • POPSCAN.EXE
  • PORTDETECTIVE.EXE
  • PORTMONITOR.EXE
  • PPINUPDT.EXE
  • PPTBC.EXE
  • PPVSTOP.EXE
  • PROCESSMONITOR.EXE
  • PROCEXPLORERV1.0.EXE
  • PROGRAMAUDITOR.EXE
  • PROPORT.EXE
  • PROTECTX.EXE
  • PSPF.EXE
  • PURGE.EXE
  • PVIEW95.EXE
  • QCONSOLE.EXE
  • QSERVER.EXE
  • rapapp.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • RAV8WIN32ENG.EXE
  • REALMON.EXE
  • REGEDIT.EXE
  • REGEDT32.EXE
  • RESCUE.EXE
  • RESCUE32.EXE
  • RRGUARD.EXE
  • RSHELL.EXE
  • RTVSCN95.EXE
  • RULAUNCH.EXE
  • SAFEWEB.EXE
  • SBSERV.EXE
  • sbserv.EXE
  • SCAN32.EXE
  • SCRSCAN.EXE
  • SD.EXE
  • SETUP_FLOWPROTECTOR_US.EXE
  • SETUPVAMEEVAL.EXE
  • SFC.EXE
  • SGSSFW32.EXE
  • SH.EXE
  • SHELLSPYINSTALL.EXE
  • SHN.EXE
  • SMC.EXE
  • SOFI.EXE
  • SPF.EXE
  • SPHINX.EXE
  • Sphinx.EXE
  • SPYXX.EXE
  • SS3EDIT.EXE
  • ST2.EXE
  • SUPFTRL.EXE
  • SUPPORTER5.EXE
  • SWEEP95.EXE
  • SWEEPSRV.SYS
  • SWNETSUP.EXE
  • SYMPROXYSVC.EXE
  • SymProxySvc.EXE
  • SYMTRAY.EXE
  • SYSEDIT.EXE
  • TASKMON.EXE
  • TAUMON.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • TDS-3.EXE
  • TFAK.EXE
  • TFAK5.EXE
  • TGBOB.EXE
  • TITANIN.EXE
  • TITANINXP.EXE
  • TRACERT.EXE
  • TRJSCAN.EXE
  • TRJSETUP.EXE
  • TROJANTRAP3.EXE
  • UNDOBOOT.EXE
  • UPDATE.EXE
  • VBCMSERV.EXE
  • vbcmserv.EXE
  • rtvscan.EXE
  • VBCONS.EXE
  • VbCons.EXE
  • VBUST.EXE
  • VBWIN9X.EXE
  • VBWINNTW.EXE
  • VCSETUP.EXE
  • VET32.EXE
  • VET95.EXE
  • Vet95.EXE
  • VETTRAY.EXE
  • VetTray.EXE
  • VFSETUP.EXE
  • VIR-HELP.EXE
  • vsmon.EXE
  • VIRUSMDPERSONALFIREWALL.EXE
  • VNLAN300.EXE
  • VNPC3000.EXE
  • VPC32.EXE
  • VPC42.EXE
  • VPFW30S.EXE
  • VPTRAY.EXE
  • VSCENU6.02D30.EXE
  • VSCHED.EXE
  • VSECOMR.EXE
  • vshwin32.EXE
  • VSISETUP.EXE
  • VSMAIN.EXE
  • VSMON.EXE
  • VSSTAT.EXE
  • VSWIN9XE.EXE
  • VSWINNTSE.EXE
  • VSWINPERSE.EXE
  • W32DSM89.EXE
  • W9X.EXE
  • WATCHDOG.EXE
  • WEBSCANX.EXE
  • WEBTRAP.EXE
  • WGFE95.EXE
  • WHOSWATCHINGME.EXE
  • WIMMUN32.EXE
  • WINRECON.EXE
  • WNT.EXE
  • WRADMIN.EXE
  • WrAdmin.EXE
  • WRCTRL.EXE
  • WrCtrl.EXE
  • WSBGATE.EXE
  • WYVERNWORKSFIREWALL.EXE
  • XPF202EN.EXE
  • ZAPRO.EXE
  • zapro.EXE
  • ZAPSETUP3001.EXE
  • ZATUTOR.EXE
  • ZAUINST.EXE
  • ZONALM2601.EXE
  • ZONEALARM.EXE
  • zonealarm.EXE
  • AVGNT.EXE
  • AVGUARD.EXE
  • AVWUPSRV.EXE

It also terminates processes which contain the following strings:

  • _avp*
  • ackwin32*
  • anti-trojan*
  • aplica32*
  • apvxdwin*
  • autodown*
  • avconsol*
  • ave32*
  • avgcc32*
  • avgctrl*
  • avgw*
  • avkserv*
  • avnt*
  • avp*
  • avsched32*
  • avwin95*
  • avwupd32*
  • blackd*
  • blackice*
  • bootwarn*
  • ccapp*
  • ccshtdwn*
  • cfiadmin*
  • cfiaudit*
  • cfind*
  • cfinet*
  • claw95*
  • dv95*
  • ecengine*
  • efinet32*
  • esafe*
  • espwatch*
  • f-agnt95*
  • fprot*
  • fprot95*
  • f-prot*
  • f-prot95*
  • fp-win*
  • frw*
  • f-stopw*
  • findviru*
  • gibe*
  • iamapp*
  • iamserv*
  • ibmasn*
  • ibmavsp*
  • icload95*
  • icloadnt*
  • icmon*
  • icmoon*
  • icssuppnt*
  • icsupp*
  • iface*
  • iomon98*
  • jedi*
  • kpfw32*
  • lockdown2000*
  • lookout*
  • luall*
  • moolive*
  • mpftray*
  • msconfig*
  • nai_vs_stat*
  • navapw32*
  • navlu32*
  • navnt*
  • navsched*
  • navw*
  • nisum*
  • nmain*
  • normist*
  • nupdate*
  • nupgrade*
  • nvc95*
  • tds2*
  • outpost*
  • padmin*
  • pavcl*
  • pavsched*
  • pavw*
  • pcciomon*
  • pccmain*
  • pccwin98*
  • pcfwallicon*
  • persfw*
  • pop3trap*
  • pview*
  • rav*
  • regedit*
  • rescue*
  • safeweb*
  • serv95*
  • sphinx*
  • sweep*
  • tca*
  • vcleaner*
  • vcontrol*
  • vet32*
  • vet95*
  • vet98*
  • vettray*
  • vscan*
  • vsecomr*
  • vshwin32*
  • vsstat*
  • webtrap*
  • wfindv32*
  • zapro*
  • zonealarm*
  • McVSEscn*
  • mcvsrte*
  • mcvsftsn*
  • mcvsshld*

Remote Access Component

This worm sets the infected machine up as a web server, so that it can send links to the files in the %SysDir%\SystemBck directory.

IRC Propagation

The worm connects to a list of IRC servers and channels in order to spread. It sends the following messages, plus a link to copies of itself on the infected machine:

  • want hot chix as ur screensaver? be sure to visit my private server while im on..
  • everyone interested in the newest cracks can visit my private server while im online.. there's other things on it too
  • download Britney Spears virual girl screensaver at my private server while im online..
  • see funny video of naked Bush while his drunk
  • download new version of Windows XP 2004 Keygen here
  • hey I found hot Britney Spears Dance Beat screen saver.. download on
  • Shakira Dancing virual girl , visit my private server while im online...
  • J-LO Nude (REAL!!) ScreenSaver :) hehe, visit my page
  • everyone interested to see new Ana Kurnikova hot ScreenSaver can visit my private server while im online.. there's other things on it too
  • you can download new 2004 Alicia Silverstone Nude screen saver at this page
  • i have big list of XXX passwords at my private server..you can see while im online
  • i have big list of URL porn Movies at my private server..you can see while im online
  • hey download FREE new 2004 ScreenSavers and much more..
  • i have big list of URL porn Pics Gallerys at my private server..you can see while im online..there's other things on it too
  • download new version of Microsoft Office XP (english) key generator here
  • i have new version Microsoft Office XP (english) key generator at my private webserver , you can download it while im online ;) here
  • new version of WinZip + crack , you can download at my webserver while im online ;)
  • new version of AVP crack , you can download at my webserver while im online ;)
  • new version of miRC crack , you can download at
  • hey ppl new version of N0RT0N ANTI-VIRUS 2004 (by mymoon) crack ,download here
  • ppl who need Nero Burning ROM v5.5.8.2 Keygen and muck more new cracks can download here
  • ppl new private warez server , all new cracks .. see..
  • hey dowload FREE nude screensavers here
  • hey see this private server.. cool download list..
  • best virual girls and cracks on net .. only at my private server :)
  • download hot virual girls from my private webserver , while im online...
  • download new cracks and screensavers from my private webserver , while im online...
  • hey ppl new worm on net, named 'i-worm.mymoon' you can download patch from my private server , while im online...
  • ppl download remove tool for new worm 'i-worm.mymoon' you can download here , while im online...
  • the antivirus company Sophos released a remove-tool for 'i-worm.mymoon' a new worm thats spreading fast on the internet.. protect your computer.. you can download it from me
  • J-LO Nude (REAL!!) new septembar 2004 ScreenSaver :) hehe, visit my page
  • the antivirus company Sophos released a remove-tool for 'i-worm.mymoon' a new worm thats spreading fast on the internet.. you can download here
  • who need new cracks and cool p-o-r-n screen savers go to my server...
  • ppl the anti-virus.com company released a remove-tool for 'i-worm.mymoon' a new worm thats spreading fast on the internet.. at my private webserver , you can download it while im online ;) here
  • i update my private server now.. add more cracks and lists,you can see here
  • my private server is updated now , you can download some new crack and screen savers and muck more.. visit
  • HELLO PPL hehee i update my private server today , add some new cracks and p-o-r-n lists .. visit :)
  • I ADD NEW XXX password list on my private server , you can download here
  • J-LO Nude 2004 Virual Girl:) visit page and download..
  • I ADD NEW p-o-r-n password list on my private server , you can download here
  • new virual GIRLS is now on my server :) you can download one or something else
  • Cracks and muck more programs and screensavers..FREE download
  • Britney Spears virual girl screensaver NEW VERSION download here
  • Shakira Dancing 2004 screen saver , download from this private server
  • want hot chix as ur screensaver? like J-LO or Britney Spears ?? download here
  • ahhaa funny video of naked Bush while his drunk hehe see here

Downloading Component

If MSWINSCK.OCX is not present on the infected machine, the worm downloads it from one of the following sites and then registers it.

  • caraastuce123.free.fr
  • www.webmaxx.nl/uploads
  • utenti.lycos.it/lucianobr/dll
  • home.conceptsfa.nl/~juky_d/system
  • www.aasportsware.com/ftp
  • www.prorealtime.com/common/dde
  • www.non-ice.com/files
  • www.sharemation.com/tnt5/tnt
  • www.bluehill.com/support

Denial of Service Component

This worm may try to perform a denial of service attack against the following websites:

  • www.Microsoft.com
  • www.sophos.com
  • www.kaspersky.com

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A