W32/Golten.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 11/12/2004
Length: Varies
Minimum DAT: 4407 (11/17/2004)
Updated DAT: 4418 (01/05/2005)
Minimum Engine: 5.1.00
Description Added: 11/15/2004
Description Modified: 11/17/2004 7:44 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update November 17, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

--

This worm may be installed via MS04-032 exploit code that was recently mass-mailed to many email addresses.  That message appears as follows:

Subject: Latest News about Arafat !!!
Body: Hello Guys, Latest News about Arafat! Unimaginable!!!!!!

The message contains an attachment, arafat_1.emf, which is simply an image, but the other attachment, arafat_2.emf, is a specially crafted EMF file that installs this worm on vulnerable systems. This attachment is detected as Exploit-MS04-032!gdi with the current DAT release.

The worm attempts to spread via the ADMIN$ share, connecting to accessible remote systems via existing credentials or attempting to use weak administrator passwords to gain access. The passwords contained in the virus body are as follows:

  • stgzs
  • security
  • super
  • oracle
  • secret
  • root
  • admin
  • password
  • passwd
  • pass
  • 88888888
  • 888888
  • 00000000
  • 000000
  • 11111111
  • 111111
  • 1111
  • fan@ing*
  • 54321
  • 654321
  • ~!@#
  • !@#$%^
  • !@#$%
  • !@#$
  • 12345!@#$%
  • 1234!@#$
  • 123!@#
  • 12345678
  • 1234567
  • 123456
  • 12345
  • 1234
  • 123
  • 12

The worm finds systems to infect by scanning the local class C subnet, looking for responding systems on the LAN.

Symptoms

The following files are added to the WINDOWS SYSTEM directory (such as c:\windows\system32) during infection:

  • Alerter.exe

The worm modifies the image path for the Alerter service:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter "ImagePath"
    • Old data: %SystemRoot%\System32\svchost.exe -k LocalService
    • New data: %SystemRoot%\System32\Alerter.exe

Other files are created in the WINDOWS SYSTEM directory:

  • SPO0LSV.EXE
  • sptres.dll
  • spc.exe (BackDoor-CJV.dr)

The following components are installed via the BackDoor-CJV dropper (spc.exe):

  • comwsock.dll (BackDoor-CJV)
  • dmsock.dll (BackDoor-CJV)
  • inetcfg.h (BackDoor-CJV data file)
  • mst.tlb (BackDoor-CJV data file)
  • SCardSer.exe (BackDoor-CJV)

A service is created by the BackDoor-CJV dropper.

  • Name: netlog
  • Image path: %SystemRoot%\system32\SCardSer.exe
  • Display name: Net Login Helper

The backdoor injects the dmsock.dll file into one of the following running processes:

  • lsass.exe
  • svchost.exe
  • explorer.exe
  • inetinfo.exe
  • qq.exe
  • msimn.exe
  • iexplore.exe
  • outlook.exe
  • msmsgs.exe
  • msnmsgr.exe

The DLL listens on a random TCP port.
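A read-only host triage script for the symptoms above, added here as an example (it is not part of the McAfee description). It checks the Alerter ImagePath, the netlog service, the dropped file names, and which process has dmsock.dll loaded; it assumes it runs elevated on the host under examination.

```powershell
# Added example (not from the McAfee description): read-only triage for the
# W32/Golten.worm / BackDoor-CJV indicators listed in the Symptoms section.
# Assumption: run elevated on the host being examined.
$sys = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. The Alerter service should still point at svchost.exe -k LocalService;
#    the worm rewrites ImagePath to %SystemRoot%\System32\Alerter.exe.
$alerterKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Alerter'
if (Test-Path $alerterKey) {
    $imagePath = (Get-ItemProperty -Path $alerterKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($imagePath -and $imagePath -notmatch 'svchost\.exe') {
        $findings += "Alerter ImagePath modified: $imagePath"
    }
}

# 2. The BackDoor-CJV dropper registers a 'netlog' service ('Net Login Helper').
$netlogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\netlog'
if (Test-Path $netlogKey) {
    $p = Get-ItemProperty -Path $netlogKey
    $findings += "Service 'netlog' present (DisplayName='$($p.DisplayName)', ImagePath='$($p.ImagePath)')"
}

# 3. Files the description says are dropped into the Windows system directory.
$dropped = 'Alerter.exe','SPO0LSV.EXE','sptres.dll','spc.exe',
           'comwsock.dll','dmsock.dll','inetcfg.h','mst.tlb','SCardSer.exe'
foreach ($name in $dropped) {
    $path = Join-Path $sys $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += "Dropped file present: $path ($($item.Length) bytes, written $($item.LastWriteTime))"
    }
}

# 4. dmsock.dll is injected into a host process; find any process that has it loaded.
#    Module enumeration can throw for protected or cross-bitness processes, so
#    each process is checked in its own try/catch.
$injected = Get-Process | Where-Object {
    try { $_.Modules | Where-Object { $_.ModuleName -ieq 'dmsock.dll' } } catch { $false }
}
foreach ($proc in $injected) {
    $findings += "dmsock.dll loaded in $($proc.ProcessName) (PID $($proc.Id))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Golten.worm / BackDoor-CJV indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

The Alerter service exists only on Windows 2000/XP/Server 2003-era hosts, so on later systems that check is simply skipped while the file, service and module checks still apply.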

Method of Infection

This worm spreads via accessible network shares.  The worm drops several files, including sptres.dll, which it injects into the EXPLORER.EXE process.  This is the main worm component.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • BackDoor-CJV
  • W32.Scard (Symantec)
  • W32/Aler.A.worm (Panda)
  • W32/Golten.worm.a
  • Worm.Win32.Aler (AVP)
  • WORM_GOLTEN.A (Trend)
