McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

--Update 11/24/2004

This virus has been updated to Low-Profiled due to media attention at   http://www.webuser.co.uk/news/59666.html .

--

This is a mass-mailing worm written in MSVC which contains its own SMTP engine to construct outgoing messages.   

The virus arrives in an email message as follows:

From: (Spoofed email sender)

Do not assume that the sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

• World_Tour_Sun_YanZi
• Sun_Yanzi_Mp3
• Huai_Tian_Qi
• Forever Sun Yanzi
• SuN_YanZi_innocent
• I_hate_Spyware
• Sun-YanZi-Mp3-Archive
• Sun_YanZi_Hayrani
• Hoscakal
• Stefanie Sun Yanzi
• Sun_Yan_Zi
• Sun-YanZi
• Asia_Singer
• Sun_YanZi_HayranI
• Sun_YanZi

Body:  (Varies, such as)  

• Please listen to me Stefanie Sun Yanzi.
• I can not contact you. Because, I am far to you(Turkiye)
• I want to see Sun YanZi. Call me Sun Yan Zi ;)
• My Favourite Singer is Stefanie Sun Yanzi
• I want to meet Sun YanZi. I am loving Sun-YanZi's Magic. Call me YanZi. But you don't contact me(Turkiye).
• You must to listen Sun Yanzi. I am enjoying to listen Sun YanZi.

Attachment:

• Sun_Yan_Zi-Shen_Qi.mp3.pif
• Sun_YanZI.zip
• Dong_Shi.exe
• Yanzi.htm

Target email addresses are harvested from the victim machine. Files with the following extensions are searched:

• dbx
• adb
• asp
• jsp
• rtf
• doc
• xml
• txt
• htm
• html

The virus does not mail itself to email addresses containing the following strings:

• @milliyet
• @ntvmsnbc
• @hurriyetim
• @posta
• @aksam
• @sabah
• @erdemironline
• @erdemir
• @e-kolay
• @dostmail
• @mynet
• @superonline

When this file is run (manually), it copies itself to the Windows System directory as NVCPL.EXE.

• %SysDir% \NVCPL.EXE
  (Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It creates the following registry entry to hook Windows startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "NvCpl" = %SysDir% \NVCPL.EXE

Peer To Peer Propagation

The virus copies itself to folders on the victim machine that contain the string 'SHAR'. The following enticing filenames are used:

• Sun_YanZi-Mei_You_Ren_De_Fang_Xiang.avi.exe
• Sun_YanZi-Huai_Tian_Qi.mpg.exe
• Sun_YanZi-Tao_Wang.mpeg.exe
• Sun_YanZi-Shen_Qi.exe
• Sun_YanZi-I_am_not_sad.mp3.exe
• Sun_YanZi-Leave_me_alone.mp3.exe
• YanZi_SuN-forever.mp3.exe
• YanZi.Mp3.exe
• SunYanZi.mp3.exe

The virus also drops a VBS script which is detected as VBS/Inor by the current DATS.  This VBS script will drop image files of an popular Asian popstar into the victim's TEMP folder.  The script contains code to execute these JPG files as soon as they are dropped.  The 2 images displayed are as follows:

 

Symptoms

• Upon executing the virus, a dialogue is displayed as follows:

Existence of the files and registry entry listed above

Method of Infection

• This virus tries to spread via email.
• The virus copies itself to folders on the victim machine that contain the string 'SHAR'.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

--Update 11/24/2004

This virus has been updated to Low-Profiled due to media attention at   http://www.webuser.co.uk/news/59666.html .

--

This is a mass-mailing worm written in MSVC which contains its own SMTP engine to construct outgoing messages.   

The virus arrives in an email message as follows:

From: (Spoofed email sender)

Do not assume that the sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

• World_Tour_Sun_YanZi
• Sun_Yanzi_Mp3
• Huai_Tian_Qi
• Forever Sun Yanzi
• SuN_YanZi_innocent
• I_hate_Spyware
• Sun-YanZi-Mp3-Archive
• Sun_YanZi_Hayrani
• Hoscakal
• Stefanie Sun Yanzi
• Sun_Yan_Zi
• Sun-YanZi
• Asia_Singer
• Sun_YanZi_HayranI
• Sun_YanZi

Body:  (Varies, such as)  

• Please listen to me Stefanie Sun Yanzi.
• I can not contact you. Because, I am far to you(Turkiye)
• I want to see Sun YanZi. Call me Sun Yan Zi ;)
• My Favourite Singer is Stefanie Sun Yanzi
• I want to meet Sun YanZi. I am loving Sun-YanZi's Magic. Call me YanZi. But you don't contact me(Turkiye).
• You must to listen Sun Yanzi. I am enjoying to listen Sun YanZi.

Attachment:

• Sun_Yan_Zi-Shen_Qi.mp3.pif
• Sun_YanZI.zip
• Dong_Shi.exe
• Yanzi.htm

Target email addresses are harvested from the victim machine. Files with the following extensions are searched:

• dbx
• adb
• asp
• jsp
• rtf
• doc
• xml
• txt
• htm
• html

The virus does not mail itself to email addresses containing the following strings:

• @milliyet
• @ntvmsnbc
• @hurriyetim
• @posta
• @aksam
• @sabah
• @erdemironline
• @erdemir
• @e-kolay
• @dostmail
• @mynet
• @superonline

When this file is run (manually), it copies itself to the Windows System directory as NVCPL.EXE.

• %SysDir% \NVCPL.EXE
  (Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It creates the following registry entry to hook Windows startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run "NvCpl" = %SysDir% \NVCPL.EXE

Peer To Peer Propagation

The virus copies itself to folders on the victim machine that contain the string 'SHAR'. The following enticing filenames are used:

• Sun_YanZi-Mei_You_Ren_De_Fang_Xiang.avi.exe
• Sun_YanZi-Huai_Tian_Qi.mpg.exe
• Sun_YanZi-Tao_Wang.mpeg.exe
• Sun_YanZi-Shen_Qi.exe
• Sun_YanZi-I_am_not_sad.mp3.exe
• Sun_YanZi-Leave_me_alone.mp3.exe
• YanZi_SuN-forever.mp3.exe
• YanZi.Mp3.exe
• SunYanZi.mp3.exe

The virus also drops a VBS script which is detected as VBS/Inor by the current DATS.  This VBS script will drop image files of an popular Asian popstar into the victim's TEMP folder.  The script contains code to execute these JPG files as soon as they are dropped.  The 2 images displayed are as follows:

 

Symptoms

Symptoms -

• Upon executing the virus, a dialogue is displayed as follows:

Existence of the files and registry entry listed above

Method of Infection

Method of Infection -

• This virus tries to spread via email.
• The virus copies itself to folders on the victim machine that contain the string 'SHAR'.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A