W32/Anzae.worm.a

Type: Virus
SubType: E-mail
Discovery Date: 11/19/2004
Length: 49,331 bytes
Minimum DAT: 4410 (11/24/2004)
Updated DAT: 4637 (11/25/2005)
Minimum Engine: 5.1.00
Description Added: 11/23/2004
Description Modified: 11/24/2004 9:27 AM (PT)

Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

--Update 11/24/2004

The risk assessment for this virus has been raised to Low-Profiled because of media attention at http://www.webuser.co.uk/news/59666.html.

--

This is a mass-mailing worm written in Microsoft Visual Basic (MSVB) with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • spoofs the From: address of the messages it sends
  • sends itself as a Zip archive attachment
  • copies itself to drives C:, D:, E: and F:
  • deletes files with certain extensions (listed below)

Mail Propagation

The details are as follows:

Subject (any of the following; several are cut off in this description after a non-ASCII character, English gloss in brackets):

  • re:Crees que puede ser verdad? [Do you think it could be true?]
  • re:Amor verdadero [True love]
  • re:xD no me lo puedo creer!! [xD I can't believe it!!]
  • re:Dejate de rollos y viv [Stop messing around and live; truncated]
  • re:Psicolog [Psycholog...; truncated]
  • re:Neptuno y Mercurio [Neptune and Mercury]
  • re:La Luna [The Moon]
  • re:Voodoo un tanto ps... [Voodoo, somewhat ps...; truncated]
  • re:Eso con queso rima con...xD [That rhymes with "queso" (cheese)... xD]
  • re:Como el aire... [Like the air...]


Body Text (any of the following, English gloss in brackets):

  • No veas que cosas xD,luego me cuentas,chao. [You won't believe this stuff xD, tell me later, bye.]

  • Crees en el amor de verdad?,miralo y ya hablamos,ciaooo [Do you believe in true love? Look at it and we'll talk, byeee]

  • Ver es creer!!!!chaoo. [Seeing is believing!!!! byee.]

  • Mira lo que te mando y ya verás que los detalles más pequeños son los que importan,ciaoo [Look at what I'm sending you and you'll see that the smallest details are the ones that matter, byee]

  • Test para ver si andas bien de las neuronassss!xD,luego hablamos,chao. [A test to see if your neurons are working! xD, we'll talk later, bye.]

  • Que relación tienen estos planetas?,miralo y luego me cuentas,chao. [What is the relationship between these planets? Look at it and tell me later, bye.]

  • Esa moribunda y solitaria Luna,Impresionante!chao. [That dying, lonely Moon. Impressive! bye.]

  •  cierta la magia negra?,sal de dudas y ya me cuentas,chao. [...black magic real? Clear up your doubts and then tell me, bye.; first word missing in the source]

  • Renvalo a todo que es que se meannn xD,nos vemos! [Forward it to everyone, it's pee-your-pants funny xD, see you!]

  • No comment,xDD ,Nos vemos!! [No comment, xDD, see you!!]

Attachment (any of the following):

  • gnito.zip
  • Love-Me.zip
  • EL_rechazo.zip
  • My life(Mi vida).zip
  • quico-Mix.zip
  • Planetario.zip
  • Moon(Luna).zip
  • Voodoo!.zip
  • Rimaz.zip
  • Para-Brisas.zip
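The subject and attachment indicators above, turned into a mail-gateway check. This is an added example written for this page, not code from the original description or from McAfee. It uses only the standard-library email and zipfile modules, matches the listed subjects as prefixes (several are cut off in the description after a non-ASCII character), matches the listed attachment names, and, as an assumption the description does not state, flags a Zip attachment whose members carry an executable extension. The sample messages, addresses and Zip member names are constructed here.

```python
"""Gateway check for the W32/Anzae.worm.a mail indicators listed above.

Added example, not code from the original description. It parses a raw
message with the standard-library email package and reports: a subject
matching one of the listed subjects, an attachment with one of the listed
names, and a Zip attachment holding an executable-type member. The last
check is an assumption (the description says only that the attachment is a
Zip archive); the sample messages are constructed here.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subjects as given in the description. Several are cut off after a non-ASCII
# character there, so they are matched as prefixes rather than whole strings.
SUBJECT_PREFIXES = (
    "re:Crees que puede ser verdad?",
    "re:Amor verdadero",
    "re:xD no me lo puedo creer!!",
    "re:Dejate de rollos y viv",
    "re:Psicolog",
    "re:Neptuno y Mercurio",
    "re:La Luna",
    "re:Voodoo un tanto ps",
    "re:Eso con queso rima con...xD",
    "re:Como el aire...",
)
ATTACHMENT_NAMES = {
    "gnito.zip", "Love-Me.zip", "EL_rechazo.zip", "My life(Mi vida).zip",
    "quico-Mix.zip", "Planetario.zip", "Moon(Luna).zip", "Voodoo!.zip",
    "Rimaz.zip", "Para-Brisas.zip",
}
# Member types treated as executable inside a Zip (assumption; the worm's
# own copy is a .pif, so that extension is the certain one).
EXEC_EXT = (".pif", ".exe", ".scr", ".com", ".bat")


def zip_has_executable(data: bytes) -> bool:
    """True if the Zip lists any member with an executable extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXEC_EXT) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a Zip at all; leave it to other scanners


def classify(raw: bytes) -> list[str]:
    """Return the indicators that fire on one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg.get("subject", "")).strip()
    if any(subject.startswith(p) for p in SUBJECT_PREFIXES):
        hits.append(f"subject: {subject}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in ATTACHMENT_NAMES:
            hits.append(f"attachment name: {name}")
        if name.lower().endswith(".zip") and zip_has_executable(part.get_payload(decode=True)):
            hits.append(f"zip with executable member: {name}")
    return hits


def _zip_with(member: str) -> bytes:
    """Build an in-memory Zip holding one placeholder member (constructed, not the worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not the worm")
    return buf.getvalue()


def build_sample(subject: str, attachment: str, member: str) -> bytes:
    """Constructed message in the worm's shape; the From: stands in for a harvested address."""
    msg = EmailMessage()
    msg["From"] = "amiga@example.com"      # assumed; the worm spoofs a harvested address here
    msg["To"] = "destino@example.com"
    msg["Subject"] = subject
    msg.set_content("Crees en el amor de verdad?,miralo y ya hablamos,ciaooo")
    msg.add_attachment(_zip_with(member), maintype="application", subtype="zip", filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample("re:Amor verdadero", "Love-Me.zip", "Love-Me.pif")))
    print(classify(build_sample("Project status", "report.zip", "report.txt")))
```

A subject or attachment-name match is weak on its own, since those strings change with every variant; the Zip-with-executable-member check is the one worth keeping after this family is gone. Because the From: address is a harvested one, it must not be used to notify the supposed sender.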

The worm copies itself into the Windows System directory as SVCHOSL.PIF. For example:

  • C:\WINNT\SYSTEM32\SVCHOSL.PIF

The following Registry value is added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "svchost" = C:\Winnt\System32\SVCHOSL.PIF

The value name imitates the legitimate svchost.exe, but the genuine service host is never started from a Run value. Because the key is under HKEY_CURRENT_USER, the hook only fires for the user account that ran the worm.

Other files dropped into the %SysDir% folder:

  • C:\Winnt\System32\SW.EXE - contains a mail propagation routine
  • C:\Winnt\System32\SX.EXE - contains a mail propagation routine
  • C:\Winnt\System32\SZ.EXE - contains a mail propagation routine
  • C:\Winnt\System32\M.ZIP - contains a copy of the worm
  • C:\Winnt\System32\INZAX.EXE - contains the dialogues displayed to the user

The worm also deletes files with the following extensions from drives C:, D:, E: and F::

  • ASM
  • ASP
  • BDSPROJ
  • BMP
  • CPP
  • CS
  • CSPROJ
  • CSS
  • DOC
  • DPR
  • FRM
  • GIF
  • HTM
  • HTML
  • JPEG
  • JPG
  • MDB
  • MP3
  • NFM
  • NRG
  • PAS
  • PCX
  • PDF
  • PHP
  • PPT
  • RC
  • RC2
  • REG
  • RESX
  • RPT
  • SLN
  • TXT
  • VB
  • VBP
  • VBPROJ
  • WAV
  • XLS

Symptoms

  • When the worm is executed, the user is presented with Spanish-language dialogue messages (carried in INZAX.EXE; the dialogue text is not reproduced in this description)
  • Presence of the files and Registry value described above

Method of Infection

This worm constructs messages using its own SMTP engine. Target e-mail addresses are harvested from files on the victim machine (this description does not list the file extensions searched).

The worm spoofs the sender address by placing a harvested address in the From: field, so the apparent sender is another harvested contact and is not a reliable indicator of the infected host.

The worm copies itself to drives C:, D:, E: and F: using any of the following filenames:

  • inzae.pif
  • extasis8.pif
  • rd2_roberto.pif
  • ph003.pif
  • simbolic3.pif
  • sin_mas_menos.pif
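Offline triage for the host artefacts named in this description: the Run value, the files dropped into System32, the copies placed on drives C: to F:, and the 49,331-byte length from the header. This is an added example, not part of the original page. It takes a decoded text export of the HKCU Run key (what `reg export` produces) and mounted drive trees, so it runs against collected evidence rather than the live host; the .reg parsing, the length-based match for .pif files with unknown names, and the sample layout are assumptions made here.

```python
"""Offline triage for the W32/Anzae.worm.a artefacts listed above.

Added example, not part of the original description. It runs against
collected evidence rather than a live host: a text export of the
HKCU\\...\\Run key (what `reg export` produces, decoded to str) and mounted
drive trees. The file names, the Run value name and the 49,331-byte length
are from the description; the .reg parsing, the length-based match and the
sample data are constructed here.
"""
import os
import re
import tempfile
from pathlib import Path

WORM_LENGTH = 49_331  # bytes, from the description header
DROPPED = {"svchosl.pif", "sw.exe", "sx.exe", "sz.exe", "m.zip", "inzax.exe"}
DRIVE_COPIES = {
    "inzae.pif", "extasis8.pif", "rd2_roberto.pif",
    "ph003.pif", "simbolic3.pif", "sin_mas_menos.pif",
}
# One value line in a .reg export: "name"="data" (backslashes are doubled).
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def run_key_findings(reg_text: str) -> list[str]:
    """Report Run values that launch SVCHOSL.PIF, any .pif, or are named svchost.

    The real svchost.exe is never started from a Run value, so a value
    named "svchost" is worth a look whatever it points at.
    """
    findings = []
    for line in reg_text.splitlines():
        m = RUN_VALUE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        data = m.group("data").replace("\\\\", "\\").lower()
        if data.endswith("svchosl.pif"):
            findings.append(f"Run value {name!r} starts {data} (Anzae persistence)")
        elif data.endswith(".pif") or name.lower() == "svchost":
            findings.append(f"Run value {name!r} starts {data} (review)")
    return findings


def dropped_file_findings(system32: Path) -> list[str]:
    """Look for the files the worm drops in the System32 folder."""
    return [f"dropped file: {p}" for p in system32.iterdir()
            if p.is_file() and p.name.lower() in DROPPED]


def drive_copy_findings(drive_roots: list[Path]) -> list[str]:
    """Walk each drive for the known copy names, or any .pif of the worm's length."""
    findings = []
    for root in drive_roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                p = Path(dirpath, fname)
                by_name = fname.lower() in DRIVE_COPIES
                by_size = fname.lower().endswith(".pif") and p.stat().st_size == WORM_LENGTH
                if by_name or by_size:
                    why = "known name" if by_name else "length 49,331 bytes"
                    findings.append(f"worm copy ({why}): {p}")
    return findings


def demo() -> list[str]:
    """Constructed evidence: a fake .reg export and a fake drive layout."""
    reg_text = (
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
        '"ctfmon.exe"="C:\\\\WINNT\\\\System32\\\\ctfmon.exe"\n'      # benign, must not match
        '"svchost"="C:\\\\Winnt\\\\System32\\\\SVCHOSL.PIF"\n'
    )
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        system32 = base / "C" / "Winnt" / "System32"
        system32.mkdir(parents=True)
        (system32 / "SVCHOSL.PIF").write_bytes(b"\0" * WORM_LENGTH)
        (system32 / "SW.EXE").write_bytes(b"")
        (system32 / "M.ZIP").write_bytes(b"")
        (system32 / "kernel32.dll").write_bytes(b"")          # benign, must not match
        (base / "D").mkdir()
        (base / "D" / "inzae.pif").write_bytes(b"\0" * WORM_LENGTH)   # listed name
        (base / "D" / "notes.txt").write_bytes(b"")
        (base / "E" / "fotos").mkdir(parents=True)
        (base / "E" / "fotos" / "vacaciones.pif").write_bytes(b"\0" * WORM_LENGTH)  # unknown name, length only
        return (run_key_findings(reg_text)
                + dropped_file_findings(system32)
                + drive_copy_findings([base / "D", base / "E"]))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A length match on an arbitrary .pif is a pivot, not a verdict; confirm with the recommended engine and DAT detection before cleaning. The Run value named svchost is flagged even when it points elsewhere because the genuine service host is never launched that way.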
Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.
