McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

--Update 11/24/2004

This virus has been updated to Low-Profiled due to media attention at   http://www.webuser.co.uk/news/59666.html .

--

This is a mass-mailing worm written in MSVB and with the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• the From: address of messages is spoofed
• attachment can be a Zip archive.
• copies itself to C, D, E and F drives.
• Deletes files

Mail Propagation

The details are as follows:

Subject :

• re:Crees que puede ser verdad?
• re:Amor verdadero
• re:xD no me lo puedo creer!!
• re:Dejate de rollos y viv
• re:Psicolog
• re:Neptuno y Mercurio
• re:La Luna
• re:Voodoo un tanto ps...
• re:Eso con queso rima con...xD
• re:Como el aire...

Body Text:

• No veas que cosas xD,luego me cuentas,chao.
• Crees en el amor de verdad?,miralo y ya hablamos,ciaooo
• Ver es creer!!!!chaoo.
• Mira lo que te mando y ya vers que los detalles mas peque
  os son los que importan,ciaoo
• Test para ver si andas bien de las neuronassss!xD,luego hablamos,chao.
• Que relaci n tienen estos planetas?,miralo y luego me cuentas,chao.
• Esa moribunda y solitaria Luna,Impresionante!chao.
•  cierta la magia negra?,sal de dudas y ya me cuentas,chao.
• Renvalo a todo que es que se meannn xD,nos vemos!
• No comment,xDD ,Nos vemos!!

Attachment:    (Can be any of the following:)

• gnito.zip
• Love-Me.zip
• EL_rechazo.zip
• My life(Mi vida).zip
• quico-Mix.zip
• Planetario.zip
• Moon(Luna).zip
• Voodoo!.zip
• Rimaz.zip
• Para-Brisas.zip

The virus copies itself into the Windows System directory as SVCHOSL.PIF. For example:

C:\WINNT\SYSTEM32\SVCHOSL.PIF
The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "svchost" = C:\Winnt\System32\SVCHOSL.PIF
Other files dropped into the %Sysdir% folder:

C:\Winnt\System32\SW.EXE - Contains Mail Propogation routine.

C:\Winnt\System32\SX.EXE - Contains Mail Propogation routine.

C:\Winnt\System32\SZ.EXE - Contains Mail Propogation routine.

C:\Winnt\System32\M.ZIP - Contains a copy of the worm.

C:\Winnt\System32\SS.EXE - Joke file which creates sound.  Detected as Joke-Beeper.

This worm also deletes files with the following extensions from C,D,E,F drives:

• ASM
• ASP
• BDSPROJ
• BMP
• CPP
• CS
• CSPROJ
• CSS
• DOC
• DPR
•  FRM
• GIF
• HTM
• HTML
•  JPEG
•  JPG
• MDB
• MP3
• NFM
• NRG
• PAS
• PCX
• PDF
• PHP
• PPT
• RAR
• RC
• RC2
• REG
• RESX
• RPT
• SLN
• TXT
• VB
• VBP
• VBPROJ
• WAV
• XLS

Symptoms

• Creation of file/registry keys mentioned above. 
• Deletion of files

Method of Infection

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

The virus spoofs the sender address by using a harvested address in the From: field.

Copies itself to drives C:, D:, E: and F: using any of the following filenames:

inzae.pif

extasis8.pif

rd2_roberto.pif

ph003.pif

simbolic3.pif

sin_mas_menos.pif

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

--Update 11/24/2004

This virus has been updated to Low-Profiled due to media attention at   http://www.webuser.co.uk/news/59666.html .

--

This is a mass-mailing worm written in MSVB and with the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• the From: address of messages is spoofed
• attachment can be a Zip archive.
• copies itself to C, D, E and F drives.
• Deletes files

Mail Propagation

The details are as follows:

Subject :

• re:Crees que puede ser verdad?
• re:Amor verdadero
• re:xD no me lo puedo creer!!
• re:Dejate de rollos y viv
• re:Psicolog
• re:Neptuno y Mercurio
• re:La Luna
• re:Voodoo un tanto ps...
• re:Eso con queso rima con...xD
• re:Como el aire...

Body Text:

• No veas que cosas xD,luego me cuentas,chao.
• Crees en el amor de verdad?,miralo y ya hablamos,ciaooo
• Ver es creer!!!!chaoo.
• Mira lo que te mando y ya vers que los detalles mas peque
  os son los que importan,ciaoo
• Test para ver si andas bien de las neuronassss!xD,luego hablamos,chao.
• Que relaci n tienen estos planetas?,miralo y luego me cuentas,chao.
• Esa moribunda y solitaria Luna,Impresionante!chao.
•  cierta la magia negra?,sal de dudas y ya me cuentas,chao.
• Renvalo a todo que es que se meannn xD,nos vemos!
• No comment,xDD ,Nos vemos!!

Attachment:    (Can be any of the following:)

• gnito.zip
• Love-Me.zip
• EL_rechazo.zip
• My life(Mi vida).zip
• quico-Mix.zip
• Planetario.zip
• Moon(Luna).zip
• Voodoo!.zip
• Rimaz.zip
• Para-Brisas.zip

The virus copies itself into the Windows System directory as SVCHOSL.PIF. For example:

C:\WINNT\SYSTEM32\SVCHOSL.PIF
The following Registry key is added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "svchost" = C:\Winnt\System32\SVCHOSL.PIF
Other files dropped into the %Sysdir% folder:

C:\Winnt\System32\SW.EXE - Contains Mail Propogation routine.

C:\Winnt\System32\SX.EXE - Contains Mail Propogation routine.

C:\Winnt\System32\SZ.EXE - Contains Mail Propogation routine.

C:\Winnt\System32\M.ZIP - Contains a copy of the worm.

C:\Winnt\System32\SS.EXE - Joke file which creates sound.  Detected as Joke-Beeper.

This worm also deletes files with the following extensions from C,D,E,F drives:

• ASM
• ASP
• BDSPROJ
• BMP
• CPP
• CS
• CSPROJ
• CSS
• DOC
• DPR
•  FRM
• GIF
• HTM
• HTML
•  JPEG
•  JPG
• MDB
• MP3
• NFM
• NRG
• PAS
• PCX
• PDF
• PHP
• PPT
• RAR
• RC
• RC2
• REG
• RESX
• RPT
• SLN
• TXT
• VB
• VBP
• VBPROJ
• WAV
• XLS

Symptoms

Symptoms -

• Creation of file/registry keys mentioned above. 
• Deletion of files

Method of Infection

Method of Infection -

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:

The virus spoofs the sender address by using a harvested address in the From: field.

Copies itself to drives C:, D:, E: and F: using any of the following filenames:

inzae.pif

extasis8.pif

rd2_roberto.pif

ph003.pif

simbolic3.pif

sin_mas_menos.pif

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A