W32/Anzae.worm.c

Type: Virus
SubType: Email Worm
Discovery Date: 11/23/2004
Length: 50,613 Bytes
Minimum DAT: 4410 (11/24/2004)
Updated DAT: 4637 (11/25/2005)
Minimum Engine: 5.1.00
Description Added: 11/24/2004
Description Modified: 11/24/2004 9:31 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

--Update 11/24/2004

The risk assessment for this virus has been updated to Low-Profiled due to media attention at http://www.webuser.co.uk/news/59666.html.

--

This is a mass-mailing worm packed with the FSG packer. It has the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • spoofs the From: address of the messages it sends
  • may send itself as a Zip archive attachment
  • copies itself to the C, D, E and F drives
  • deletes files
  • attempts to download a DLL from a remote website


Mail Propagation

The outgoing messages are constructed as follows:

Subject (any of the following):

  • re:Crees que puede ser verdad?
  • re:Amor verdadero
  • re:xD no me lo puedo creer!!
  • re:Dejate de rollos y viv
  • re:Psicolog
  • re:Neptuno y Mercurio
  • re:La Luna
  • re:Voodoo un tanto ps...
  • re:Eso con queso rima con...xD
  • re:Como el aire...

Body Text:

  • No veas que cosas xD,luego me cuentas,chao.
  • Crees en el amor de verdad?,miralo y ya hablamos,ciaooo
  • Ver es creer!!!!chaoo.
  • Mira lo que te mando y ya verás que los detalles mas pequeños son los que importan,ciaoo
  • Test para ver si andas bien de las neuronassss!xD,luego hablamos,chao.
  • Que relación tienen estos planetas?,miralo y luego me cuentas,chao.
  • Esa moribunda y solitaria Luna,Impresionante!chao.
  •  cierta la magia negra?,sal de dudas y ya me cuentas,chao.
  • Renvalo a todo que es que se meannn xD,nos vemos!
  • No comment,xDD ,Nos vemos!!


Attachment (any of the following):

  • gnito.zip
  • Love-Me.zip
  • EL_rechazo.zip
  • My life(Mi vida).zip
  • quico-Mix.zip
  • Planetario.zip
  • Moon(Luna).zip
  • Voodoo!.zip
  • Rimaz.zip
  • Para-Brisas.zip
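As an added illustration (not part of McAfee's description), the following Python mail-gateway check flags messages that carry the subject lines and attachment names listed above, and also opens a Zip attachment to see whether it contains a .PIF, which is how the worm ships its executable. The sample message and the sender address are constructed here; the subject and attachment sets are a subset of the indicators on this page.

```python
import io
import zipfile
from email import encoders, message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
# Subject lines and attachment names taken from the description above (lower-cased).
WORM_SUBJECTS = {"re:crees que puede ser verdad?", "re:amor verdadero",
                 "re:la luna", "re:neptuno y mercurio", "re:como el aire..."}
WORM_ATTACHMENTS = {"love-me.zip", "el_rechazo.zip", "planetario.zip", "moon(luna).zip",
                    "voodoo!.zip", "rimaz.zip", "para-brisas.zip"}

def score_message(raw):
    """Return the list of worm indicators matched by one RFC 822 message (empty = none)."""
    msg = message_from_string(raw)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in WORM_SUBJECTS:
        hits.append(f"subject matches worm template: {subject!r}")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name.lower() in WORM_ATTACHMENTS:
            hits.append(f"attachment name matches worm list: {name}")
        if name.lower().endswith(".zip"):
            # The worm's archive carries a .PIF, which Windows runs as a program.
            payload = io.BytesIO(part.get_payload(decode=True) or b"")
            if zipfile.is_zipfile(payload):
                with zipfile.ZipFile(payload) as zf:
                    pifs = [n for n in zf.namelist() if n.lower().endswith(".pif")]
                if pifs:
                    hits.append(f"zip attachment contains .PIF file(s): {pifs}")
    return hits

def build_sample():
    """Constructed message shaped like the worm's mail; not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inzae.pif", b"placeholder bytes, not the worm")
    msg = MIMEMultipart()
    msg["From"] = "spoofed.sender@example.invalid"  # the worm forges this header
    msg["Subject"] = "re:La Luna"
    msg.attach(MIMEText("Esa moribunda y solitaria Luna,Impresionante!chao."))
    part = MIMEBase("application", "zip")
    part.set_payload(buf.getvalue())
    encoders.encode_base64(part)
    part.add_header("Content-Disposition", "attachment", filename="Moon(Luna).zip")
    msg.attach(part)
    return msg.as_string()
```

Matching on the fixed subject and attachment strings catches this variant only; the Zip-contains-.PIF check is the part that generalises to renamed copies.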

The virus copies itself into the Windows System directory as the following files:

  • COMMAND.PIF
  • SVCHOL.PIF
  • PAULA.PIF

The following Registry values are added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Messenger6" = C:\Winnt\System32\COMMAND.PIF
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "svchost" = C:\Winnt\System32\SVCHOSL.PIF

Other files dropped into the %Sysdir% folder:

  • C:\Winnt\System32\SW.EXE - Contains the mail propagation routine.
  • C:\Winnt\System32\SX.EXE - Contains the mail propagation routine.
  • C:\Winnt\System32\SZ.EXE - Contains the mail propagation routine.
  • C:\Winnt\System32\SS.EXE - Joke file which plays a sound (detected as Joke-Beeper).
  • C:\Winnt\System32\M.ZIP - Contains a copy of the worm.

Deletion

This worm also deletes files with the following extensions from the C, D, E and F drives:

  • ASM
  • ASP
  • BDSPROJ
  • BMP
  • CPP
  • CS
  • CSPROJ
  • CSS
  • DOC
  • DPR
  • FRM
  • GIF
  • HTM
  • HTML
  • JPEG
  • JPG
  • MDB
  • MP3
  • NFM
  • NRG
  • PAS
  • PCX
  • PDF
  • PHP
  • PPT
  • RAR
  • RC
  • RC2
  • REG
  • RESX
  • RPT
  • SLN
  • TXT
  • VB
  • VBP
  • VBPROJ
  • WAV
  • XLS

This worm also attempts to download the Microsoft Visual Basic Runtime Library (msvbvm60.dll) from a remote website.

Symptoms

When the file which contains the worm is executed, the following symptoms are observed:

  • Creation of the files and registry values mentioned above.
  • Deletion of files.

Method of Infection

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:
The virus spoofs the sender address by using a harvested address in the From: field.

The worm copies itself to drives C:, D:, E: and F: using any of the following filenames:

  • inzae.pif
  • extasis8.pif
  • rd2_roberto.pif
  • ph003.pif
  • simbolic3.pif
  • sin_mas_menos.pif
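Added example (not McAfee's tooling): a Python triage routine that checks exported Run-key values and a file listing against the startup entries, dropped files and drive copies listed in this description. It assumes the Run values and file paths have already been collected from the host; the sample input below is constructed.

```python
import ntpath

# Indicators from the description above, lower-cased. The page spells the second
# System32 copy both SVCHOL.PIF and SVCHOSL.PIF, so both spellings are listed.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN_RUN_VALUES = {"messenger6", "svchost"}
KNOWN_SYSDIR_FILES = {"command.pif", "svchol.pif", "svchosl.pif", "paula.pif",
                      "sw.exe", "sx.exe", "sz.exe", "ss.exe", "m.zip"}
KNOWN_DRIVE_COPIES = {"inzae.pif", "extasis8.pif", "rd2_roberto.pif",
                      "ph003.pif", "simbolic3.pif", "sin_mas_menos.pif"}

def triage(run_values, files):
    """run_values: {value name: command} read from RUN_KEY; files: full paths
    found on the C: to F: drives. Returns a list of findings (empty = no match)."""
    findings = []
    for name, command in run_values.items():
        target = ntpath.basename(command.strip().strip('"')).lower()
        if name.lower() in KNOWN_RUN_VALUES and target.endswith(".pif"):
            findings.append(f"Run value {name!r} launches {command} (matches worm)")
        elif target.endswith(".pif"):
            # Legitimate software rarely autostarts a .PIF; flag it for review.
            findings.append(f"Run value {name!r} launches an unexpected .PIF: {command}")
    for path in files:
        base = ntpath.basename(path).lower()
        in_sysdir = ntpath.dirname(path).lower().endswith("\\system32")
        if base in KNOWN_SYSDIR_FILES and in_sysdir:
            findings.append(f"dropped file present: {path}")
        elif base in KNOWN_DRIVE_COPIES:
            findings.append(f"worm copy present: {path}")
    return findings

# Constructed sample input, not data from a real machine.
SAMPLE_RUN = {"Messenger6": r"C:\Winnt\System32\COMMAND.PIF",
              "svchost": r"C:\Winnt\System32\SVCHOSL.PIF",
              "ctfmon.exe": r"C:\Winnt\System32\ctfmon.exe"}
SAMPLE_FILES = [r"C:\Winnt\System32\SW.EXE", r"C:\Winnt\System32\ctfmon.exe",
                r"D:\inzae.pif", r"E:\sin_mas_menos.pif"]
```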

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
