W32/Anzae.worm.c

Content

W32/Anzae.worm.c

Type: Virus
SubType: Email Worm
Discovery Date: 11/23/2004
Length: 50,613 Bytes
Minimum DAT: 4410 (11/24/2004)
Updated DAT: 4637 (11/25/2005)
Minimum Engine: 5.1.00
Description Added: 11/24/2004
Description Modified: 11/24/2004 9:31 AM (PT)

Risk Assessment

Corporate User: Low-Profiled
Home User: Low-Profiled

Tab Navigation

Characteristics

--Update 11/24/2004

This virus has been updated to Low-Profiled due to media attention at http://www.webuser.co.uk/news/59666.html .

This is a mass-mailing worm packed using FSG packer and with the following characteristics:

contains its own SMTP engine to construct outgoing messages
the From: address of messages is spoofed
attachment can be a Zip archive.
copies itself to C, D, E and F drives.
Deletes files
Attempts to download a DLL from a remote website

Mail Propagation

The details are as follows:

Subject :

re:Crees que puede ser verdad?
re:Amor verdadero
re:xD no me lo puedo creer!!
re:Dejate de rollos y viv
re:Psicolog
re:Neptuno y Mercurio
re:La Luna
re:Voodoo un tanto ps...
re:Eso con queso rima con...xD
re:Como el aire...

Body Text:

No veas que cosas xD,luego me cuentas,chao.
Crees en el amor de verdad?,miralo y ya hablamos,ciaooo
Ver es creer!!!!chaoo.
Mira lo que te mando y ya vers que los detalles mas peque
os son los que importan,ciaoo
Test para ver si andas bien de las neuronassss!xD,luego hablamos,chao.
Que relaci n tienen estos planetas?,miralo y luego me cuentas,chao.
Esa moribunda y solitaria Luna,Impresionante!chao.
cierta la magia negra?,sal de dudas y ya me cuentas,chao.
Renvalo a todo que es que se meannn xD,nos vemos!
No comment,xDD ,Nos vemos!!

Attachment: (Can be any of the following:)

gnito.zip
Love-Me.zip
EL_rechazo.zip
My life(Mi vida).zip
quico-Mix.zip
Planetario.zip
Moon(Luna).zip
Voodoo!.zip
Rimaz.zip
Para-Brisas.zip

The virus copies itself into the Windows System directory as the following files

COMMAND.PIF.
SVCHOL.PIF
PAULA.PIF

The following Registry keys are added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Messenger6" = C:\Winnt\System32\COMMAND.PIF
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "svchost" = C:\Winnt\System32\SVCHOSL.PIF

Other files dropped into the %Sysdir% folder:

C:\Winnt\System32\SW.EXE - Contains Mail Propogation routine.
C:\Winnt\System32\SX.EXE - Contains Mail Propogation routine.
C:\Winnt\System32\SZ.EXE - Contains Mail Propogation routine.
C:\Winnt\System32\SS.EXE - Joke file which creates sound. (Detected as Joke-Beeper).
C:\Winnt\System32\M.ZIP - Contains a copy of the worm.

Deletion

This worm also deletes files with the following extensions from C,D,E,F drives:

ASM
ASP
BDSPROJ
BMP
CPP
CS
CSPROJ
CSS
DOC
DPR
FRM
GIF
HTM
HTML
JPEG
JPG
MDB
MP3
NFM
NRG
PAS
PCX
PDF
PHP
PPT
RAR
RC
RC2
REG
RESX
RPT
SLN
TXT
VB
VBP
VBPROJ
WAV
XLS

This worm also attempts to download a Microsoft Visual Basic Runtime Library (msvbvm60.dll) from a remote website.

Symptoms

When the file which contains the worm is executed the user is presented with the following mesage text:

Creation of file/registry keys mentioned above.
Deletion of files

Method of Infection

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:
The virus spoofs the sender address by using a harvested address in the From: field.

Copies itself to drives C:, D:, E: and F: using any of the following filenames:

inzae.pif
extasis8.pif
rd2_roberto.pif
ph003.pif
simbolic3.pif
sin_mas_menos.pif

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

--Update 11/24/2004

This virus has been updated to Low-Profiled due to media attention at http://www.webuser.co.uk/news/59666.html .

This is a mass-mailing worm packed using FSG packer and with the following characteristics:

contains its own SMTP engine to construct outgoing messages
the From: address of messages is spoofed
attachment can be a Zip archive.
copies itself to C, D, E and F drives.
Deletes files
Attempts to download a DLL from a remote website

Mail Propagation

The details are as follows:

Subject :

re:Crees que puede ser verdad?
re:Amor verdadero
re:xD no me lo puedo creer!!
re:Dejate de rollos y viv
re:Psicolog
re:Neptuno y Mercurio
re:La Luna
re:Voodoo un tanto ps...
re:Eso con queso rima con...xD
re:Como el aire...

Body Text:

No veas que cosas xD,luego me cuentas,chao.
Crees en el amor de verdad?,miralo y ya hablamos,ciaooo
Ver es creer!!!!chaoo.
Mira lo que te mando y ya vers que los detalles mas peque
os son los que importan,ciaoo
Test para ver si andas bien de las neuronassss!xD,luego hablamos,chao.
Que relaci n tienen estos planetas?,miralo y luego me cuentas,chao.
Esa moribunda y solitaria Luna,Impresionante!chao.
cierta la magia negra?,sal de dudas y ya me cuentas,chao.
Renvalo a todo que es que se meannn xD,nos vemos!
No comment,xDD ,Nos vemos!!

Attachment: (Can be any of the following:)

gnito.zip
Love-Me.zip
EL_rechazo.zip
My life(Mi vida).zip
quico-Mix.zip
Planetario.zip
Moon(Luna).zip
Voodoo!.zip
Rimaz.zip
Para-Brisas.zip

The virus copies itself into the Windows System directory as the following files

COMMAND.PIF.
SVCHOL.PIF
PAULA.PIF

The following Registry keys are added to hook system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "Messenger6" = C:\Winnt\System32\COMMAND.PIF
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "svchost" = C:\Winnt\System32\SVCHOSL.PIF

Other files dropped into the %Sysdir% folder:

C:\Winnt\System32\SW.EXE - Contains Mail Propogation routine.
C:\Winnt\System32\SX.EXE - Contains Mail Propogation routine.
C:\Winnt\System32\SZ.EXE - Contains Mail Propogation routine.
C:\Winnt\System32\SS.EXE - Joke file which creates sound. (Detected as Joke-Beeper).
C:\Winnt\System32\M.ZIP - Contains a copy of the worm.

Deletion

This worm also deletes files with the following extensions from C,D,E,F drives:

ASM
ASP
BDSPROJ
BMP
CPP
CS
CSPROJ
CSS
DOC
DPR
FRM
GIF
HTM
HTML
JPEG
JPG
MDB
MP3
NFM
NRG
PAS
PCX
PDF
PHP
PPT
RAR
RC
RC2
REG
RESX
RPT
SLN
TXT
VB
VBP
VBPROJ
WAV
XLS

This worm also attempts to download a Microsoft Visual Basic Runtime Library (msvbvm60.dll) from a remote website.

Symptoms

Symptoms -

When the file which contains the worm is executed the user is presented with the following mesage text:

Creation of file/registry keys mentioned above.
Deletion of files

Method of Infection

Method of Infection -

Copies itself to drives C:, D:, E: and F: using any of the following filenames:

inzae.pif
extasis8.pif
rd2_roberto.pif
ph003.pif
simbolic3.pif
sin_mas_menos.pif

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A

McAfee > Theat Center > Virus Detail Page

Navigation

Utility Navigation

Global Sites

Need Help?

Threat Center

Segment Navigation

Section Navigation

Content

W32/Anzae.worm.c

Risk Assessment

Tab Navigation

Overview

Characteristics

Symptoms

Method of Infection

Removal

Variants

Variants

All Information

Overview -

Characteristics

Characteristics -

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Removal -

Removal -

Variants

Variants -

Threat Resources

Footer