W32/Anzae.worm.d

Type: Virus
SubType: E-mail worm
Discovery Date: 11/23/2004
Length: 50,832 Bytes
Minimum DAT: 4410 (11/24/2004)
Updated DAT: 4637 (11/25/2005)
Minimum Engine: 5.1.00
Description Added: 11/24/2004
Description Modified: 11/24/2004 8:40 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a mass-mailing worm packed with the FSG packer. It has the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • the From: address of its messages is spoofed
  • the attachment can be a Zip archive
  • copies itself to the C, D, E and F drives
  • deletes files
  • displays a pornographic image on screen

Mail Propagation

The details are as follows:

Subject:

  • re:Crees que puede ser verdad?
  • re:Amor verdadero
  • re:xD no me lo puedo creer!!
  • re:Dejate de rollos y viv
  • re:Psicolog
  • re:Neptuno y Mercurio
  • re:La Luna
  • re:Voodoo un tanto ps...
  • re:Eso con queso rima con...xD
  • re:Como el aire...

Body Text:

  • No veas que cosas xD,luego me cuentas,chao.
  • Crees en el amor de verdad?,miralo y ya hablamos,ciaooo
  • Ver es creer!!!!chaoo.
  • Mira lo que te mando y ya verás que los detalles mas pequeños son los que importan,ciaoo
  • Test para ver si andas bien de las neuronassss!xD,luego hablamos,chao.
  • Que relación tienen estos planetas?,miralo y luego me cuentas,chao.
  • Esa moribunda y solitaria Luna,Impresionante!chao.
  •  cierta la magia negra?,sal de dudas y ya me cuentas,chao.
  • Renvalo a todo que es que se meannn xD,nos vemos!
  • No comment,xDD ,Nos vemos!!


Attachment (can be any of the following):

  • gnito.zip
  • Love-Me.zip
  • EL_rechazo.zip
  • My life(Mi vida).zip
  • quico-Mix.zip
  • Planetario.zip
  • Moon(Luna).zip
  • Voodoo!.zip
  • Rimaz.zip
  • Para-Brisas.zip

The virus copies itself into the Windows System directory as the following files:

  • COMMAND.PIF
  • SVCHOL.PIF
  • PAULA.PIF

The following Registry keys are added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Messenger6" = C:\Winnt\System32\COMMAND.PIF
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "svchost" = C:\Winnt\System32\SVCHOSL.PIF

Other files dropped into the %Sysdir% folder:

  • C:\Winnt\System32\SW.EXE - Contains the mail propagation routine.
  • C:\Winnt\System32\SX.EXE - Contains the mail propagation routine.
  • C:\Winnt\System32\SZ.EXE - Contains the mail propagation routine.
  • C:\Winnt\System32\SS.EXE - Joke file which plays a sound (detected as Joke-Beeper).
  • C:\Winnt\System32\M.ZIP - Contains a copy of the worm.
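A triage check for the startup hooks described above, added here as an example rather than taken from the description. It parses a `reg export` (.reg) dump of the HKCU Run key, flags the two value names the page lists when they point at the named .PIF files, and also flags any Run value that launches a .PIF (a heuristic of mine, not a statement from the page); the sample export and the function names are constructed.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Persistence indicators from the description: Run value name -> dropped file it launches.
# (The page spells the second file both SVCHOL.PIF and SVCHOSL.PIF; the Run value uses SVCHOSL.)
ANZAE_RUN_VALUES = {"messenger6": "command.pif", "svchost": "svchosl.pif"}

# One "name"="string data" line of a .reg file; a backslash escapes the next character.
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)          # \\ -> \ and \" -> "

def parse_run_entries(reg_text: str, key_suffix: str = r"\CurrentVersion\Run") -> Dict[str, str]:
    """Collect string values under every key whose path ends in key_suffix."""
    entries, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower().endswith(key_suffix.lower())
            continue
        m = VALUE_LINE.match(line)
        if in_run and m:
            entries[_unescape(m["name"])] = _unescape(m["data"])
    return entries

def anzae_run_hits(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (value name, launched file, reason) for Run entries matching the worm's hooks."""
    hits = []
    for name, data in parse_run_entries(reg_text).items():
        exe = data.split('"')[1] if data.startswith('"') else data.split(" ")[0]
        fname = ntpath.basename(exe).lower()
        if ANZAE_RUN_VALUES.get(name.lower()) == fname:
            hits.append((name, fname, "known Anzae.worm.d Run value"))
        elif fname.endswith(".pif"):
            # Heuristic (assumption, not from the page): legitimate autostart entries rarely
            # launch a .PIF, while this worm's copies are all .PIF files.
            hits.append((name, fname, "Run value launching a .PIF file"))
    return hits

# Constructed sample export, not a real capture: the two listed worm values, one extra
# constructed .PIF entry to exercise the heuristic, and one benign quoted-path entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger6"="C:\\Winnt\\System32\\COMMAND.PIF"
"svchost"="C:\\Winnt\\System32\\SVCHOSL.PIF"
"Paula"="C:\\Winnt\\System32\\PAULA.PIF"
"Updater"="\"C:\\Program Files\\Example\\updater.exe\" /quiet"
'''
```

Run `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` on the suspect host and feed the file's text to `anzae_run_hits` (the export is UTF-16, so decode it first).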

Deletion

This worm also deletes files with the following extensions from the C, D, E and F drives:

  • ASM
  • ASP
  • BDSPROJ
  • BMP
  • CPP
  • CS
  • CSPROJ
  • CSS
  • DOC
  • DPR
  • FRM
  • GIF
  • HTM
  • HTML
  • JPEG
  • JPG
  • MDB
  • MP3
  • NFM
  • NRG
  • PAS
  • PCX
  • PDF
  • PHP
  • PPT
  • RAR
  • RC
  • RC2
  • REG
  • RESX
  • RPT
  • SLN
  • TXT
  • VB
  • VBP
  • VBPROJ
  • WAV
  • XLS

This worm attempts to download a pornographic image from a remote website and automatically displays it on the desktop.

Symptoms

  • Creation of the files and registry keys mentioned above
  • Deletion of files
  • Pornographic image on desktop.

Method of Infection

This virus constructs messages using its own SMTP engine. Target email addresses are harvested from files with the following extensions on the victim machine:
The virus spoofs the sender address by using a harvested address in the From: field.

The worm copies itself to drives C:, D:, E: and F: using any of the following filenames:

  • inzae.pif
  • extasis8.pif
  • rd2_roberto.pif
  • ph003.pif
  • simbolic3.pif
  • sin_mas_menos.pif

Removal

All Users:
Use the specified engine and DAT files for detection and removal. Delete files which contain this detection.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
