W32/Kipis.b@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 12/24/2004
Length: 20,731 bytes
Minimum DAT: 4418 (01/05/2005)
Updated DAT: 4896 (11/15/2006)
Minimum Engine: 5.1.00
Description Added: 12/31/2004
Description Modified: 12/31/2004 5:49 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a mass-mailing worm that bears the following characteristics:

  • Contains its own SMTP engine to construct outgoing messages
  • Spoofs the From: address
  • Terminates certain Antivirus/Firewall products

Symptoms

Installation

When executed, the worm drops the following file and opens it in MSPaint, causing the application to crash:

  • %SysDir%\JPG.BMP

The file is a corrupt bitmap, not a valid file.

The worm installs itself into the Windows directory as REGEDIT.COM, and into a SECURITY folder as SVCHOST.EXE:

  • %WinDir%\regedit.com
  • %WinDir%\security\svchost.exe

Startup is hooked via modification of the following Registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The "Shell" value is changed from:

  • Explorer.exe

to

  • Explorer.exe %WinDir%\security\svchost.exe
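A defender-side check for the persistence described above, added here as an example and not part of the McAfee description: it parses a Winlogon Shell value in the modified form shown, flags every entry that is not explorer.exe, and reports which of the listed dropped-file paths are present. The function names and the sample inputs are my own.

```python
"""Audit a Winlogon "Shell" value for the persistence W32/Kipis.b@MM uses.
Added example, not McAfee's code. It works on strings only, so it runs on any
platform; on a Windows host the value is read from WINLOGON_KEY (winreg or a
registry export) and passed to audit()."""
import ntpath
import shlex

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"
# Files the description lists for this worm (environment variables left unexpanded).
KIPIS_PATHS = (r"%WinDir%\regedit.com", r"%WinDir%\security\svchost.exe", r"%SysDir%\JPG.BMP")


def shell_entries(shell_value: str) -> list[str]:
    """Split a Shell value into its program entries.
    Winlogon accepts a comma-separated list; Kipis.b appends its copy after a space
    instead, so both separators are honoured. posix=False keeps backslashes literal,
    and a quoted path containing spaces survives as one entry."""
    tokens = shlex.split(shell_value.replace(",", " "), posix=False)
    return [t.strip('"') for t in tokens]


def unexpected_shell_entries(shell_value: str) -> list[str]:
    """Every entry whose file name is not explorer.exe; any directory is accepted."""
    return [e for e in shell_entries(shell_value) if ntpath.basename(e).lower() != EXPECTED_SHELL]


def kipis_file_hits(present_paths: list[str]) -> list[str]:
    """The listed Kipis.b paths found in present_paths (case-insensitive, unexpanded form)."""
    present = {p.lower() for p in present_paths}
    return [p for p in KIPIS_PATHS if p.lower() in present]


def audit(shell_value: str, present_paths: list[str]) -> dict:
    """Combine both checks; a non-empty shell_hijack list is the stronger signal."""
    return {"key": WINLOGON_KEY,
            "shell_hijack": unexpected_shell_entries(shell_value),
            "dropped_files": kipis_file_hits(present_paths)}


if __name__ == "__main__":
    # Constructed inputs mirroring the description: modified Shell value plus two dropped files.
    sample_shell = r"Explorer.exe %WinDir%\security\svchost.exe"
    sample_files = [r"%WinDir%\explorer.exe", r"%WinDir%\regedit.com", r"%WinDir%\security\svchost.exe"]
    print(audit(sample_shell, sample_files))
```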

Process Termination

The worm terminates processes associated with many anti-virus and security products, for example those whose names contain any of the following strings:

  • frw.
  • bupw.
  • ewall
  • guard.
  • ___r.
  • sphinx.
  • maniac.
  • bscanx
  • nprotect
  • suchost.
  • ___synmgr.
  • safe
  • taumon
  • kerio
  • blackice
  • systra.e
  • upgrade
  • update
  • zonealarm
  • outpost
  • rising
  • winit.
  • symantec
  • gate
  • kav
  • mcafee
  • nav
  • duba
  • dec25.
  • svchosl.
  • skynet
  • rfw.
  • avmon

Method of Infection

Mail Propagation

The worm harvests email addresses from the victim machine. Files with the following extensions are searched:

  • tbb
  • dbx
  • doc
  • htm
  • adb
  • txt

The worm spoofs the From: address of sent messages. In addition to constructing a fake address, it may set it to one of the following:

  • Cameron dias@love.com
  • kylie minogue@kylie minogue.com
  • madonna@madonna.com
  • Britney Spears@britney spears.com

Outgoing messages are constructed as follows:

From: Spoofed

Subject: One of the following is used:

  • Ass
  • Happy New Year
  • Hello

Body: Various message bodies may be used:

Message 1
_____________________________________________
    Server cannot send message.
_____________________________________________
On all questions address in a support service
   support@(inserted domain name)

Message 2
Kiss me Ass...

Message 3
Hello! baby :)

Attachment: The worm attaches itself with a .SCR extension using various filenames:

  • kiss my ass.scr
  • your present.scr
  • your screen_03.scr
  • myfoto_04.scr
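A mail-gateway style check for the message template described above, added here as an example and not part of the McAfee description: it parses a raw message with Python's standard email parser and scores the subject, body and attachment names against the strings listed. The sample message and the function names are my own.

```python
"""Flag mail matching the W32/Kipis.b@MM message template described above.
Added example, not McAfee's code; standard-library email parsing only, and the
raw message at the bottom is constructed for illustration."""
from email import message_from_string
from email.message import Message

# Indicator strings taken from the description (compared case-insensitively).
KIPIS_SUBJECTS = {"ass", "happy new year", "hello"}
KIPIS_ATTACHMENTS = {"kiss my ass.scr", "your present.scr", "your screen_03.scr", "myfoto_04.scr"}
KIPIS_BODY_MARKERS = ("server cannot send message.", "kiss me ass...", "hello! baby :)")


def attachment_names(msg: Message) -> list[str]:
    """Collect the filename of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def kipis_findings(raw: str) -> dict:
    """Score one raw RFC 822 message against the template; each field is independent."""
    msg = message_from_string(raw)
    names = attachment_names(msg)
    # Decoded text/plain parts that are not themselves attachments.
    body = "\n".join(p.get_payload(decode=True).decode("latin-1", "replace")
                     for p in msg.walk()
                     if p.get_content_type() == "text/plain" and not p.get_filename())
    return {
        "subject_match": (msg.get("Subject") or "").strip().lower() in KIPIS_SUBJECTS,
        "body_match": any(m in body.lower() for m in KIPIS_BODY_MARKERS),
        "scr_attachment": [n for n in names if n.lower().endswith(".scr")],
        "known_attachment": [n for n in names if n.lower() in KIPIS_ATTACHMENTS],
    }


def is_kipis_candidate(raw: str) -> bool:
    """Require an .scr attachment plus one more template match; .scr alone is only a weak signal."""
    f = kipis_findings(raw)
    return bool(f["scr_attachment"]) and any((f["subject_match"], f["body_match"], f["known_attachment"]))


# Constructed sample in the shape the worm sends: spoofed From, template subject and body.
SAMPLE = """\
From: madonna@madonna.com
Subject: Happy New Year
Content-Type: multipart/mixed; boundary="b1"

--b1

Hello! baby :)
--b1
Content-Disposition: attachment; filename="your present.scr"

--b1--
"""
```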

The worm does not mail itself to addresses containing any of the following strings:

  • nai.c
  • mydomai
  • gov.
  • foo.
  • iruslis
  • strike.
  • .hlp
  • .zip
  • .gov
  • nodomai
  • borlan
  • hotmail
  • software.
  • .txt
  • .mil
  • panda
  • msn.
  • icrosoft
  • avp
  • rfc-
  • ripe.
  • anyone
  • mozilla
  • sendmail
  • pgp
  • sopho
  • syman
  • secur
  • fido
  • google
  • bitdef
  • mailer
  • linux
  • unix
  • neohapsis
  • guninski
  • podpiska
  • delphiworld
  • accoun
  • listserv
  • newvir
  • antivir
  • support
  • admin
  • confirm
  • news
  • info
  • no
  • site
  • webmaney
  • spm111
  • where
  • bigbrother
  • abuse
  • rating
  • the.bat
  • page
  • soft
  • register
  • moco2k
  • notice
  • www.
  • help
  • bugs
  • contact
  • service
  • bugtraq
  • latincards
  • msoe
  • privacy
  • webmaster
  • postmaster

Peer to Peer Propagation

The worm copies itself to shared folders on the victim machine. The following enticing filenames are used:

  • Nude Britney Spears.scr
  • Nude Pic_07.scr
  • Virtual Girl 2.01.com
  • KAV Pro 5.xx keygen.com
  • DrWeb 4.32 keygen.com
  • WinXP Sp2 key.com

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.