W32/Radebot.worm

Type: Virus
SubType: Worm
Discovery Date: 02/23/2005
Length: NA
Minimum DAT: 4432 (02/23/2005)
Updated DAT: 4432 (02/23/2005)
Minimum Engine: 5.1.00
Description Added: 02/23/2005
Description Modified: 05/19/2005 3:11 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

When executed, this worm installs itself as a Windows service so that it is loaded at system startup, creating the following registry key:

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nethost

The service name is "Nethost" and its display name is "Network Host Controller". (ControlSet001 is the control set named here; on most systems it is also the set that HKLM\System\CurrentControlSet links to, but the active set is whichever one HKLM\System\Select\Current points at, so check the CurrentControlSet path as well.)

This worm also drops a DLL named MSRSDN32.DLL, which is detected as "BackDoor-COY".

Worm Component:

Attempts to spread by exploiting the following Microsoft vulnerabilities:

  • Microsoft Windows LSASS Buffer Overrun Vulnerability (MS04-011)
  • Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability (MS00-078)
  • Windows DCOM RPC Interface Buffer Overrun Vulnerability (MS03-026)
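
Of the three, the IIS Unicode traversal is the one that leaves a clear trace in web server logs: the request path carries an overlong UTF-8 encoding of '/' (C0 AF) or '\' (C1 9C) that slipped past a '..' check performed before decoding. The following is an added example, not part of this description and not code from the worm or from McAfee: a Python scanner for IIS W3C log lines that decodes the path the way a permissive decoder would, flags overlong sequences, and reports whether the decoded path climbs out of the web root. The log field order and the sample lines are assumed/constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed IIS W3C extended log layout for this example:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<query>\S+) (?P<status>\d+)$"
)


def lenient_utf8_decode(data: bytes):
    """Decode like the permissive decoder the vulnerable IIS used.

    A strict decoder rejects overlong forms such as C0 AF; a permissive one
    turns them into '/', which is what the traversal relied on. Only two-byte
    lead bytes are handled; other bytes pass through one-for-one, which is
    enough for path inspection. Returns (decoded_text, saw_overlong).
    """
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:  # would fit in one byte: overlong encoding
                overlong = True
            out.append(chr(cp))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out), overlong


def escapes_webroot(path: str) -> bool:
    """True if the decoded path climbs above the web root via '..' segments."""
    depth = 0
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyze_line(line: str):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    raw = m.group("uri")
    decoded, overlong = lenient_utf8_decode(unquote_to_bytes(raw))
    reasons = []
    if overlong:
        reasons.append("overlong UTF-8 sequence in path")
    if escapes_webroot(decoded):
        reasons.append("path escapes web root after decoding")
    if "cmd.exe" in decoded.lower():
        reasons.append("requests cmd.exe")
    return {"ip": m.group("ip"), "raw": raw, "decoded": decoded, "reasons": reasons}


def scan_log(lines):
    """Return findings for every line that triggered at least one reason."""
    results = []
    for line in lines:
        f = analyze_line(line)
        if f and f["reasons"]:
            results.append(f)
    return results


# Constructed sample log (not from any real server): a normal request, a
# request with ordinary non-overlong UTF-8, and two traversal attempts using
# the overlong encodings of '/' (C0 AF) and '\' (C1 9C).
SAMPLE_LOG = [
    "2005-02-23 10:00:00 192.0.2.10 GET /default.htm - 200",
    "2005-02-23 10:00:01 192.0.2.11 GET /docs/caf%c3%a9.htm - 200",
    "2005-02-23 10:00:02 192.0.2.12 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200",
    "2005-02-23 10:00:03 192.0.2.12 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 404",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["raw"], "->", f["decoded"], "|", "; ".join(f["reasons"]))
```

The point of the decoder is that detection has to happen on the same representation the server acted on: matching on a literal "../" in the raw request misses exactly the requests that mattered here, while the café line shows that ordinary multibyte UTF-8 is not flagged.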

IRC Component:

It connects to a pre-defined IRC server and joins a channel. Once connected, the worm acts as a bot, waiting for commands from the attacker.

Redirection Component:

Monitors the user's web browsing and, when one of the following internet banking sites is visited, redirects the browser to an attacker-controlled website hosting fake login pages for that bank. The banking sites include the following:

  • LloydsTSB online
  • NatWest OnLine Banking
  • HSBC Internet Banking
  • Barclays International Online Banking

Key logging Component:

Captures the user names and passwords entered on the banking websites listed above and transmits them to a pre-defined email address.

Symptoms

  • A desktop firewall alerting that an unrecognised program (the "Nethost" service) is trying to access the internet, for example to reach the IRC server.
  • Presence of the registry key, the "Nethost" / "Network Host Controller" service and the MSRSDN32.DLL file mentioned above.
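
A quick host-side check for those indicators, as an added example (not part of this description and not McAfee's tooling): a Python script that enumerates services under both ControlSet001 and CurrentControlSet, matches on the service key name, the display name and any reference to MSRSDN32.DLL, and searches given directories for the dropped DLL. The ImagePath/ServiceDll check and the sample service entries, including their paths, are assumptions made for illustration; the description does not say how the DLL is loaded.

```python
import os
import platform

# Indicators of compromise taken from the description above.
SERVICE_NAME = "nethost"                  # HKLM\SYSTEM\ControlSet001\Services\nethost
DISPLAY_NAME = "Network Host Controller"
DROPPED_DLL = "MSRSDN32.DLL"              # detected as BackDoor-COY

# ControlSet001 is what the description names; CurrentControlSet is a link to
# whichever set HKLM\SYSTEM\Select\Current points at, so check both.
SERVICE_ROOTS = (
    r"SYSTEM\ControlSet001\Services",
    r"SYSTEM\CurrentControlSet\Services",
)


def match_service(name, display_name="", image_path="", service_dll=""):
    """Return the reasons (possibly none) a service entry matches the indicators.

    ImagePath/ServiceDll are checked on the assumption that the service binary
    or its Parameters\ServiceDll value may point at the dropped DLL; the
    description does not say so, so treat those hits as supporting evidence.
    """
    reasons = []
    if name.lower() == SERVICE_NAME:
        reasons.append("service key name is 'nethost'")
    if display_name.strip().lower() == DISPLAY_NAME.lower():
        reasons.append("display name is 'Network Host Controller'")
    for field, value in (("ImagePath", image_path), ("ServiceDll", service_dll)):
        if value and DROPPED_DLL.lower() in value.lower():
            reasons.append(f"{field} references {DROPPED_DLL}")
    return reasons


def scan_services(services):
    """services: iterable of dicts with keys name, display_name, image_path, service_dll.

    Returns {service name: [reasons]} for every matching entry.
    """
    findings = {}
    for svc in services:
        reasons = match_service(svc.get("name", ""), svc.get("display_name", ""),
                                svc.get("image_path", ""), svc.get("service_dll", ""))
        if reasons:
            findings[svc["name"]] = reasons
    return findings


def find_dropped_dll(search_dirs):
    """Walk the given directories and return every file named MSRSDN32.DLL."""
    hits = []
    for root_dir in search_dirs:
        for dirpath, _dirs, filenames in os.walk(root_dir):
            hits.extend(os.path.join(dirpath, fn) for fn in filenames
                        if fn.lower() == DROPPED_DLL.lower())
    return hits


def read_services_from_registry():
    """Enumerate services from a live Windows registry; returns [] elsewhere."""
    if platform.system() != "Windows":
        return []
    import winreg  # Windows-only module

    def value(key, name):
        try:
            return str(winreg.QueryValueEx(key, name)[0])
        except OSError:
            return ""

    services = []
    for root in SERVICE_ROOTS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as hroot:
                i = 0
                while True:
                    try:
                        name = winreg.EnumKey(hroot, i)
                    except OSError:
                        break  # no more subkeys
                    i += 1
                    with winreg.OpenKey(hroot, name) as hsvc:
                        service_dll = ""
                        try:
                            with winreg.OpenKey(hsvc, "Parameters") as hparam:
                                service_dll = value(hparam, "ServiceDll")
                        except OSError:
                            pass
                        services.append({"name": name,
                                         "display_name": value(hsvc, "DisplayName"),
                                         "image_path": value(hsvc, "ImagePath"),
                                         "service_dll": service_dll})
        except OSError:
            continue
    return services


# Constructed sample entries (paths invented) so the matcher runs off-Windows.
SAMPLE_SERVICES = [
    {"name": "Dhcp", "display_name": "DHCP Client",
     "image_path": r"%SystemRoot%\system32\svchost.exe -k netsvcs"},
    {"name": "nethost", "display_name": "Network Host Controller",
     "image_path": r"C:\WINDOWS\system32\nethost.exe"},
    {"name": "Svc42", "display_name": "Helper",
     "image_path": r"rundll32.exe C:\WINDOWS\system32\MSRSDN32.DLL,Start"},
]

if __name__ == "__main__":
    live = read_services_from_registry()
    for name, reasons in scan_services(live or SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(reasons))
```

Run it as an administrator on the suspect host so the service keys and Parameters subkeys are readable; a display-name hit without the "nethost" key name is still worth a look, since a variant could rename the key and keep the user-visible name.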

Method of Infection

The worm infects a machine when its executable is first run. Once running, it scans the network for other machines vulnerable to the Microsoft vulnerabilities listed above and exploits them to spread.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. Because the worm spreads through the vulnerabilities listed above, removal alone does not prevent reinfection: the corresponding Microsoft patches must be applied to the cleaned host and to its neighbours on the network. Because the key logging component mails captured banking credentials to the attacker, passwords used on the listed banking sites from an infected machine should be treated as compromised and changed. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Backdoor.IRC.Nafan - Doctor Web
  • Backdoor.Win32.Delf.vb - Kaspersky
  • Win32.Lovgate.W - Ikarus PC Scan
