W32/Bagle.bn@MM

Type
Virus
SubType
E-mail
Discovery Date
03/01/2005
Length
Varies
Minimum DAT
4436 (03/01/2005)
Updated DAT
4626 (11/11/2005)
Minimum Engine
5.1.00
Description Added
03/01/2005
Description Modified
03/02/2005 11:58 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a mass-mailing worm with the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • the From: address of messages is spoofed
  • attachment may be a password-protected zip file, with the password included in the message body
  • contains a remote access component (a notification of the infection is sent to the attacker)
  • creates mutexes whose names are taken from those used by W32/Netsky variants, so that those W32/Netsky variants will not run on an infected machine
  • deletes the startup registry entries of security programs and other worms

Mail Propagation

The details are as follows:

From : (address is spoofed)
Subject : (blank)

Body Text:

  • Password:
  • Pass -
  • Password -
  • new price
  • price
  • The password is
  • Password:

Attachment:

  • price.zip
  • price2.zip
  • price_new.zip
  • price_08.zip
  • 08_price.zip
  • newprice.zip
  • new_price.zip
  • new__price.zip

Within the ZIP file is an executable file named doc_01.exe.
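The message-level indicators above (blank Subject, one of the price*.zip attachment names, a body that carries the archive password, doc_01.exe inside the ZIP) can be checked mechanically on a mail gateway or in a mailbox export. The following is an added example written for this page, not McAfee's code: the indicator values come from the description, while the password regex, the "suspect" rule and the sample message are this example's own assumptions.

```python
"""Triage an e-mail for the W32/Bagle.bn@MM lure described above.

Added example, not McAfee's code.  The indicators (blank Subject, the
price*.zip attachment names, a body carrying the ZIP password, doc_01.exe
inside the archive) come from the description; the password regex, the
"suspect" rule and the sample message are this example's own assumptions.
"""
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# Attachment names and body phrases listed in the description.
ATTACHMENT_NAMES = {
    "price.zip", "price2.zip", "price_new.zip", "price_08.zip",
    "08_price.zip", "newprice.zip", "new_price.zip", "new__price.zip",
}
BODY_PHRASES = ("password:", "pass -", "password -", "new price", "price",
                "the password is")
DROPPED_EXE = "doc_01.exe"
# Assumption: the password is the token that follows one of the phrases.
PASSWORD_RE = re.compile(r"(?:the password is|password\s*[:-]|pass\s*-)\s*(\S+)",
                         re.IGNORECASE)


def triage(raw: bytes) -> dict:
    """Return the matched indicators, the password found in the body (if any),
    the ZIP member names and a verdict."""
    msg = email.message_from_bytes(raw, policy=default)
    hits = []
    if str(msg.get("Subject", "")).strip() == "":
        hits.append("blank-subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if any(p in text.lower() for p in BODY_PHRASES):
        hits.append("password-body")
    m = PASSWORD_RE.search(text)
    password = m.group(1) if m else None
    members = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENT_NAMES:
            hits.append("attachment:" + name)
        payload = part.get_payload(decode=True) or b""
        if payload[:2] != b"PK":
            continue
        try:
            # namelist() needs no password even when the archive is encrypted,
            # so the member check works without extracting anything.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            hits.append("bad-zip")
            continue
        if DROPPED_EXE in (member.lower() for member in members):
            hits.append("zip-member:" + DROPPED_EXE)
    # Example's own rule: all three message-level indicators together.
    suspect = ("blank-subject" in hits and "password-body" in hits
               and any(h.startswith("attachment:") for h in hits))
    return {"hits": hits, "password": password, "members": members,
            "verdict": "suspect" if suspect else "no-match"}


def build_sample() -> bytes:
    """Constructed message resembling the lure, not a real capture.  The ZIP is
    unencrypted (the stdlib cannot write encrypted archives) and holds an inert
    stub named doc_01.exe, not the worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(DROPPED_EXE, b"inert placeholder, not a PE file")
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.org"
    msg["To"] = "victim@example.net"
    msg["Subject"] = ""
    msg.set_content("The password is 67421")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="price_new.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The member check deliberately reads only the central directory, so it works on a password-protected archive without ever extracting the executable; the recovered password is returned for an analyst who wants to detonate the sample in a sandbox, not used by the script.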

The virus copies itself into the Windows System directory as windlhhl.exe. For example:

  • C:\WINDOWS\SYSTEM32\windlhhl.exe

The following Registry value is added to hook system startup (the value name is made of random ASCII characters and may vary):

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "erghgjhgdr" = %SysDir%\windlhhl.exe

Various mutexes are created in an attempt to prevent some W32/Netsky variants running on an infected machine:

  • MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  • 'D'r'o'p'p'e'd'S'k'y'N'e't'
  • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
  • [SkyNet.cz]SystemsMutex
  • AdmSkynetJklS003
  • ____--->>>>U<<<<--____
  • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

The worm opens port 80 (TCP) on the victim machine.

Symptoms

  • Outgoing messages matching the described characteristics
  • Files/Registry keys as described

Method of Infection

Mail Propagation

This virus constructs messages using its own SMTP engine. It may try to download a file containing a list of email addresses to send to, but at the time of writing this file was unavailable.

The virus spoofs the sender address by using a harvested address in the From: field.

The virus avoids sending itself to addresses containing any of the following strings:

  • @eerswqe
  • @derewrdgrs
  • @microsoft
  • rating@
  • f-secur
  • news
  • update
  • anyone@
  • bugs@
  • contract@
  • feste
  • gold-certs@
  • help@
  • info@
  • nobody@
  • noone@
  • kasp
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • sopho
  • @foo
  • @iana
  • free-av
  • @messagelab
  • winzip
  • google
  • winrar
  • samples
  • abuse
  • panda
  • cafee
  • spam
  • pgp
  • @avp.
  • noreply
  • local
  • root@
  • postmaster@

Registry Removal

Under the following registry key

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run

the following values belonging to other worms and security products are deleted:

  • My AV
  • Zone Labs Client Ex
  • 9XHtProtect
  • Antivirus
  • Special Firewall Service
  • service
  • Tiny AV
  • ICQNet
  • HtProtect
  • NetDy
  • Jammer2nd
  • FirewallSvr
  • MsInfo
  • SysMonXP
  • EasyAV
  • PandaAVEngine
  • Norton Antivirus AV
  • KasperskyAVEng
  • SkynetsRevenge
  • ICQ Net

Remote Access Component

The virus listens on TCP port 80 for remote connections. It also attempts to open a file named script1.php on localhost.
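The host-side indicators on this page (the Run value pointing at windlhhl.exe, the security-product Run values the worm deletes, and the TCP port 80 listener) can be checked from a registry export and netstat output rather than by touching a live machine. The following is an added example written for this page, not McAfee's code: the image name, the Run key and the deleted-value list come from the description; the two sample dumps are constructed, not captured from an infection.

```python
"""Host-side triage for the W32/Bagle.bn@MM persistence entry and listener.

Added example, not McAfee's code.  It works on text you capture on the host
(a `reg export` of the HKCU Run key and `netstat -anob` output) instead of
touching the live registry, so it also runs on an analysis box.  The image
name, the Run key and the list of deleted value names come from the
description; the two sample dumps below are constructed, not captured.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_IMAGE = "windlhhl.exe"
# Run value names the description says the worm deletes.
DELETED_BY_WORM = {
    "My AV", "Zone Labs Client Ex", "9XHtProtect", "Antivirus",
    "Special Firewall Service", "service", "Tiny AV", "ICQNet", "HtProtect",
    "NetDy", "Jammer2nd", "FirewallSvr", "MsInfo", "SysMonXP", "EasyAV",
    "PandaAVEngine", "Norton Antivirus AV", "KasperskyAVEng",
    "SkynetsRevenge", "ICQ Net",
}
# One "name"="data" line of a .reg file; backslashes and quotes are escaped.
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Return {key: {value_name: data}} from reg-export text (REG_SZ values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def check_run_key(reg_text: str, expected_names=()) -> dict:
    """Flag Run values whose data ends in the worm image, and report which of
    the security-product values the caller expects on this box are gone."""
    keys = parse_reg_export(reg_text)
    run = next((v for k, v in keys.items() if k.lower() == RUN_KEY.lower()), {})
    persistence = [(name, data) for name, data in run.items()
                   if data.lower().endswith(WORM_IMAGE)]
    missing = sorted(n for n in expected_names
                     if n in DELETED_BY_WORM and n not in run)
    return {"persistence": persistence, "missing_expected": missing}


def find_port80_listeners(netstat_text: str) -> list:
    """From `netstat -anob` output, return (local address, image) pairs for
    TCP listeners on port 80; anything but the expected web server is suspect."""
    owners, pending = [], None
    for line in netstat_text.splitlines():
        cols = line.split()
        if cols and cols[0] in ("TCP", "UDP"):
            listening = (cols[0] == "TCP" and len(cols) >= 4
                         and cols[3] == "LISTENING" and cols[1].endswith(":80"))
            pending = cols[1] if listening else None
        elif pending and line.strip().startswith("["):
            # -b prints the owning image on the line after the socket.
            owners.append((pending, line.strip().strip("[]")))
            pending = None
    return owners


# Constructed samples (not real captures) in the formats the two parsers expect.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"erghgjhgdr"="C:\\WINDOWS\\SYSTEM32\\windlhhl.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1532
 [windlhhl.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
 [svchost.exe]
"""

if __name__ == "__main__":
    print(check_run_key(SAMPLE_REG, expected_names=["KasperskyAVEng", "ctfmon.exe"]))
    print(find_port80_listeners(SAMPLE_NETSTAT))
```

On the suspect host, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and `netstat -anob` (the `-b` switch needs an elevated prompt) produce the two inputs; `expected_names` is the list of security-product Run values you know were present before, since their absence is only meaningful relative to a known-good baseline.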

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.