W32/Kelvir.worm.bh

Type: Virus
SubType: Internet Worm
Discovery Date: 05/21/2005
Length: 17,920 bytes
Minimum DAT: 4497 (05/23/2005)
Updated DAT: 4982 (03/12/2007)
Minimum Engine: 5.1.00
Description Added: 05/21/2005
Description Modified: 05/21/2005 2:01 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This threat was proactively detected as New Malware.h when scanning with program heuristics enabled.

This worm spreads via MSN Messenger (note: not the Windows Messenger service). The worm sends the following message to Contact List recipients:

lol look at this
http://www.freewebs.com/ {blocked} /picture.com
Note: the actual address has been blocked here to prevent infection.

Following the hyperlink in the instant message may result in the worm file being downloaded and subsequently executed by the user. The file name is part of the lure: "picture.com" reads like a web address, but .com is an executable extension on Windows, so opening the download runs it as a program.

At the time of this writing, the picture.com file on the remote site was a new W32/Sdbot.worm variant (containing an AIM spread command).
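The lure above works because the link's last path segment is an executable name dressed up as a domain. As an added example (not code from the original description), the Python below scans constructed IM gateway log lines for links whose final path segment carries an executable extension, keeping the ".com" of a host name such as www.freewebs.com apart from the ".com" of a file such as picture.com, and separately matches the lure text quoted above. The log line format, the sample lines, the path used in place of the blocked address, and the extension list are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# File extensions Windows runs as programs when the downloaded file is opened.
# The worm relies on ".com": "picture.com" reads like a web address but is an
# executable name.  Set chosen here; the page only documents ".com".
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}

# Lure text from the worm's instant message (quoted on this page).
LURE_PATTERN = re.compile(r"\blol\s+look\s+at\s+this\b", re.IGNORECASE)

URL_PATTERN = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def executable_ext(url: str) -> Optional[str]:
    """Return the executable extension of the URL's last path segment, or None.

    Only the path is inspected, so the ".com" in a host name such as
    www.freewebs.com never counts; only a path ending in /picture.com does.
    """
    last = urlparse(url).path.rsplit("/", 1)[-1]
    if "." not in last:
        return None
    ext = "." + last.rsplit(".", 1)[-1].lower()
    return ext if ext in EXECUTABLE_EXTENSIONS else None


def classify_message(text: str) -> dict:
    """Classify one IM message body.

    'suspicious' fires on any link to an executable; 'kelvir_like' also
    requires the lure text, which is what a family-specific rule would use.
    """
    # Strip trailing punctuation that the URL regex swallows ("...setup.exe.").
    urls = [u.rstrip(".,;:!?)") for u in URL_PATTERN.findall(text)]
    exe_links = [u for u in urls if executable_ext(u)]
    lure = bool(LURE_PATTERN.search(text))
    return {
        "urls": urls,
        "executable_links": exe_links,
        "lure_text": lure,
        "suspicious": bool(exe_links),
        "kelvir_like": lure and bool(exe_links),
    }


def scan_im_log(lines):
    """Yield (line, verdict) for every log line with a link to an executable."""
    for line in lines:
        verdict = classify_message(line)
        if verdict["suspicious"]:
            yield line, verdict


# Constructed sample lines in a hypothetical gateway format:
# "<timestamp> <sender> -> <recipient>: <message>".  The freewebs path is a
# placeholder, not the blocked address from the description.
SAMPLE_LOG = [
    "2005-05-21 09:12:01 alice -> bob: lol look at this http://www.freewebs.com/constructed-example/picture.com",
    "2005-05-21 09:12:05 bob -> alice: ? http://www.freewebs.com/",
    "2005-05-21 09:13:10 carol -> dave: holiday pics http://photos.example/album/beach.jpg",
    "2005-05-21 09:14:44 erin -> frank: check this out http://www.example.com/files/setup.exe.",
]

if __name__ == "__main__":
    for line, verdict in scan_im_log(SAMPLE_LOG):
        tag = "KELVIR-LIKE" if verdict["kelvir_like"] else "suspicious"
        print(f"{tag}: {line}\n    executable link(s): {verdict['executable_links']}")
```

The executable-extension test is the durable part of the rule: the lure text changes between variants, but a link whose file name ends in .com, .exe, .scr or .pif sent over IM is worth flagging regardless of the wording around it.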

Symptoms

Windows Messenger or MSN Messenger contacts reporting that you sent them a hyperlink you did not intentionally or knowingly send.

The worm does not create any registry run keys, shortcuts, or otherwise "install" itself on the system.

The worm attempts to terminate the following processes and services (names are reproduced as listed, including duplicates that differ only in case and apparent misspellings such as "Srvice" and "Moniter"):

  • F-STOPW
  • wscsvc
  • SharedAccess
  • Event Log
  • Zonealarm
  • TrueVector Internet Monitor
  • Norton Antivirus Auto Protect Service
  • Norton Internet Security Accounts Manager
  • Norton Internet Security Proxy Service
  • Norton Internet Security Service
  • Norton AntiVirus Server
  • Norton AntiVirus Auto Protect Service
  • Norton AntiVirus Client
  • Symantec AntiVirus Client
  • McShield
  • IPSEC Policy Agent
  • DefWatch
  • WMDM PMSP Service
  • F-PROT95
  • Symantec Proxy Service
  • Symantec Event Manager
  • Norton AntiVirus Corporate Edition
  • ViRobot Professional Monitoring
  • ViRobot Expert Monitoring
  • savroam
  • symantec antivirus
  • ViRobot Lite Monitoring
  • Sophos Anti-Virus Network
  • PC-cillin Personal Firewall
  • Trend Micro Proxy Service
  • Trend NT Realtime Service
  • McAfee.com McShield
  • McAfee.com VirusScan Online Realtime Engine
  • McAfee Agent
  • SyGateService
  • Sygate Personal Firewall Pro
  • Sophos Anti-Virus
  • eTrust Antivirus Job Server
  • eTrust Antivirus Realtime Server
  • eTrust Antivirus RPC Server
  • V3MonNT
  • V3MonSvc
  • Quick Heal Online Protection
  • Kaspersky
  • Kaspersky Anti-Virus
  • Kaspersky Antivirus
  • Kaspersky Client
  • kaspersky auto protect service
  • kav
  • AVG6 Service
  • AVP32
  • LOCKDOWN2000
  • AVP.EXE
  • CFINET32
  • CFINET
  • ICMON
  • SAFEWEB
  • WEBSCANX
  • ANTIVIR
  • MCAFEE
  • NORTON
  • NVC95
  • FP-WIN
  • IOMON98
  • PCCWIN98
  • NAVWNT
  • NAVRUNR
  • NAVLU32
  • NAVAPSVC
  • NISUM
  • SYMPROXYSVC
  • RESCUE32
  • NISSERV
  • ATRACK
  • IAMAPP
  • LUCOMSERVER
  • LUALL
  • NMAIN
  • NAVW32
  • NAVAPW32
  • VSSTAT
  • VSHWIN32
  • AVSYNMGR
  • AVCONSOL
  • WEBTRAP
  • POP3TRAP
  • PCCMAIN
  • PCCIOMON
  • MonSvcNT
  • rising process communication center
  • rising realtime monitor service
  • OfficeScanNT Monitor
  • RemoteAgent
  • Panda Antivirus
  • ZoneAlarm
  • Detector de OfficeScanNT
  • iroff
  • servu
  • Norton Internet Security Proxy Srvice
  • Norton Internet Security service
  • Sygate Personal Firewall
  • Security Center
  • Windows Firewall
  • Windows Internet Connection Sharing(ICS)
  • NAV Alert
  • NAV Auto-Protect
  • config loader
  • ScriptBlocking Service
  • Background Intelligent Transfer Service
  • System Event Notification
  • BlackICE
  • AVSync Manager
  • officescannt realtime scan
  • officescannt listener
  • services32 service: msinit
  • msinit
  • task manager
  • AVP control center service
  • KAV Moniter Service
  • P2P Networking
  • gear security
  • MastDLL
  • MsInt
  • MsIntScan
  • FireBall
  • FireBaum
  • Eventask
  • InternetFirewallProc
  • Serv-U
  • mcafee framework service
  • mcshield
  • secur2
  • avast! iavs4 control service
  • avast! antivirus
  • fix-it task manager
  • dllhost
  • dns
  • fxsvc
  • nvscv
  • outpost firewall service
  • scvhost
  • syslock
  • snake sockproxy service
  • msclol2
  • msclol8
  • systemsecuritydll
  • vnc server
  • intel pds
  • intel file transfer
  • internet pr0tocol
  • smss
  • rundll
  • serv-u-ftp
  • Norton Unerase Protection
  • AVG7 Alert Manager Server
  • AVG7 Update Service
  • kerio personal firewall
  • Rising Process Communication Center
  • Rising Realtime Monitor Service
  • Kingsoft AntiVirus Service
  • VNC server
  • Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
  • symantec central quarantine
  • symantec quarantine agent
  • symantec quarantine scanner
  • psexesvc
  • etrust antivirus rpc server
  • etrust antivirus realtime server
  • etrust antivirus job server
  • remotely possible/32
  • win32sl
  • altiris client service
  • pcanywhere host service
  • carbon copy access edition
  • directupdate engine
  • noipducservice
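The list mixes third-party products with Windows services every XP host has (Security Center, Windows Firewall/SharedAccess, Event Log), so a burst of stops across these names is a usable host-side indicator even where no named AV product is installed. As an added example (not code from the original description), the Python below parses constructed System log lines in a format approximating Service Control Manager event 7036 ("The X service entered the stopped state.") and flags several targeted services stopping within a short window. The log line format, the sample lines, the 60-second window, the threshold of three, the subset of names embedded from the list above, and the SP2 display name "Windows Firewall/Internet Connection Sharing (ICS)" for SharedAccess are assumptions.

```python
import re
from datetime import datetime, timedelta

# Subset of the service names the worm tries to stop, taken from the list on
# this page and lower-cased.  The worm's list mixes case ("McShield" and
# "mcshield", "Zonealarm" and "ZoneAlarm"), so matching is case-insensitive.
TARGETED_SERVICES = {
    "security center", "windows firewall", "event log", "sharedaccess", "wscsvc",
    "ipsec policy agent", "background intelligent transfer service",
    "system event notification", "mcshield", "mcafee framework service",
    "symantec antivirus", "norton antivirus auto protect service",
    "kaspersky anti-virus", "avg7 alert manager server",
    "outpost firewall service", "kerio personal firewall",
    "sygate personal firewall",
    "internet connection firewall (icf) / internet connection sharing (ics)",
}

# Display name XP SP2 logs for the SharedAccess service (assumption about the
# log source, not a string from the worm's list).
TARGETED_SERVICES.add("windows firewall/internet connection sharing (ics)")

# Services present on every Windows XP host; their stopping is suspicious even
# where no third-party product is installed.
BUILTIN_TARGETS = {
    "security center", "windows firewall", "sharedaccess", "wscsvc", "event log",
    "windows firewall/internet connection sharing (ics)",
}

# Constructed line format approximating a System log export of SCM event 7036:
# "<timestamp>  7036 The <display name> service entered the <state> state."
SCM_EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+7036\s+"
    r"The (?P<name>.+?) service entered the (?P<state>running|stopped) state\.$"
)


def parse_stops(lines):
    """Return time-ordered (timestamp, lower-cased display name) stop events."""
    stops = []
    for line in lines:
        m = SCM_EVENT.match(line.strip())
        if m and m.group("state") == "stopped":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            stops.append((ts, m.group("name").lower()))
    return sorted(stops)


def detect_service_kill(lines, window=timedelta(seconds=60), threshold=3):
    """Flag a burst of targeted security services stopping within `window`.

    One stopped service is routine; several distinct names from the target
    list inside a minute is the worm's kill loop.
    """
    hits = [(ts, name) for ts, name in parse_stops(lines) if name in TARGETED_SERVICES]
    best = set()
    start = 0
    for end in range(len(hits)):  # sliding window over time-ordered hits
        while hits[end][0] - hits[start][0] > window:
            start += 1
        names = {name for _, name in hits[start:end + 1]}
        if len(names) > len(best):
            best = names
    return {
        "alert": len(best) >= threshold,
        "stopped_targets": sorted(best),
        "builtin_targets_stopped": sorted(best & BUILTIN_TARGETS),
    }


# Constructed sample: an infected host at 10:15, plus benign noise later.
SAMPLE_SYSTEM_LOG = [
    "2005-05-21 10:15:02  7036 The Security Center service entered the stopped state.",
    "2005-05-21 10:15:02  7036 The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.",
    "2005-05-21 10:15:03  7036 The McShield service entered the stopped state.",
    "2005-05-21 10:15:03  7036 The Event Log service entered the stopped state.",
    "2005-05-21 11:40:00  7036 The Print Spooler service entered the stopped state.",
    "2005-05-21 11:40:05  7036 The Print Spooler service entered the running state.",
]

# Constructed sample: a single AV service restart, which should not alert.
BENIGN_LOG = [
    "2005-05-21 08:00:00  7036 The McShield service entered the stopped state.",
    "2005-05-21 08:30:00  7036 The McShield service entered the running state.",
]

if __name__ == "__main__":
    print(detect_service_kill(SAMPLE_SYSTEM_LOG))
    print(detect_service_kill(BENIGN_LOG))
```

Because Event Log is itself on the target list, its stop is usually the last event the host records, and the burst you see in the log is truncated at that point; anything the worm does afterwards has to be found by other means (the IM traffic, or the missing services on a live host).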

Method of Infection

This worm spreads by sending Windows Messenger or MSN Messenger contacts a hyperlink pointing to a web site hosting the worm.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.