McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Net-Worm.Win32.Mytob.bf (AVP)

• W32.Mytob.DL@mm (Symantec)

• W32/Mytob-U (Sophos)

• W32/Mytob.EP.worm (Panda)

• Win32.Mytob.EC (CA)

• WORM_MYTOB.DX (Trend)

Characteristics

This detection is for a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality.

Mail Propagation

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the apparent sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server saying that you are infected, which may not be the case.

Subject: (Varies, such as)

• Notice: **Last Warning**
• *DETECTED* Online User Violation
• Your Email Account is Suspended For Security Reasons
• Account Alert
• Important Notification
• *WARNING* Your Email Account Will Be Closed
• Security measures
• Email Account Suspension
• Notice of account limitation

Body:  (Varies, such as) 

• Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
• The original message has been included as an attachment.
• We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
• We attached some important information regarding your account.
• Please read the attached document and follow it's instructions.

Attachment: (Varies - chooses from the following list of prefaces)

• email-info
• email-doc
• information
• account-details
• document
• INFO
• instructions
• info-text
• information

The attachment name may have one or two file extensions, in which case multiple spaces may be inserted as well, for example:

• document.htm  (many spaces)  .pif

Extensions: (Varies, chooses from the following list)

First extension:

• tmp
• doc
• htm
• txt

Final extension:

• pif
• scr
• exe
• cmd
• bat

These are examples of common names, but they can also be random.  The file may also arrive in a ZIP archive.

Installation

When the attachment is run, the virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as LienVdK.exe .

The Hosts file (typically found in C:\Windows\System32\Drivers\etc\) is also appended to direct several security websites to the local host, so they cannot be accessed. This file is detected and cleaned as Qhosts.apd.

Registry keys are created to load the worm at startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  RunServices "http://www.lienvandekelder.be" = LienVdK.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "http://www.lienvandekelder.be" = LienVdK.exe

Additional the following value is set:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start" = 4

Symptoms

The Sdbot functionality in the worm is designed to contact the following IRC server, join a specified channel, and wait for further instructions:

• irc.blackcarder.net (on TCP port 4512)

The following processes are terminated:

ACKWIN32.EXE

ADAWARE.EXE

ADVXDWIN.EXE

AGENTSVR.EXE

AGENTW.EXE

ALERTSVC.EXE

ALEVIR.EXE

ALOGSERV.EXE

AMON9X.EXE

ANTI-TROJAN.EXE

ANTIVIRUS.EXE

ANTS.EXE

APIMONITOR.EXE

APLICA32.EXE

APVXDWIN.EXE

ARR.EXE

ATCON.EXE

ATGUARD.EXE

ATRO55EN.EXE

ATUPDATER.EXE

ATUPDATER.EXE

ATWATCH.EXE

AU.EXE

AUPDATE.EXE

AUPDATE.EXE

AUTODOWN.EXE

AUTODOWN.EXE

AUTOTRACE.EXE

AUTOTRACE.EXE

AUTOUPDATE.EXE

AUTOUPDATE.EXE

AVCONSOL.EXE

AVE32.EXE

AVGCC32.EXE

AVGCTRL.EXE

AVGNT.EXE

AVGSERV.EXE

AVGSERV9.EXE

AVGUARD.EXE

AVGW.EXE

AVKPOP.EXE

AVKSERV.EXE

AVKSERVICE.EXE

AVKWCTl9.EXE

AVLTMAIN.EXE

AVNT.EXE

AVP.EXE

AVP32.EXE

AVPCC.EXE

AVPDOS32.EXE

AVPM.EXE

AVPTC32.EXE

AVPUPD.EXE

AVPUPD.EXE

AVSCHED32.EXE

AVSYNMGR.EXE

AVWINNT.EXE

AVWUPD.EXE

AVWUPD32.EXE

AVWUPD32.EXE

AVWUPSRV.EXE

AVXMONITOR9X.EXE

AVXMONITORNT.EXE

AVXQUAR.EXE

AVXQUAR.EXE

BACKWEB.EXE

BARGAINS.EXE

BD_PROFESSIONAL.EXE

BEAGLE.EXE

BELT.EXE

BIDEF.EXE

BIDSERVER.EXE

BIPCP.EXE

BIPCPEVALSETUP.EXE

BISP.EXE

BLACKD.EXE

BLACKICE.EXE

BLSS.EXE

BOOTCONF.EXE

BOOTWARN.EXE

BORG2.EXE

BPC.EXE

BRASIL.EXE

BS120.EXE

BUNDLE.EXE

BVT.EXE

CCAPP.EXE

CCEVTMGR.EXE

CCPXYSVC.EXE

CDP.EXE

CFD.EXE

CFGWIZ.EXE

CFIADMIN.EXE

CFIAUDIT.EXE

CFIAUDIT.EXE

CFINET.EXE

CFINET32.EXE

CLEAN.EXE

CLEANER.EXE

CLEANER3.EXE

CLEANPC.EXE

CLICK.EXE

CMD32.EXE

CMESYS.EXE

CMGRDIAN.EXE

CMON016.EXE

CONNECTIONMONITOR.EXE

CPD.EXE

CPF9X206.EXE

CPFNT206.EXE

CTRL.EXE

CV.EXE

CWNB181.EXE

CWNTDWMO.EXE

CLAW95CF.EXE

DATEMANAGER.EXE

DCOMX.EXE

DEFALERT.EXE

DEFSCANGUI.EXE

DEFWATCH.EXE

DEPUTY.EXE

DIVX.EXE

DLLCACHE.EXE

DLLREG.EXE

DOORS.EXE

DPF.EXE

DPFSETUP.EXE

DPPS2.EXE

DRWATSON.EXE

DRWEB32.EXE

DRWEBUPW.EXE

DSSAGENT.EXE

DVP95.EXE

DVP95_0.EXE

ECENGINE.EXE

EFPEADM.EXE

EMSW.EXE

ENT.EXE

ESAFE.EXE

ESCANHNT.EXE

ESCANV95.EXE

ESPWATCH.EXE

ETHEREAL.EXE

ETRUSTCIPE.EXE

EVPN.EXE

EXANTIVIRUS-CNET.EXE

EXE.AVXW.EXE

EXPERT.EXE

EXPLORE.EXE

F-PROT.EXE

F-PROT95.EXE

F-STOPW.EXE

FAMEH32.EXE

FAST.EXE

FCH32.EXE

FIH32.EXE

FINDVIRU.EXE

FIREWALL.EXE

FNRB32.EXE

FP-WIN.EXE

FP-WIN_TRIAL.EXE

FPROT.EXE

FRW.EXE

FSAA.EXE

FSAV.EXE

FSAV32.EXE

FSAV530STBYB.EXE

FSAV530WTBYB.EXE

FSAV95.EXE

FSGK32.EXE

FSM32.EXE

FSMA32.EXE

FSMB32.EXE

GATOR.EXE

GBMENU.EXE

GBPOLL.EXE

GENERICS.EXE

GMT.EXE

GUARD.EXE

GUARDDOG.EXE

HACKTRACERSETUP.EXE

HBINST.EXE

HBSRV.EXE

HOTACTIO.EXE

HOTPATCH.EXE

HTLOG.EXE

HTPATCH.EXE

HWPE.EXE

HXDL.EXE

HXIUL.EXE

IAMAPP.EXE

IAMSERV.EXE

IAMSTATS.EXE

IBMASN.EXE

IBMAVSP.EXE

ICLOADNT.EXE

ICMON.EXE

ICSUPP95.EXE

ICSUPPNT.EXE

IDLE.EXE

IEDLL.EXE

IEDRIVER.EXE

IEXPLORER.EXE

IFACE.EXE

IFW2000.EXE

INETLNFO.EXE

INFUS.EXE

INFWIN.EXE

INIT.EXE

INTDEL.EXE

INTREN.EXE

IOMON98.EXE

ISTSVC.EXE

JAMMER.EXE

JDBGMRG.EXE

JEDI.EXE

KAVLITE40ENG.EXE

KAVPERS40ENG.EXE

KAVPF.EXE

KAZZA.EXE

KEENVALUE.EXE

KERIO-PF-213-EN-WIN.EXE

KERIO-WRL-421-EN-WIN.EXE

KERIO-WRP-421-EN-WIN.EXE

KERNEL32.EXE

KILLPROCESSSETUP161.EXE

LAUNCHER.EXE

LDNETMON.EXE

LDPRO.EXE

LDPROMENU.EXE

LDSCAN.EXE

LNETINFO.EXE

LOADER.EXE

LOCALNET.EXE

LOCKDOWN.EXE

LOCKDOWN2000.EXE

LOOKOUT.EXE

LORDPE.EXE

LSETUP.EXE

LUALL.EXE

LUALL.EXE

LUAU.EXE

LUCOMSERVER.EXE

LUINIT.EXE

LUSPT.EXE

MAPISVC32.EXE

MCAGENT.EXE

MCMNHDLR.EXE

MCSHIELD.EXE

MCTOOL.EXE

MCUPDATE.EXE

MCUPDATE.EXE

MCVSRTE.EXE

MCVSSHLD.EXE

MD.EXE

MFIN32.EXE

MFW2EN.EXE

MFWENG3.02D30.EXE

MGAVRTCL.EXE

MGAVRTE.EXE

MGHTML.EXE

MGUI.EXE

MINILOG.EXE

MMOD.EXE

MONITOR.EXE

MOOLIVE.EXE

MOSTAT.EXE

MPFAGENT.EXE

MPFSERVICE.EXE

MPFTRAY.EXE

MRFLUX.EXE

MSAPP.EXE

MSBB.EXE

MSBLAST.EXE

MSCACHE.EXE

MSCCN32.EXE

MSCMAN.EXE

MSCONFIG.EXE

MSDM.EXE

MSDOS.EXE

MSIEXEC16.EXE

MSINFO32.EXE

MSLAUGH.EXE

MSMGT.EXE

MSMSGRI32.EXE

MSSMMC32.EXE

MSSYS.EXE

MSVXD.EXE

MU0311AD.EXE

MWATCH.EXE

N32SCANW.EXE

NAV.EXE

AUTO-PROTECT.NAV80TRY.EXE

NAVAP.NAVAPSVC.EXE

NAVAPSVC.EXE

NAVAPW32.EXE

NAVDX.EXE

NAVLU32.EXE

NAVNT.EXE

NAVSTUB.EXE

NAVW32.EXE

NAVWNT.EXE

NC2000.EXE

NCINST4.EXE

NDD32.EXE

NEOMONITOR.EXE

NEOWATCHLOG.EXE

NETARMOR.EXE

NETD32.EXE

NETINFO.EXE

NETMON.EXE

NETSCANPRO.EXE

NETSPYHUNTER-1.2.EXE

NETSTAT.EXE

NETUTILS.EXE

NISSERV.EXE

NISUM.EXE

NMAIN.EXE

NOD32.EXE

NORMIST.EXE

NORTON_INTERNET_SECU_3.0_407.EXE

NOTSTART.EXE

NPF40_TW_98_NT_ME_2K.EXE

NPFMESSENGER.EXE

NPROTECT.EXE

NPSCHECK.EXE

NPSSVC.EXE

NSCHED32.EXE

NSSYS32.EXE

NSTASK32.EXE

NSUPDATE.EXE

NT.EXE

NTRTSCAN.EXE

NTVDM.EXE

NTXconfig.EXE

NUI.EXE

NUPGRADE.EXE

NUPGRADE.EXE

NVARCH16.EXE

NVC95.EXE

NVSVC32.EXE

NWINST4.EXE

NWSERVICE.EXE

NWTOOL16.EXE

OLLYDBG.EXE

ONSRVR.EXE

OPTIMIZE.EXE

OSTRONET.EXE

OTFIX.EXE

OUTPOST.EXE

OUTPOST.EXE

OUTPOSTINSTALL.EXE

OUTPOSTPROINSTALL.EXE

PADMIN.EXE

PANIXK.EXE

PATCH.EXE

PAVCL.EXE

PAVPROXY.EXE

PAVSCHED.EXE

PAVW.EXE

PCFWALLICON.EXE

PCIP10117_0.EXE

PCSCAN.EXE

PDSETUP.EXE

PERISCOPE.EXE

PERSFW.EXE

PERSWF.EXE

PF2.EXE

PFWADMIN.EXE

PGMONITR.EXE

PINGSCAN.EXE

PLATIN.EXE

POP3TRAP.EXE

POPROXY.EXE

POPSCAN.EXE

PORTDETECTIVE.EXE

PORTMONITOR.EXE

POWERSCAN.EXE

PPINUPDT.EXE

PPTBC.EXE

PPVSTOP.EXE

PRIZESURFER.EXE

PRMT.EXE

PRMVR.EXE

PROCDUMP.EXE

PROCESSMONITOR.EXE

PROCEXPLORERV1.0.EXE

PROGRAMAUDITOR.EXE

PROPORT.EXE

PROTECTX.EXE

PSPF.EXE

PURGE.EXE

QCONSOLE.EXE

QSERVER.EXE

RAPAPP.EXE

RAV7.EXE

RAV7WIN.EXE

RAV8WIN32ENG.EXE

RAY.EXE

RB32.EXE

RCSYNC.EXE

REALMON.EXE

REGED.EXE

REGEDIT.EXE

REGEDT32.EXE

RESCUE.EXE

RESCUE32.EXE

RRGUARD.EXE

RSHELL.EXE

RTVSCAN.EXE

RTVSCN95.EXE

RULAUNCH.EXE

RUN32DLL.EXE

RUNDLL.EXE

RUNDLL16.EXE

RUXDLL32.EXE

SAFEWEB.EXE

SAHAGENT.EXE

SAVE.EXE

SAVENOW.EXE

SBSERV.EXE

SC.EXE

SCAM32.EXE

SCAN32.EXE

SCAN95.EXE

SCANPM.EXE

SCRSCAN.EXE

SETUPVAMEEVAL.EXE

SETUP_FLOWPROTECTOR_US.EXE

SFC.EXE

SGSSFW32.EXE

SH.EXE

SHELLSPYINSTALL.EXE

SHN.EXE

SHOWBEHIND.EXE

SMC.EXE

SMS.EXE

SMSS32.EXE

SOAP.EXE

SOFI.EXE

SPERM.EXE

SPF.EXE

SPHINX.EXE

SPOLER.EXE

SPOOLCV.EXE

SPOOLSV32.EXE

SPYXX.EXE

SREXE.EXE

SRNG.EXE

SS3EDIT.EXE

SSGRATE.EXE

SSG_4104.EXE

ST2.EXE

START.EXE

STCLOADER.EXE

SUPFTRL.EXE

SUPPORT.EXE

SUPPORTER5.EXE

SVC.EXE

SVCHOSTC.EXE

SVCHOSTS.EXE

SVSHOST.EXE

SWEEP95.EXE

SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE

SYMPROXYSVC.EXE

SYMTRAY.EXE

SYSEDIT.EXE

SYSTEM.EXE

SYSTEM32.EXE

SYSUPD.EXE

TASKMG.EXE

TASKMO.EXE

TASKMON.EXE

TAUMON.EXE

TBSCAN.EXE

TC.EXE

TCA.EXE

TCM.EXE

TDS-3.EXE

TDS2-NT.EXE

TEEKIDS.EXE

TFAK.EXE

TFAK5.EXE

TGBOB.EXE

TITANIN.EXE

TITANINXP.EXE

TRACERT.EXE

TRICKLER.EXE

TRJSCAN.EXE

TRJSETUP.EXE

TROJANTRAP3.EXE

TSADBOT.EXE

TVMD.EXE

TVTMD.EXE

UNDOBOOT.EXE

UPDAT.EXE

UPDATE.EXE

UPDATE.EXE

UPGRAD.EXE

UTPOST.EXE

VBCMSERV.EXE

VBCONS.EXE

VBUST.EXE

VBWIN9X.EXE

VBWINNTW.EXE

VCSETUP.EXE

VET32.EXE

VET95.EXE

VETTRAY.EXE

VFSETUP.EXE

VIR-HELP.EXE

VIRUSMDPERSONALFIREWALL.EXE

VNLAN300.EXE

VNPC3000.EXE

VPC32.EXE

VPC42.EXE

VPFW30S.EXE

VPTRAY.EXE

VSCAN40.EXE

VSCENU6.02D30.EXE

VSCHED.EXE

VSECOMR.EXE

VSHWIN32.EXE

VSISETUP.EXE

VSMAIN.EXE

VSMON.EXE

VSSTAT.EXE

VSWIN9XE.EXE

VSWINNTSE.EXE

VSWINPERSE.EXE

W32DSM89.EXE

W9X.EXE

WATCHDOG.EXE

WEBDAV.EXE

WEBSCANX.EXE

WEBTRAP.EXE

WFINDV32.EXE

WHOSWATCHINGME.EXE

WIMMUN32.EXE

WIN-BUGSFIX.EXE

WIN32.EXE

WIN32US.EXE

WINACTIVE.EXE

WINDOW.EXE

WINDOWS.EXE

WININETD.EXE

WININIT.EXE

WININITX.EXE

WINLOGIN.EXE

WINMAIN.EXE

WINNET.EXE

WINPPR32.EXE

WINRECON.EXE

WINSERVN.EXE

WINSSK32.EXE

WINSTART.EXE

WINSTART001.EXE

WINTSK32.EXE

WINUPDATE.EXE

WKUFIND.EXE

WNAD.EXE

WNT.EXE

WRADMIN.EXE

WRCTRL.EXE

WSBGATE.EXE

WUPDATER.EXE

WUPDT.EXE

WYVERNWORKSFIREWALL.EXE

XPF202EN.EXE

ZAPRO.EXE

ZAPSETUP3001.EXE

ZATUTOR.EXE

ZONALM2601.EXE

ZONEALARM.EXE

_AVP32.EXE

_AVPCC.EXE

_AVPM.EXE

CMD.EXE

TASKMGR.EXE

Method of Infection

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

• txt
• htm
• sht
• jsp
• cgi
• xml
• php
• asp
• dbx
• tbb
• adb
• pl
• wab

The worm avoids certain address, those using the following strings:

• avp
• syma
• icrosof
• msn.
• hotmail
• panda
• sopho
• borlan
• inpris
• example
• mydomai
• nodomai
• ruslis
• .gov
• gov.
• .mil
• foo.
• berkeley
• unix
• math
• bsd
• mit.e
• gnu
• fsf.
• ibm.com
• google
• kernel
• linux
• fido
• usenet
• iana
• ietf
• rfc-ed
• sendmail
• arin.
• ripe.
• isi.e
• isc.o
• secur
• acketst
• pgp
• tanford.e
• utgers.ed
• mozilla
• be_loyal:
• A
• root
• info
• samples
• postmaster
• webmaster
• noone
• nobody
• nothing
• anyone
• someone
• your
• you
• me
• bugs
• rating
• site
• contact
• soft
• no
• somebody
• privacy
• service
• help
• not
• submit
• feste
• ca
• gold-certs
• the.bat
• page
• admin
• icrosoft
• support
• ntivi
• unix
• bsd
• linux
• listserv
• certific
• google
• accoun
• spm
• fcnz
• www
• secur
• abuse
• @
• support
• administrator
• mail
• service
• admin
• info
• register
• webmaster

Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

• john
• john
• alex
• michael
• james
• mike
• kevin
• david
• george
• sam
• andrew
• jose
• leo
• maria
• jim
• brian
• serg
• mary
• ray
• tom
• peter
• robert
• bob
• jane
• joe
• dan
• dave
• matt
• steve
• smith
• stan
• bill
• bob
• jack
• fred
• ted
• adam
• brent
• alice
• anna
• brenda
• claudia
• debby
• helen
• jerry
• jimmy
• julie
• linda
• sam

Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine.  The worm guesses the recipient email server, prepending the target domain name with the following strings:

• mx.
• mail.
• smtp.
• mx1.
• mxs.
• mail1.
• relay.
• ns.
• gate.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Net-Worm.Win32.Mytob.bf (AVP)

• W32.Mytob.DL@mm (Symantec)

• W32/Mytob-U (Sophos)

• W32/Mytob.EP.worm (Panda)

• Win32.Mytob.EC (CA)

• WORM_MYTOB.DX (Trend)

Characteristics

Characteristics -

This detection is for a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality.

Mail Propagation

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the apparent sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server saying that you are infected, which may not be the case.

Subject: (Varies, such as)

• Notice: **Last Warning**
• *DETECTED* Online User Violation
• Your Email Account is Suspended For Security Reasons
• Account Alert
• Important Notification
• *WARNING* Your Email Account Will Be Closed
• Security measures
• Email Account Suspension
• Notice of account limitation

Body:  (Varies, such as) 

• Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal.
• The original message has been included as an attachment.
• We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
• We attached some important information regarding your account.
• Please read the attached document and follow it's instructions.

Attachment: (Varies - chooses from the following list of prefaces)

• email-info
• email-doc
• information
• account-details
• document
• INFO
• instructions
• info-text
• information

The attachment name may have one or two file extensions, in which case multiple spaces may be inserted as well, for example:

• document.htm  (many spaces)  .pif

Extensions: (Varies, chooses from the following list)

First extension:

• tmp
• doc
• htm
• txt

Final extension:

• pif
• scr
• exe
• cmd
• bat

These are examples of common names, but they can also be random.  The file may also arrive in a ZIP archive.

Installation

When the attachment is run, the virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as LienVdK.exe .

The Hosts file (typically found in C:\Windows\System32\Drivers\etc\) is also appended to direct several security websites to the local host, so they cannot be accessed. This file is detected and cleaned as Qhosts.apd.

Registry keys are created to load the worm at startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  RunServices "http://www.lienvandekelder.be" = LienVdK.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "http://www.lienvandekelder.be" = LienVdK.exe

Additional the following value is set:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start" = 4

Symptoms

Symptoms -

The Sdbot functionality in the worm is designed to contact the following IRC server, join a specified channel, and wait for further instructions:

• irc.blackcarder.net (on TCP port 4512)

The following processes are terminated:

ACKWIN32.EXE

ADAWARE.EXE

ADVXDWIN.EXE

AGENTSVR.EXE

AGENTW.EXE

ALERTSVC.EXE

ALEVIR.EXE

ALOGSERV.EXE

AMON9X.EXE

ANTI-TROJAN.EXE

ANTIVIRUS.EXE

ANTS.EXE

APIMONITOR.EXE

APLICA32.EXE

APVXDWIN.EXE

ARR.EXE

ATCON.EXE

ATGUARD.EXE

ATRO55EN.EXE

ATUPDATER.EXE

ATUPDATER.EXE

ATWATCH.EXE

AU.EXE

AUPDATE.EXE

AUPDATE.EXE

AUTODOWN.EXE

AUTODOWN.EXE

AUTOTRACE.EXE

AUTOTRACE.EXE

AUTOUPDATE.EXE

AUTOUPDATE.EXE

AVCONSOL.EXE

AVE32.EXE

AVGCC32.EXE

AVGCTRL.EXE

AVGNT.EXE

AVGSERV.EXE

AVGSERV9.EXE

AVGUARD.EXE

AVGW.EXE

AVKPOP.EXE

AVKSERV.EXE

AVKSERVICE.EXE

AVKWCTl9.EXE

AVLTMAIN.EXE

AVNT.EXE

AVP.EXE

AVP32.EXE

AVPCC.EXE

AVPDOS32.EXE

AVPM.EXE

AVPTC32.EXE

AVPUPD.EXE

AVPUPD.EXE

AVSCHED32.EXE

AVSYNMGR.EXE

AVWINNT.EXE

AVWUPD.EXE

AVWUPD32.EXE

AVWUPD32.EXE

AVWUPSRV.EXE

AVXMONITOR9X.EXE

AVXMONITORNT.EXE

AVXQUAR.EXE

AVXQUAR.EXE

BACKWEB.EXE

BARGAINS.EXE

BD_PROFESSIONAL.EXE

BEAGLE.EXE

BELT.EXE

BIDEF.EXE

BIDSERVER.EXE

BIPCP.EXE

BIPCPEVALSETUP.EXE

BISP.EXE

BLACKD.EXE

BLACKICE.EXE

BLSS.EXE

BOOTCONF.EXE

BOOTWARN.EXE

BORG2.EXE

BPC.EXE

BRASIL.EXE

BS120.EXE

BUNDLE.EXE

BVT.EXE

CCAPP.EXE

CCEVTMGR.EXE

CCPXYSVC.EXE

CDP.EXE

CFD.EXE

CFGWIZ.EXE

CFIADMIN.EXE

CFIAUDIT.EXE

CFIAUDIT.EXE

CFINET.EXE

CFINET32.EXE

CLEAN.EXE

CLEANER.EXE

CLEANER3.EXE

CLEANPC.EXE

CLICK.EXE

CMD32.EXE

CMESYS.EXE

CMGRDIAN.EXE

CMON016.EXE

CONNECTIONMONITOR.EXE

CPD.EXE

CPF9X206.EXE

CPFNT206.EXE

CTRL.EXE

CV.EXE

CWNB181.EXE

CWNTDWMO.EXE

CLAW95CF.EXE

DATEMANAGER.EXE

DCOMX.EXE

DEFALERT.EXE

DEFSCANGUI.EXE

DEFWATCH.EXE

DEPUTY.EXE

DIVX.EXE

DLLCACHE.EXE

DLLREG.EXE

DOORS.EXE

DPF.EXE

DPFSETUP.EXE

DPPS2.EXE

DRWATSON.EXE

DRWEB32.EXE

DRWEBUPW.EXE

DSSAGENT.EXE

DVP95.EXE

DVP95_0.EXE

ECENGINE.EXE

EFPEADM.EXE

EMSW.EXE

ENT.EXE

ESAFE.EXE

ESCANHNT.EXE

ESCANV95.EXE

ESPWATCH.EXE

ETHEREAL.EXE

ETRUSTCIPE.EXE

EVPN.EXE

EXANTIVIRUS-CNET.EXE

EXE.AVXW.EXE

EXPERT.EXE

EXPLORE.EXE

F-PROT.EXE

F-PROT95.EXE

F-STOPW.EXE

FAMEH32.EXE

FAST.EXE

FCH32.EXE

FIH32.EXE

FINDVIRU.EXE

FIREWALL.EXE

FNRB32.EXE

FP-WIN.EXE

FP-WIN_TRIAL.EXE

FPROT.EXE

FRW.EXE

FSAA.EXE

FSAV.EXE

FSAV32.EXE

FSAV530STBYB.EXE

FSAV530WTBYB.EXE

FSAV95.EXE

FSGK32.EXE

FSM32.EXE

FSMA32.EXE

FSMB32.EXE

GATOR.EXE

GBMENU.EXE

GBPOLL.EXE

GENERICS.EXE

GMT.EXE

GUARD.EXE

GUARDDOG.EXE

HACKTRACERSETUP.EXE

HBINST.EXE

HBSRV.EXE

HOTACTIO.EXE

HOTPATCH.EXE

HTLOG.EXE

HTPATCH.EXE

HWPE.EXE

HXDL.EXE

HXIUL.EXE

IAMAPP.EXE

IAMSERV.EXE

IAMSTATS.EXE

IBMASN.EXE

IBMAVSP.EXE

ICLOADNT.EXE

ICMON.EXE

ICSUPP95.EXE

ICSUPPNT.EXE

IDLE.EXE

IEDLL.EXE

IEDRIVER.EXE

IEXPLORER.EXE

IFACE.EXE

IFW2000.EXE

INETLNFO.EXE

INFUS.EXE

INFWIN.EXE

INIT.EXE

INTDEL.EXE

INTREN.EXE

IOMON98.EXE

ISTSVC.EXE

JAMMER.EXE

JDBGMRG.EXE

JEDI.EXE

KAVLITE40ENG.EXE

KAVPERS40ENG.EXE

KAVPF.EXE

KAZZA.EXE

KEENVALUE.EXE

KERIO-PF-213-EN-WIN.EXE

KERIO-WRL-421-EN-WIN.EXE

KERIO-WRP-421-EN-WIN.EXE

KERNEL32.EXE

KILLPROCESSSETUP161.EXE

LAUNCHER.EXE

LDNETMON.EXE

LDPRO.EXE

LDPROMENU.EXE

LDSCAN.EXE

LNETINFO.EXE

LOADER.EXE

LOCALNET.EXE

LOCKDOWN.EXE

LOCKDOWN2000.EXE

LOOKOUT.EXE

LORDPE.EXE

LSETUP.EXE

LUALL.EXE

LUALL.EXE

LUAU.EXE

LUCOMSERVER.EXE

LUINIT.EXE

LUSPT.EXE

MAPISVC32.EXE

MCAGENT.EXE

MCMNHDLR.EXE

MCSHIELD.EXE

MCTOOL.EXE

MCUPDATE.EXE

MCUPDATE.EXE

MCVSRTE.EXE

MCVSSHLD.EXE

MD.EXE

MFIN32.EXE

MFW2EN.EXE

MFWENG3.02D30.EXE

MGAVRTCL.EXE

MGAVRTE.EXE

MGHTML.EXE

MGUI.EXE

MINILOG.EXE

MMOD.EXE

MONITOR.EXE

MOOLIVE.EXE

MOSTAT.EXE

MPFAGENT.EXE

MPFSERVICE.EXE

MPFTRAY.EXE

MRFLUX.EXE

MSAPP.EXE

MSBB.EXE

MSBLAST.EXE

MSCACHE.EXE

MSCCN32.EXE

MSCMAN.EXE

MSCONFIG.EXE

MSDM.EXE

MSDOS.EXE

MSIEXEC16.EXE

MSINFO32.EXE

MSLAUGH.EXE

MSMGT.EXE

MSMSGRI32.EXE

MSSMMC32.EXE

MSSYS.EXE

MSVXD.EXE

MU0311AD.EXE

MWATCH.EXE

N32SCANW.EXE

NAV.EXE

AUTO-PROTECT.NAV80TRY.EXE

NAVAP.NAVAPSVC.EXE

NAVAPSVC.EXE

NAVAPW32.EXE

NAVDX.EXE

NAVLU32.EXE

NAVNT.EXE

NAVSTUB.EXE

NAVW32.EXE

NAVWNT.EXE

NC2000.EXE

NCINST4.EXE

NDD32.EXE

NEOMONITOR.EXE

NEOWATCHLOG.EXE

NETARMOR.EXE

NETD32.EXE

NETINFO.EXE

NETMON.EXE

NETSCANPRO.EXE

NETSPYHUNTER-1.2.EXE

NETSTAT.EXE

NETUTILS.EXE

NISSERV.EXE

NISUM.EXE

NMAIN.EXE

NOD32.EXE

NORMIST.EXE

NORTON_INTERNET_SECU_3.0_407.EXE

NOTSTART.EXE

NPF40_TW_98_NT_ME_2K.EXE

NPFMESSENGER.EXE

NPROTECT.EXE

NPSCHECK.EXE

NPSSVC.EXE

NSCHED32.EXE

NSSYS32.EXE

NSTASK32.EXE

NSUPDATE.EXE

NT.EXE

NTRTSCAN.EXE

NTVDM.EXE

NTXconfig.EXE

NUI.EXE

NUPGRADE.EXE

NUPGRADE.EXE

NVARCH16.EXE

NVC95.EXE

NVSVC32.EXE

NWINST4.EXE

NWSERVICE.EXE

NWTOOL16.EXE

OLLYDBG.EXE

ONSRVR.EXE

OPTIMIZE.EXE

OSTRONET.EXE

OTFIX.EXE

OUTPOST.EXE

OUTPOST.EXE

OUTPOSTINSTALL.EXE

OUTPOSTPROINSTALL.EXE

PADMIN.EXE

PANIXK.EXE

PATCH.EXE

PAVCL.EXE

PAVPROXY.EXE

PAVSCHED.EXE

PAVW.EXE

PCFWALLICON.EXE

PCIP10117_0.EXE

PCSCAN.EXE

PDSETUP.EXE

PERISCOPE.EXE

PERSFW.EXE

PERSWF.EXE

PF2.EXE

PFWADMIN.EXE

PGMONITR.EXE

PINGSCAN.EXE

PLATIN.EXE

POP3TRAP.EXE

POPROXY.EXE

POPSCAN.EXE

PORTDETECTIVE.EXE

PORTMONITOR.EXE

POWERSCAN.EXE

PPINUPDT.EXE

PPTBC.EXE

PPVSTOP.EXE

PRIZESURFER.EXE

PRMT.EXE

PRMVR.EXE

PROCDUMP.EXE

PROCESSMONITOR.EXE

PROCEXPLORERV1.0.EXE

PROGRAMAUDITOR.EXE

PROPORT.EXE

PROTECTX.EXE

PSPF.EXE

PURGE.EXE

QCONSOLE.EXE

QSERVER.EXE

RAPAPP.EXE

RAV7.EXE

RAV7WIN.EXE

RAV8WIN32ENG.EXE

RAY.EXE

RB32.EXE

RCSYNC.EXE

REALMON.EXE

REGED.EXE

REGEDIT.EXE

REGEDT32.EXE

RESCUE.EXE

RESCUE32.EXE

RRGUARD.EXE

RSHELL.EXE

RTVSCAN.EXE

RTVSCN95.EXE

RULAUNCH.EXE

RUN32DLL.EXE

RUNDLL.EXE

RUNDLL16.EXE

RUXDLL32.EXE

SAFEWEB.EXE

SAHAGENT.EXE

SAVE.EXE

SAVENOW.EXE

SBSERV.EXE

SC.EXE

SCAM32.EXE

SCAN32.EXE

SCAN95.EXE

SCANPM.EXE

SCRSCAN.EXE

SETUPVAMEEVAL.EXE

SETUP_FLOWPROTECTOR_US.EXE

SFC.EXE

SGSSFW32.EXE

SH.EXE

SHELLSPYINSTALL.EXE

SHN.EXE

SHOWBEHIND.EXE

SMC.EXE

SMS.EXE

SMSS32.EXE

SOAP.EXE

SOFI.EXE

SPERM.EXE

SPF.EXE

SPHINX.EXE

SPOLER.EXE

SPOOLCV.EXE

SPOOLSV32.EXE

SPYXX.EXE

SREXE.EXE

SRNG.EXE

SS3EDIT.EXE

SSGRATE.EXE

SSG_4104.EXE

ST2.EXE

START.EXE

STCLOADER.EXE

SUPFTRL.EXE

SUPPORT.EXE

SUPPORTER5.EXE

SVC.EXE

SVCHOSTC.EXE

SVCHOSTS.EXE

SVSHOST.EXE

SWEEP95.EXE

SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE

SYMPROXYSVC.EXE

SYMTRAY.EXE

SYSEDIT.EXE

SYSTEM.EXE

SYSTEM32.EXE

SYSUPD.EXE

TASKMG.EXE

TASKMO.EXE

TASKMON.EXE

TAUMON.EXE

TBSCAN.EXE

TC.EXE

TCA.EXE

TCM.EXE

TDS-3.EXE

TDS2-NT.EXE

TEEKIDS.EXE

TFAK.EXE

TFAK5.EXE

TGBOB.EXE

TITANIN.EXE

TITANINXP.EXE

TRACERT.EXE

TRICKLER.EXE

TRJSCAN.EXE

TRJSETUP.EXE

TROJANTRAP3.EXE

TSADBOT.EXE

TVMD.EXE

TVTMD.EXE

UNDOBOOT.EXE

UPDAT.EXE

UPDATE.EXE

UPDATE.EXE

UPGRAD.EXE

UTPOST.EXE

VBCMSERV.EXE

VBCONS.EXE

VBUST.EXE

VBWIN9X.EXE

VBWINNTW.EXE

VCSETUP.EXE

VET32.EXE

VET95.EXE

VETTRAY.EXE

VFSETUP.EXE

VIR-HELP.EXE

VIRUSMDPERSONALFIREWALL.EXE

VNLAN300.EXE

VNPC3000.EXE

VPC32.EXE

VPC42.EXE

VPFW30S.EXE

VPTRAY.EXE

VSCAN40.EXE

VSCENU6.02D30.EXE

VSCHED.EXE

VSECOMR.EXE

VSHWIN32.EXE

VSISETUP.EXE

VSMAIN.EXE

VSMON.EXE

VSSTAT.EXE

VSWIN9XE.EXE

VSWINNTSE.EXE

VSWINPERSE.EXE

W32DSM89.EXE

W9X.EXE

WATCHDOG.EXE

WEBDAV.EXE

WEBSCANX.EXE

WEBTRAP.EXE

WFINDV32.EXE

WHOSWATCHINGME.EXE

WIMMUN32.EXE

WIN-BUGSFIX.EXE

WIN32.EXE

WIN32US.EXE

WINACTIVE.EXE

WINDOW.EXE

WINDOWS.EXE

WININETD.EXE

WININIT.EXE

WININITX.EXE

WINLOGIN.EXE

WINMAIN.EXE

WINNET.EXE

WINPPR32.EXE

WINRECON.EXE

WINSERVN.EXE

WINSSK32.EXE

WINSTART.EXE

WINSTART001.EXE

WINTSK32.EXE

WINUPDATE.EXE

WKUFIND.EXE

WNAD.EXE

WNT.EXE

WRADMIN.EXE

WRCTRL.EXE

WSBGATE.EXE

WUPDATER.EXE

WUPDT.EXE

WYVERNWORKSFIREWALL.EXE

XPF202EN.EXE

ZAPRO.EXE

ZAPSETUP3001.EXE

ZATUTOR.EXE

ZONALM2601.EXE

ZONEALARM.EXE

_AVP32.EXE

_AVPCC.EXE

_AVPM.EXE

CMD.EXE

TASKMGR.EXE

Method of Infection

Method of Infection -

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

• txt
• htm
• sht
• jsp
• cgi
• xml
• php
• asp
• dbx
• tbb
• adb
• pl
• wab

The worm avoids certain address, those using the following strings:

• avp
• syma
• icrosof
• msn.
• hotmail
• panda
• sopho
• borlan
• inpris
• example
• mydomai
• nodomai
• ruslis
• .gov
• gov.
• .mil
• foo.
• berkeley
• unix
• math
• bsd
• mit.e
• gnu
• fsf.
• ibm.com
• google
• kernel
• linux
• fido
• usenet
• iana
• ietf
• rfc-ed
• sendmail
• arin.
• ripe.
• isi.e
• isc.o
• secur
• acketst
• pgp
• tanford.e
• utgers.ed
• mozilla
• be_loyal:
• A
• root
• info
• samples
• postmaster
• webmaster
• noone
• nobody
• nothing
• anyone
• someone
• your
• you
• me
• bugs
• rating
• site
• contact
• soft
• no
• somebody
• privacy
• service
• help
• not
• submit
• feste
• ca
• gold-certs
• the.bat
• page
• admin
• icrosoft
• support
• ntivi
• unix
• bsd
• linux
• listserv
• certific
• google
• accoun
• spm
• fcnz
• www
• secur
• abuse
• @
• support
• administrator
• mail
• service
• admin
• info
• register
• webmaster

Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

• john
• john
• alex
• michael
• james
• mike
• kevin
• david
• george
• sam
• andrew
• jose
• leo
• maria
• jim
• brian
• serg
• mary
• ray
• tom
• peter
• robert
• bob
• jane
• joe
• dan
• dave
• matt
• steve
• smith
• stan
• bill
• bob
• jack
• fred
• ted
• adam
• brent
• alice
• anna
• brenda
• claudia
• debby
• helen
• jerry
• jimmy
• julie
• linda
• sam

Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine.  The worm guesses the recipient email server, prepending the target domain name with the following strings:

• mx.
• mail.
• smtp.
• mx1.
• mxs.
• mail1.
• relay.
• ns.
• gate.

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A