McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Fanbot

Characteristics

This detection is for a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality.  This variant spreads via email, P2P sharing applications, and the MS05-039 vulnerability .

Email attachments sent by this virus may be proactively detected as Generic Malware.a!zip

Mail Propagation
The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the apparent sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server saying that you are infected, which may not be the case.

• noreply
• webmaster
• register
• info
• admin
• service
• mail
• administrator
• support

Subject: (Varies, such as)

• Notice of account limitation.
• Email Account Suspension.
• Security measures.
• Members Support.
• Important Notification!
• Warning Message: Your services near to be closed.
• Your Account is Suspended For Security Reasons.
• *DETECTED* Online User Violation.
• Your Account is Suspended.
• We've got something we would like to share with you.
• Skype for Windows 1.4 - Have you got the new Skype?
• What is Skype?
• Share Skype.

Body:  (Varies, such as) 

• Dear user %recipients name% , 
  Skype is a little piece of software that lets you talk over the Internet to anyone, anywhere for free.
  And it just got even better ¡ª download the latest version of Skype:
  Our call quality is the best ever for talking, laughing and sharing stories.
  You can forward calls on to mobiles, landlines and other Skype Names.
  Make calls instantly from Outlook email or Internet Explorer with our new toolbars.
  Personalise your Skype ¡ª play around with sounds, ringtones and pictures to show the world who you are.
  For further details see the attached document.
  This message contains graphics.  If you do not see the graphics,  click here to view.
  © 2002-2005 by Skype Technologies S.A.
  Legal information
• Dear %domain name% Member,
  
  We have temporarily suspended your email account dan@fakedomain.com.
  
  This might be due to either of the following reasons:
  
  1. A recent change in your personal information (i.e. change of address).
  2. Submiting invalid information during the initial sign up process.
  3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
  See the details to reactivate your Fakedomain account.
  
  Sincerely,The %domain name% Support Team
  +++ Attachment: No Virus (Clean)
  +++ Fakedomain Antivirus - %domain name%
• Dear user %recipient name% ,
  
  It has come to our attention that your %domain name% User Profile ( x ) records are out of date. For further details see the attached document.
  
  Thank you for using %domain name% !
  The %domain name% Support Team
  
  +++ Attachment: No Virus (Clean)
  +++ Fakedomain Antivirus - %domain name%
• Dear %domain name% Member,
  
  Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
  
  If you choose to ignore our request, you leave us no choice but to cancel your membership.
  
  Virtually yours,
  The %domain name% Support Team
  
  +++ Attachment: No Virus found
  +++ Fakedomain Antivirus - %domain name%

Attachment: (Varies - chooses from the following list of prefaces)

• important-details.zip
• Skype-stuffs.zip
• Skype-info.zip
• Skype-details.zip
• Skype.zip
• readme.zip
• Skype-document.zip
• Share Skype.zip
• Skype for Windows 1.4.zip
• account-report.zip
• document.zip
• account-info.zip
• email-details.zip
• account-details.zip

The ZIP file contains a similarly named file, using the following file extension schemes.

Extensions: (Varies, chooses from the following list)

First extension:

• htm
• tmp
• txt
• doc

Final extension:

• pif
• scr
• exe
• cmd
• bat

These are examples of common names, but they can also be random.  The file may also arrive in a ZIP archive.

Installation
When the attachment is run, a fake error message is displayed:

The virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as remote.exe . 

The Hosts file (typically found in C:\Windows\System32\Drivers\etc\) is also appended to direct several security websites to the local host, so they cannot be accessed. This file is detected and cleaned as Qhosts.apd.

The worm creates a service to load itself each time the system starts

• Service Name: RpcRemotes
• Display Name: Remote Procedure Call (RPC) Remote
• Description: Manages the RPC name service database.

P2P Propagation
The worm creates copies of itself with the following filenames inside of any directory containing any of the following strings:

• soft
• upload
• mule
• morpheus
• lime
• kazaa
• icq
• www
• ftp
• http
• htdocs
• donkey
• bear
• bak
• download
• incoming
• sharing
• share

The filenames created inside of these folders include:

• 1001 Sex and more.rtf.exe
• 3D Studio Max 6 3dsmax.exe
• angels.pif
• activation_crack.exe
• AcrobatReader_New.exe
• ACDSee 10.exe
• Adobe Photoshop 10 crack.exe
• Adobe Photoshop 10 full.exe
• Adobe Premiere 10.exe
• Ahead Nero 8.exe
• Altkins Diet.doc.exe
• American Idol.doc.exe
• Arnold Schwarzenegger.jpg.exe
• Bifrost.scr
• Butterfly.scr
• BlackIce_Firewall_Enterpriseactivation_Crack.exe
• Best Matrix Screensaver new.scr
• Britney sex xxx.jpg.exe
• Britney Spears and Eminem porn.jpg.exe
• Britney Spears blow--b.jpg.exe
• Britney Spears cu-shot.jpg.exe
• Britney Spears f--k.jpg.exe
• Britney Spears full album.mp3.exe
• Britney Spears porn.jpg.exe
• Britney Spears Sexy archive.doc.exe
• Britney Spears Song text archive.doc.exe
• Britney Spears.jpg.exe
• Britney Spears.mp3.exe
• cool screensaver.scr
• Clone DVD 6.exe
• Cloning.doc.exe
• Cracks & Warez Archiv.exe
• doom2.doc.pif
• dcom_patches.exe
• dictionary.doc.exe
• dolly_buster.jpg.pif
• Dark Angels new.pif
• Dictionary English 2004 - France.doc.exe
• DivX 8.0 final.exe
• Doom 3 release 2.exe
• e.book.doc.exe
• e-book.archive.doc.exe
• eminem - lick my pussy.mp3.pif
• E-Book Archive2.rtf.exe
• Eminem blowjob.jpg.exe
• Eminem full album.mp3.exe
• Eminem Poster.jpg.exe
• Eminem sex xxx.jpg.exe
• Eminem Sexy archive.doc.exe
• Eminem Song text archive.doc.exe
• Eminem Spears porn.jpg.exe
• Eminem.mp3.exe
• firefox-1.6a1.en-US.win32.installer.exe
• Full album all.mp3.pif
• Gimp 1.8 Full with Key.exe
• how to hack.doc.exe
• Harry Potter 1-6 book.txt.exe
• Harry Potter 5.mpg.exe
• Harry Potter all e.book.doc.exe
• Harry Potter e book.doc.exe
• Harry Potter game.exe
• Harry Potter.doc.exe
• How to hack new.doc.exe
• icq2005-final.exe
• Internet Explorer 9 setup.exe
• Kula.scr
• Kula.jpg.pif
• Kazaa Lite 4.0 new.exe
• Keygen 4 all new.exe
• Learn Programming 2004.doc.exe
• Lightwave 9 Update.exe
• matrix.scr
• MSN7-final.exe
• Maxthon_New.exe
• max payne 2.crack.exe
• Magix Video Deluxe 5 beta.exe
• Matrix.mpg.exe
• Microsoft Office 2003 Crack best.exe
• Microsoft WinXP Crack full.exe
• MS Service Pack 6.exe
• nuke2004.exe
• netsky source code.scr
• Norton Antivirus 2005 beta.exe
• Office_Crack.exe
• Opera 11.exe
• porno.scr
• programming basics.doc.exe
• Partitionsmagic 10 beta.exe
• Porno Screensaver britney.scr
• Rain.scr
• RealPlayer_New.exe
• RFC compilation.doc.exe
• Ringtones.doc.exe
• Ringtones.mp3.exe
• Serial.txt.exe
• strippoker.exe
• Super Dollfie.pif
• Strip-Girl-2.0b.exe
• Serials 2005_New.exe
• Saddam Hussein.jpg.exe
• Screensaver2.scr
• Serials edition.txt.exe
• Smashing the stack full.rtf.exe
• Star Office 9.exe
• TouchNet Browser 1.29b.exe
• Teen Porn 15.jpg.pif
• The Sims 4 beta.exe
• UltraEdit-32 12.01 + Cracker.exe
• Ulead Keygen 2004.exe
• virii.scr
• Visual Studio Net Crack all.exe
• Winamp5.exe
• Winxp_Crack.exe
• Win Longhorn.doc.exe
• Win Longhorn re.exe
• WinAmp 13 full.exe
• Windows 2000 Sourcecode.doc.exe
• Windows 2003 crack.exe
• Windows XP crack.exe
• WinXP eBook newest.doc.exe
• XXX hardcore pics.jpg.exe

Exploit Propagation
The worm sends SYN packets on TCP 445 to random IP addresses.  When a system responds, the worm attempts to exploit the MS05-039 vulnerability .  If this attempt is successfull the remote machine is instructed to FTP the file RAIN.EXE from the infected system (via TCP port 5262), and execute it.

Symptoms

The Sdbot functionality in the worm is designed to contact the following IRC server, join a specified channel, and wait for further instructions:

• jojogirl.3322.org
• SmallPhantom.meibu.com

Remote commands include:

• ClearEventLog
• Upload/Download files
• Read files
• Open-Close CD-ROM bay
• IRC commands
• Port
• ShellPath
• Create Reverse Shell
• Reboot/Logoff
• Navigate to URL
• Get network/system information

This worm attempts to terminate the process of security programs with the the following filenames:

• a2hijackfree.exe
• adam.exe
• AgtX0404.exe
• AgtX0411.exe
• AgtX0804.exe
• AlertAst.exe
• ALEScan.exe
• ALEUpdat.exe
• ALUNOTIFY.EXE
• antivirus_update.exe
• aports.exe
• AUPDATE.EXE
• BackRav.exe
• Blackd.exe
• Blackice.exe
• botzor.exe
• bronstab.exe
• ccEmFlSv.exe
• CCenter.exe
• CfgWiz.exe
• Cleanup.exe
• CmdAgent.exe
• coolbot.exe
• csm.exe
• csscan.exe
• CVT.exe
• d.exe
• DefWatch.exe
• DWHWizrd.exe
• EGhost.exe
• eksplorasi.pif
• fint2005.exe
• FrameworkService.exe
• FrmInst.exe
• hellmsn.scr
• HijackThis.exe
• hkcmd.exe
• HNetWiz.exe
• hpmanager.exe
• iamstats.exe
• IceSword.exe
• IDTemplate.exe
• igfxtray.exe
• InBuild.exe
• Iparmor.exe
• ISSVC.exe
• java.exe
• KATMain.EXE
• kav.exe
• KAV32.EXE
• KAVDX.EXE
• KAVLog2.EXE
• KAVPFW.EXE
• kavsend.exe
• KAVStart.exe
• kavsvc.exe
• KillBox.exe
• KMailMon.EXE
• knlps.exe
• knlsc13.exe
• KPFWSvc.EXE
• KRecycle.EXE
• KRegEx.exe
• KShrMgr.EXE
• KVCenter.kxp
• kvdetech.exe
• KvDetect.exe
• kvdisk.kxp
• KVDOS.exe
• KVMonXP.kxp
• KVOL.exe
• kvolself.exe
• KvReport.kxp
• KVScan.kxp
• KVSrvXP.exe
• KVStory.kxp
• KVStub.kxp
• kvupload.exe
• kvwsc.exe
• KvXP.kxp
• KWatch.EXE
• KWatch9x.EXE
• LangSet.exe
• LDVPREG.exe
• lockx.exe
• logparser.exe
• LRSend.exe
• LSETUP.EXE
• LUALL.EXE
• LuaWrap.exe
• LuComServer.EXE
• LUInit.exe
• MakeBoot.exe
• McAffeAv.exe
• mcconsol.exe
• McScript.exe
• McScript_InUse.exe
• mcupdate.exe
• MDAC.EXE
• mousebm.exe
• mousemm.exe
• mousesync.exe
• MsAgent.exe
• msnmsgs.exe
• MSTask.exe
• msvgr.exe
• naPrdMgr.exe
• navustub.exe
• NDETECT.EXE
• NTdhcp.exe
• nvchip4.exe
• Patch.exe
• PCCBrows.exe
• pccguide.exe
• pcclient.exe
• PccLog.exe
• pccmain.exe
• PcCmdCom.exe
• Pccspyui.exe
• PcCtlCom.exe
• PCCTool.exe
• PCCVScan.exe
• per.exe
• PFW.exe
• Phantom.exe
• picx.exe
• pireg.exe
• pm.exe
• ProcessExplorer.exe
• Rav.exe
• RAVDOS.EXE
• RavHDBak.exe
• RavMon.exe
• RavMonD.exe
• RavPatch.exe
• RavStore.exe
• RavStub.exe
• RavTimer.exe
• RavXP.exe
• realsched.exe
• RegClean.exe
• RegGuide.exe
• regsvc.exe
• REGSVR32.EXE
• regsvrcss32.exe
• Rescue.EXE
• Rfw.exe
• RfwMain.exe
• rfwsrv.exe
• rkdetector.exe
• RootkitRevealer.exe
• RsAgent.exe
• RsConfig.exe
• rssms.exe
• Rtvscan.exe
• RUNDLL32.EXE
• SavRoam.exe
• scan32.exe
• ScanBD.exe
• ScnCfg32.Exe
• scrigz.exe
• servce.exe
• SetupWiz.EXE
• shcfg32.exe
• shstat.exe
• SMARTDRV.EXE
• SmartUp.exe
• smss.exe
• SOUNDMAN.exe
• SymantecRootInstaller.exe
• SymClnUp.exe
• system.exe
• taskgmr.exe
• Tmntsrv.exe
• TMOAgent.exe
• TmPfw.exe
• tmproxy.exe
• TRA.EXE
• TRIALMSG.exe
• TrojanDetector.EXE
• Trojanwall.exe
• TrojDie.kxp
• TSC.EXE
• UnInstall.kxp
• Update.EXE
• UpdaterUI.exe
• updatexp.exe
• UpGrade.exe
• VirusBox.kxp
• VPC32.exe
• VPDN_LU.exe
• VPTray.exe
• VsTskMgr.exe
• wID32.exe
• winhost.exe
• winldr.exe
• wins.exe
• winsvc.exe
• wintbp.exe
• winupdate.exe
• wpa.exe
• WriteCan.exe
• Zonealarm.exe

The worm appends the HOSTS file to block access to the following domains (the modified HOSTS file is detected as QHosts-1!hosts):

• avp.com
• ca.com
• customer.symantec.com
• db.kingsoft.com
• dispatch.mcafee.com
• download.mcafee.com
• f-secure.com
• iduba.net
• jiangmin.com
• kaspersky.com
• kaspersky.com.cn
• kaspersky-labs.com
• kingsoft.com
• liveupdate.symantec.com
• liveupdate.symantecliveupdate.com
• mast.mcafee.com
• mcafee.com
• microsoft.com
• my-etrust.com
• nai.com
• networkassociates.com
• online.rising.com.cn
• pandasoftware.com
• rads.mcafee.com
• rising.com.cn
• scan.kingsoft.com
• secure.nai.com
• securityresponse.symantec.com
• sophos.com
• symantec.com
• symantec.com.cn
• trendmicro.com
• update.symantec.com
• Update2.JiangMin.com
• Update3.JiangMin.com
• updates.symantec.com
• us.mcafee.com
• viruslist.com
• virustotal.com
• www.avp.com
• www.ca.com
• www.f-secure.com
• www.grisoft.com
• www.iduba.net
• www.jiangmin.com
• www.kaspersky.com
• www.kaspersky.com.cn
• www.mcafee.com
• www.microsoft.com
• www.my-etrust.com
• www.nai.com
• www.networkassociates.com
• www.pandaguard.com
• www.pandasoftware.com
• www.rising.com.cn
• www.sophos.com
• www.symantec.com
• www.symantec.com.cn
• www.trendmicro.com
• www.viruslist.com
• www.virustotal.com

The worm creates the following marker registry key:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Setup "Ph4nt0m" = Ph4nt0m

The following registry values are also set:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
  Services\wuauserv "Start" = 4
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
  Services\SharedAccess "Start" = 4

Method of Infection

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

• adb
• asp
• cfg
• cgi
• dbx
• htm
• html
• jsp
• mdb
• mht
• msg
• php
• pl
• sht
• shtm
• shtml
• tbb
• txt
• vbe
• vbs
• wab
• xml

The worm avoids certain address, those using the following strings:

• avp
• syma
• icrosof
• msn.
• hotmail
• panda
• sopho
• borlan
• inpris
• example
• mydomai
• nodomai
• ruslis
• .gov
• gov.
• .mil
• foo.
• berkeley
• unix
• math
• bsd
• mit.e
• gnu
• fsf.
• ibm.com
• google
• kernel
• linux
• fido
• usenet
• iana
• ietf
• rfc-ed
• sendmail
• arin.
• ripe.
• isi.e
• isc.o
• secur
• acketst
• pgp
• tanford.e
• utgers.ed
• mozilla
• accoun
• spm
• fcnz
• www
• secur
• abuse

Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

• john
• josh
• alex
• michael
• james
• mike
• kevin
• david
• george
• sam
• andrew
• jose
• leo
• maria
• jim
• brian
• serg
• mary
• ray
• tom
• peter
• robert
• bob
• jane
• joe
• dan
• dave
• matt
• steve
• smith
• stan
• bill
• bob
• jack
• fred
• ted
• paul
• brent
• sales
• anna
• brenda
• claudia
• debby
• helen
• jerry
• jimmy
• julie
• linda
• michael
• frank
• adam
• sandra
• root
• system
• virusalert
• admin
• web
• smtp
• webmaster
• bill

Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine.  The worm guesses the recipient email server, prepending the target domain name with the following strings:

• mx
• mail
• smtp
• mx1
• mxs
• mail1
• relay
• ns
• gate

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Fanbot

Characteristics

Characteristics -

This detection is for a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality.  This variant spreads via email, P2P sharing applications, and the MS05-039 vulnerability .

Email attachments sent by this virus may be proactively detected as Generic Malware.a!zip

Mail Propagation
The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the apparent sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server saying that you are infected, which may not be the case.

• noreply
• webmaster
• register
• info
• admin
• service
• mail
• administrator
• support

Subject: (Varies, such as)

• Notice of account limitation.
• Email Account Suspension.
• Security measures.
• Members Support.
• Important Notification!
• Warning Message: Your services near to be closed.
• Your Account is Suspended For Security Reasons.
• *DETECTED* Online User Violation.
• Your Account is Suspended.
• We've got something we would like to share with you.
• Skype for Windows 1.4 - Have you got the new Skype?
• What is Skype?
• Share Skype.

Body:  (Varies, such as) 

• Dear user %recipients name% , 
  Skype is a little piece of software that lets you talk over the Internet to anyone, anywhere for free.
  And it just got even better ¡ª download the latest version of Skype:
  Our call quality is the best ever for talking, laughing and sharing stories.
  You can forward calls on to mobiles, landlines and other Skype Names.
  Make calls instantly from Outlook email or Internet Explorer with our new toolbars.
  Personalise your Skype ¡ª play around with sounds, ringtones and pictures to show the world who you are.
  For further details see the attached document.
  This message contains graphics.  If you do not see the graphics,  click here to view.
  © 2002-2005 by Skype Technologies S.A.
  Legal information
• Dear %domain name% Member,
  
  We have temporarily suspended your email account dan@fakedomain.com.
  
  This might be due to either of the following reasons:
  
  1. A recent change in your personal information (i.e. change of address).
  2. Submiting invalid information during the initial sign up process.
  3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
  See the details to reactivate your Fakedomain account.
  
  Sincerely,The %domain name% Support Team
  +++ Attachment: No Virus (Clean)
  +++ Fakedomain Antivirus - %domain name%
• Dear user %recipient name% ,
  
  It has come to our attention that your %domain name% User Profile ( x ) records are out of date. For further details see the attached document.
  
  Thank you for using %domain name% !
  The %domain name% Support Team
  
  +++ Attachment: No Virus (Clean)
  +++ Fakedomain Antivirus - %domain name%
• Dear %domain name% Member,
  
  Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
  
  If you choose to ignore our request, you leave us no choice but to cancel your membership.
  
  Virtually yours,
  The %domain name% Support Team
  
  +++ Attachment: No Virus found
  +++ Fakedomain Antivirus - %domain name%

Attachment: (Varies - chooses from the following list of prefaces)

• important-details.zip
• Skype-stuffs.zip
• Skype-info.zip
• Skype-details.zip
• Skype.zip
• readme.zip
• Skype-document.zip
• Share Skype.zip
• Skype for Windows 1.4.zip
• account-report.zip
• document.zip
• account-info.zip
• email-details.zip
• account-details.zip

The ZIP file contains a similarly named file, using the following file extension schemes.

Extensions: (Varies, chooses from the following list)

First extension:

• htm
• tmp
• txt
• doc

Final extension:

• pif
• scr
• exe
• cmd
• bat

These are examples of common names, but they can also be random.  The file may also arrive in a ZIP archive.

Installation
When the attachment is run, a fake error message is displayed:

The virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as remote.exe . 

The Hosts file (typically found in C:\Windows\System32\Drivers\etc\) is also appended to direct several security websites to the local host, so they cannot be accessed. This file is detected and cleaned as Qhosts.apd.

The worm creates a service to load itself each time the system starts

• Service Name: RpcRemotes
• Display Name: Remote Procedure Call (RPC) Remote
• Description: Manages the RPC name service database.

P2P Propagation
The worm creates copies of itself with the following filenames inside of any directory containing any of the following strings:

• soft
• upload
• mule
• morpheus
• lime
• kazaa
• icq
• www
• ftp
• http
• htdocs
• donkey
• bear
• bak
• download
• incoming
• sharing
• share

The filenames created inside of these folders include:

• 1001 Sex and more.rtf.exe
• 3D Studio Max 6 3dsmax.exe
• angels.pif
• activation_crack.exe
• AcrobatReader_New.exe
• ACDSee 10.exe
• Adobe Photoshop 10 crack.exe
• Adobe Photoshop 10 full.exe
• Adobe Premiere 10.exe
• Ahead Nero 8.exe
• Altkins Diet.doc.exe
• American Idol.doc.exe
• Arnold Schwarzenegger.jpg.exe
• Bifrost.scr
• Butterfly.scr
• BlackIce_Firewall_Enterpriseactivation_Crack.exe
• Best Matrix Screensaver new.scr
• Britney sex xxx.jpg.exe
• Britney Spears and Eminem porn.jpg.exe
• Britney Spears blow--b.jpg.exe
• Britney Spears cu-shot.jpg.exe
• Britney Spears f--k.jpg.exe
• Britney Spears full album.mp3.exe
• Britney Spears porn.jpg.exe
• Britney Spears Sexy archive.doc.exe
• Britney Spears Song text archive.doc.exe
• Britney Spears.jpg.exe
• Britney Spears.mp3.exe
• cool screensaver.scr
• Clone DVD 6.exe
• Cloning.doc.exe
• Cracks & Warez Archiv.exe
• doom2.doc.pif
• dcom_patches.exe
• dictionary.doc.exe
• dolly_buster.jpg.pif
• Dark Angels new.pif
• Dictionary English 2004 - France.doc.exe
• DivX 8.0 final.exe
• Doom 3 release 2.exe
• e.book.doc.exe
• e-book.archive.doc.exe
• eminem - lick my pussy.mp3.pif
• E-Book Archive2.rtf.exe
• Eminem blowjob.jpg.exe
• Eminem full album.mp3.exe
• Eminem Poster.jpg.exe
• Eminem sex xxx.jpg.exe
• Eminem Sexy archive.doc.exe
• Eminem Song text archive.doc.exe
• Eminem Spears porn.jpg.exe
• Eminem.mp3.exe
• firefox-1.6a1.en-US.win32.installer.exe
• Full album all.mp3.pif
• Gimp 1.8 Full with Key.exe
• how to hack.doc.exe
• Harry Potter 1-6 book.txt.exe
• Harry Potter 5.mpg.exe
• Harry Potter all e.book.doc.exe
• Harry Potter e book.doc.exe
• Harry Potter game.exe
• Harry Potter.doc.exe
• How to hack new.doc.exe
• icq2005-final.exe
• Internet Explorer 9 setup.exe
• Kula.scr
• Kula.jpg.pif
• Kazaa Lite 4.0 new.exe
• Keygen 4 all new.exe
• Learn Programming 2004.doc.exe
• Lightwave 9 Update.exe
• matrix.scr
• MSN7-final.exe
• Maxthon_New.exe
• max payne 2.crack.exe
• Magix Video Deluxe 5 beta.exe
• Matrix.mpg.exe
• Microsoft Office 2003 Crack best.exe
• Microsoft WinXP Crack full.exe
• MS Service Pack 6.exe
• nuke2004.exe
• netsky source code.scr
• Norton Antivirus 2005 beta.exe
• Office_Crack.exe
• Opera 11.exe
• porno.scr
• programming basics.doc.exe
• Partitionsmagic 10 beta.exe
• Porno Screensaver britney.scr
• Rain.scr
• RealPlayer_New.exe
• RFC compilation.doc.exe
• Ringtones.doc.exe
• Ringtones.mp3.exe
• Serial.txt.exe
• strippoker.exe
• Super Dollfie.pif
• Strip-Girl-2.0b.exe
• Serials 2005_New.exe
• Saddam Hussein.jpg.exe
• Screensaver2.scr
• Serials edition.txt.exe
• Smashing the stack full.rtf.exe
• Star Office 9.exe
• TouchNet Browser 1.29b.exe
• Teen Porn 15.jpg.pif
• The Sims 4 beta.exe
• UltraEdit-32 12.01 + Cracker.exe
• Ulead Keygen 2004.exe
• virii.scr
• Visual Studio Net Crack all.exe
• Winamp5.exe
• Winxp_Crack.exe
• Win Longhorn.doc.exe
• Win Longhorn re.exe
• WinAmp 13 full.exe
• Windows 2000 Sourcecode.doc.exe
• Windows 2003 crack.exe
• Windows XP crack.exe
• WinXP eBook newest.doc.exe
• XXX hardcore pics.jpg.exe

Exploit Propagation
The worm sends SYN packets on TCP 445 to random IP addresses.  When a system responds, the worm attempts to exploit the MS05-039 vulnerability .  If this attempt is successfull the remote machine is instructed to FTP the file RAIN.EXE from the infected system (via TCP port 5262), and execute it.

Symptoms

Symptoms -

The Sdbot functionality in the worm is designed to contact the following IRC server, join a specified channel, and wait for further instructions:

• jojogirl.3322.org
• SmallPhantom.meibu.com

Remote commands include:

• ClearEventLog
• Upload/Download files
• Read files
• Open-Close CD-ROM bay
• IRC commands
• Port
• ShellPath
• Create Reverse Shell
• Reboot/Logoff
• Navigate to URL
• Get network/system information

This worm attempts to terminate the process of security programs with the the following filenames:

• a2hijackfree.exe
• adam.exe
• AgtX0404.exe
• AgtX0411.exe
• AgtX0804.exe
• AlertAst.exe
• ALEScan.exe
• ALEUpdat.exe
• ALUNOTIFY.EXE
• antivirus_update.exe
• aports.exe
• AUPDATE.EXE
• BackRav.exe
• Blackd.exe
• Blackice.exe
• botzor.exe
• bronstab.exe
• ccEmFlSv.exe
• CCenter.exe
• CfgWiz.exe
• Cleanup.exe
• CmdAgent.exe
• coolbot.exe
• csm.exe
• csscan.exe
• CVT.exe
• d.exe
• DefWatch.exe
• DWHWizrd.exe
• EGhost.exe
• eksplorasi.pif
• fint2005.exe
• FrameworkService.exe
• FrmInst.exe
• hellmsn.scr
• HijackThis.exe
• hkcmd.exe
• HNetWiz.exe
• hpmanager.exe
• iamstats.exe
• IceSword.exe
• IDTemplate.exe
• igfxtray.exe
• InBuild.exe
• Iparmor.exe
• ISSVC.exe
• java.exe
• KATMain.EXE
• kav.exe
• KAV32.EXE
• KAVDX.EXE
• KAVLog2.EXE
• KAVPFW.EXE
• kavsend.exe
• KAVStart.exe
• kavsvc.exe
• KillBox.exe
• KMailMon.EXE
• knlps.exe
• knlsc13.exe
• KPFWSvc.EXE
• KRecycle.EXE
• KRegEx.exe
• KShrMgr.EXE
• KVCenter.kxp
• kvdetech.exe
• KvDetect.exe
• kvdisk.kxp
• KVDOS.exe
• KVMonXP.kxp
• KVOL.exe
• kvolself.exe
• KvReport.kxp
• KVScan.kxp
• KVSrvXP.exe
• KVStory.kxp
• KVStub.kxp
• kvupload.exe
• kvwsc.exe
• KvXP.kxp
• KWatch.EXE
• KWatch9x.EXE
• LangSet.exe
• LDVPREG.exe
• lockx.exe
• logparser.exe
• LRSend.exe
• LSETUP.EXE
• LUALL.EXE
• LuaWrap.exe
• LuComServer.EXE
• LUInit.exe
• MakeBoot.exe
• McAffeAv.exe
• mcconsol.exe
• McScript.exe
• McScript_InUse.exe
• mcupdate.exe
• MDAC.EXE
• mousebm.exe
• mousemm.exe
• mousesync.exe
• MsAgent.exe
• msnmsgs.exe
• MSTask.exe
• msvgr.exe
• naPrdMgr.exe
• navustub.exe
• NDETECT.EXE
• NTdhcp.exe
• nvchip4.exe
• Patch.exe
• PCCBrows.exe
• pccguide.exe
• pcclient.exe
• PccLog.exe
• pccmain.exe
• PcCmdCom.exe
• Pccspyui.exe
• PcCtlCom.exe
• PCCTool.exe
• PCCVScan.exe
• per.exe
• PFW.exe
• Phantom.exe
• picx.exe
• pireg.exe
• pm.exe
• ProcessExplorer.exe
• Rav.exe
• RAVDOS.EXE
• RavHDBak.exe
• RavMon.exe
• RavMonD.exe
• RavPatch.exe
• RavStore.exe
• RavStub.exe
• RavTimer.exe
• RavXP.exe
• realsched.exe
• RegClean.exe
• RegGuide.exe
• regsvc.exe
• REGSVR32.EXE
• regsvrcss32.exe
• Rescue.EXE
• Rfw.exe
• RfwMain.exe
• rfwsrv.exe
• rkdetector.exe
• RootkitRevealer.exe
• RsAgent.exe
• RsConfig.exe
• rssms.exe
• Rtvscan.exe
• RUNDLL32.EXE
• SavRoam.exe
• scan32.exe
• ScanBD.exe
• ScnCfg32.Exe
• scrigz.exe
• servce.exe
• SetupWiz.EXE
• shcfg32.exe
• shstat.exe
• SMARTDRV.EXE
• SmartUp.exe
• smss.exe
• SOUNDMAN.exe
• SymantecRootInstaller.exe
• SymClnUp.exe
• system.exe
• taskgmr.exe
• Tmntsrv.exe
• TMOAgent.exe
• TmPfw.exe
• tmproxy.exe
• TRA.EXE
• TRIALMSG.exe
• TrojanDetector.EXE
• Trojanwall.exe
• TrojDie.kxp
• TSC.EXE
• UnInstall.kxp
• Update.EXE
• UpdaterUI.exe
• updatexp.exe
• UpGrade.exe
• VirusBox.kxp
• VPC32.exe
• VPDN_LU.exe
• VPTray.exe
• VsTskMgr.exe
• wID32.exe
• winhost.exe
• winldr.exe
• wins.exe
• winsvc.exe
• wintbp.exe
• winupdate.exe
• wpa.exe
• WriteCan.exe
• Zonealarm.exe

The worm appends the HOSTS file to block access to the following domains (the modified HOSTS file is detected as QHosts-1!hosts):

• avp.com
• ca.com
• customer.symantec.com
• db.kingsoft.com
• dispatch.mcafee.com
• download.mcafee.com
• f-secure.com
• iduba.net
• jiangmin.com
• kaspersky.com
• kaspersky.com.cn
• kaspersky-labs.com
• kingsoft.com
• liveupdate.symantec.com
• liveupdate.symantecliveupdate.com
• mast.mcafee.com
• mcafee.com
• microsoft.com
• my-etrust.com
• nai.com
• networkassociates.com
• online.rising.com.cn
• pandasoftware.com
• rads.mcafee.com
• rising.com.cn
• scan.kingsoft.com
• secure.nai.com
• securityresponse.symantec.com
• sophos.com
• symantec.com
• symantec.com.cn
• trendmicro.com
• update.symantec.com
• Update2.JiangMin.com
• Update3.JiangMin.com
• updates.symantec.com
• us.mcafee.com
• viruslist.com
• virustotal.com
• www.avp.com
• www.ca.com
• www.f-secure.com
• www.grisoft.com
• www.iduba.net
• www.jiangmin.com
• www.kaspersky.com
• www.kaspersky.com.cn
• www.mcafee.com
• www.microsoft.com
• www.my-etrust.com
• www.nai.com
• www.networkassociates.com
• www.pandaguard.com
• www.pandasoftware.com
• www.rising.com.cn
• www.sophos.com
• www.symantec.com
• www.symantec.com.cn
• www.trendmicro.com
• www.viruslist.com
• www.virustotal.com

The worm creates the following marker registry key:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Setup "Ph4nt0m" = Ph4nt0m

The following registry values are also set:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
  Services\wuauserv "Start" = 4
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
  Services\SharedAccess "Start" = 4

Method of Infection

Method of Infection -

The mailing component harvests address from the local system.  Files with the following extensions are targeted:

• adb
• asp
• cfg
• cgi
• dbx
• htm
• html
• jsp
• mdb
• mht
• msg
• php
• pl
• sht
• shtm
• shtml
• tbb
• txt
• vbe
• vbs
• wab
• xml

The worm avoids certain address, those using the following strings:

• avp
• syma
• icrosof
• msn.
• hotmail
• panda
• sopho
• borlan
• inpris
• example
• mydomai
• nodomai
• ruslis
• .gov
• gov.
• .mil
• foo.
• berkeley
• unix
• math
• bsd
• mit.e
• gnu
• fsf.
• ibm.com
• google
• kernel
• linux
• fido
• usenet
• iana
• ietf
• rfc-ed
• sendmail
• arin.
• ripe.
• isi.e
• isc.o
• secur
• acketst
• pgp
• tanford.e
• utgers.ed
• mozilla
• accoun
• spm
• fcnz
• www
• secur
• abuse

Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

• john
• josh
• alex
• michael
• james
• mike
• kevin
• david
• george
• sam
• andrew
• jose
• leo
• maria
• jim
• brian
• serg
• mary
• ray
• tom
• peter
• robert
• bob
• jane
• joe
• dan
• dave
• matt
• steve
• smith
• stan
• bill
• bob
• jack
• fred
• ted
• paul
• brent
• sales
• anna
• brenda
• claudia
• debby
• helen
• jerry
• jimmy
• julie
• linda
• michael
• frank
• adam
• sandra
• root
• system
• virusalert
• admin
• web
• smtp
• webmaster
• bill

Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine.  The worm guesses the recipient email server, prepending the target domain name with the following strings:

• mx
• mail
• smtp
• mx1
• mxs
• mail1
• relay
• ns
• gate

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A