W32/Areses.j@MM

Type: Virus
SubType: E-mail
Discovery Date: 05/10/2006
Length: 20,856 bytes
Minimum DAT: 4759 (05/10/2006)
Updated DAT: 5325 (06/25/2008)
Minimum Engine: 5.1.00
Description Added: 05/10/2006
Description Modified: 05/10/2006 5:38 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

W32/Areses.j is a mass mailer that spreads via e-mail by harvesting e-mail addresses from the infected machine. It also spreads via P2P file-sharing networks.

Upon execution, the worm copies itself as "csrss.exe" into the %WINDIR% folder.

Before replicating, the virus attempts to verify internet connectivity by downloading a file.


Registry Changes

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger: "C:\WINDOWS\csrss.exe"
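
A defender-side check for the persistence mechanism above, added here as an example and not taken from the advisory or from McAfee: it parses the text produced by `reg export` for the Image File Execution Options key (a constructed sample is embedded) and flags Debugger values that hijack explorer.exe, or that point a core-process name such as csrss.exe anywhere outside System32, where the genuine binary lives. The export format, the sample entries and the list of System32-only process names are assumptions for the example.

```python
import re

# Constructed sample in the text format written by "reg export" (not from the advisory);
# the explorer.exe entry mirrors the Debugger value described above.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Program Files\\Tools\\debugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"DisableHeapLookaside"=dword:00000001
"""

IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
               "Image File Execution Options\\")
# Core Windows processes that legitimately live only under %WINDIR%\System32 (assumed list).
SYSTEM32_ONLY = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "services.exe"}


def parse_ifeo_debuggers(reg_text):
    """Return {image_name: debugger_path} for every IFEO subkey carrying a Debugger value."""
    result, current = {}, None
    for line in reg_text.splitlines():
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            name = key.group(1)
            current = name[len(IFEO_PREFIX):].lower() if name.startswith(IFEO_PREFIX) else None
            continue
        val = re.match(r'^"Debugger"="(.*)"$', line)
        if val and current:
            # .reg files write a literal backslash as "\\"
            result[current] = val.group(1).replace("\\\\", "\\")
    return result


def suspicious_debuggers(debuggers):
    """Flag Debugger entries that fit the hijack above; returns (image, path, reasons) tuples."""
    findings = []
    for image, path in debuggers.items():
        base = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if image == "explorer.exe":
            reasons.append("Debugger set on the shell: the debugger runs at every logon")
        if base in SYSTEM32_ONLY and "\\system32\\" not in path.lower():
            reasons.append(base + " outside System32: look-alike of a core process")
        if reasons:
            findings.append((image, path, reasons))
    return findings
```

On a live host, feed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` to `parse_ifeo_debuggers`; any Debugger value on explorer.exe deserves investigation, since explorer.exe is never legitimately run under a debugger on an end-user machine.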

It sends out mail using its own SMTP engine. The attachments are generally in .cab format, but the attachment may also be an executable, an archive, or an HTML application (.hta) file.

It looks for the following file types when harvesting e-mail addresses:

  • .adb
  • .asp
  • .cfg
  • .cgi
  • .mra
  • .dbx
  • .dhtm
  • .eml
  • .htm
  • .html
  • .jsp
  • .mbx
  • .mdx
  • .mht
  • .mmf
  • .msg
  • .nch
  • .ods
  • .oft
  • .php
  • .pl
  • .sht
  • .shtm
  • .stm
  • .tbb
  • .txt
  • .uin
  • .wab
  • .wsh
  • .xls
  • .xml
  • .dhtml

It avoids sending itself to e-mail addresses that contain any of the following strings:

  • @example.
  • 2003
  • 2004
  • 2005
  • 2006
  • @microsoft
  • rating@
  • f-secur
  • news
  • update
  • .qmail
  • .gif
  • anyone@
  • bugs@
  • contract@
  • feste
  • gold-certs@
  • help@
  • info@
  • nobody@
  • noone@
  • 0000
  • Mailer-Daemon@
  • @subscribe
  • kasp
  • admin
  • icrosoft
  • support
  • ntivi
  • unix
  • bsd
  • linux
  • listserv
  • certific
  • torvalds@
  • sopho
  • @foo
  • @iana
  • free-av
  • @messagelab
  • winzip
  • google
  • winrar
  • samples
  • spm111@
  • .00
  • ---
  • abuse
  • panda
  • cafee
  • spam
  • pgp
  • @avp.
  • noreply
  • local
  • root@
  • postmaster@

The e-mail message may use one of the following subject lines:

  • Hi, what's up?
  • He, where are you?
  • Hi, drop me a line!!!
  • Hi! Please write to me urgently!
  • Hi! I'm waiting you online today!
  • Will you be online today?
  • When you're gonna answer me?
  • Re: write to me!
  • Re: Call me!
  • Re: Where are you?
  • Re: When you're gonna answer me?
  • Hi!!! How's the mood?
  • Re: How's the mood?
  • Re: Where have you been?

The message body may be one of the following:

  • Hi!!!!! You haven't been writing for a long time. I began to worry) Where have you been? You remember, you've asked a progy from me? I've finally found it, so here it is. Check it out if this is what you've been looking for... bye
  • Hi, what's up? Will you show up online today?
  • Drop me a line in ICQ, ok? Btw, I'm sending you the docs you've been looking for, find them attached. Check them out, ok?
  • Hi!
  • I'm coming to you tomorrow, ok? When you are going to be home?
  • You remember, you've asked some docs. Please find them attached. Check and seewhat's inside. That's it. Bye, till tomorrow...
  • Hi!
  • You disappeared again. If you come online, drop me a line, ok?
  • Btw, I sent you those docs that you've been looking for. Check them out. Bye!
  • Hi, give me a call just when you got the message! I'm tired of waiting. Btw, I'm sending that program that you've been looking for. Check it out. Appears to be that one. Bye!
  • Hi, what's up? If you have time tomorrow, please come over. After midday. By the way, don't forget to check the enclosed documents. Bye. See you tomorrow.
  • Hi, I got a free day tomorrow, and I'm waiting for you. Please come after midday. By the way, I'm sending you the documents that you've been asking for. Read
  • them out... Bye!
  • Hi, how are you? What are your plans today? If you have time, please come over, and don't forget to check the program attached. Bye!
  • Hi, what's you gonna do today? I'll come over tonight! By the way, don't give anyone this funny program I'm sending. Check it out. Bye!
  • Hi, I found that program you asked for. Find it attached. Bye.
  • Hi, I saw you around today, but you didn't noticed me ( If you're gonna be at home, give a call, ok? By the way, check this file I'm sending. A very interesting program...
  • I'm sending it out. Use it. Bye!
  • Hi, drop me a line today, ok? And see the program I'm sending. Bye!
  • Hi, drop me a line if you can. Btw, I have a new ICQ. Please don't forget to check the attached documents. Bye.
  • Hi! How are you? Drop me a line if you can. I found your documents and I'm emailing them to you. Bye.

Attachment filenames are built from one of the following strings followed by a varying extension (usually .zip or .exe). Some examples:

  • Archive
  • Fotos
  • private
  • confidential
  • secret
  • images
  • your_documents
  • backup
  • Message
  • File
  • Document
  • README
  • Passwords
  • Readme
  • Important
  • New
  • COOL

Symptoms

Created Files

  • %WINDIR%\csrss.exe

Registry Changes

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger: "C:\WINDOWS\csrss.exe"

Attempts to connect to the following servers

  • [http://]85.249.23.35/[Blocked]
  • [http://]207.46.250.119/[Blocked]
  • [http://]84.22.161.192/[Blocked]

Unexpected SMTP traffic, or high processor or disk utilization.

Method of Infection

W32/Areses.j@MM spreads through e-mails sent to harvested addresses and via P2P file-sharing networks.

P2P Propagation

W32/Areses.j@MM searches for folder names which contain any of the strings listed below:

  • source
  • share
  • kazaa
  • morpheus
  • upload
  • donkey
  • download


When a folder is found, it will copy itself into the folder using the following filenames:

  • 1001 Sex and more.rtf
  • 3D Studio Max 6 3dsmax
  • ACDSee 10 full
  • Adobe Photoshop 10 full
  • Adobe Premiere 10
  • Ahead Nero 8
  • Altkins Diet.doc
  • American Idol.doc
  • anthrax.doc
  • Arnold Schwarzenegger.jpg
  • Best Matrix Screensaver new
  • Britney sex xxx.jpg
  • Britney Spears and Eminem porn.jpg
  • Britney Spears blowjob.jpg
  • Britney Spears cumshot.jpg
  • Britney Spears fuck.jpg
  • Britney Spears full album.mp3
  • Britney Spears porn.jpg
  • Britney Spears Sexy archive.doc
  • Britney Spears Song text archive.doc
  • Britney Spears.jpg
  • Britney Spears.mp3
  • Clone DVD 6
  • Cloning.doc
  • Cracks & Warez Archiv
  • Dark Angels new
  • Dictionary English 2004 - France.doc
  • DivX 8.0 final
  • Doom 3 release 2
  • E-Book Archive2.rtf
  • Eminem blowjob.jpg
  • Eminem full album.mp3
  • Eminem Poster.jpg
  • Eminem sex xxx.jpg
  • Eminem Sexy archive.doc
  • Eminem Spears porn.jpg
  • Eminem.mp3
  • Full album all.mp3
  • Gimp 1.8 Full with Key
  • Harry Potter 1-6 book.txt
  • Harry Potter 5.mpg
  • Harry Potter all e.book.doc
  • Harry Potter and the Sorcerer's Stone game
  • Harry Potter e book.doc
  • Harry Potter game
  • Harry Potter.doc
  • How to hack new.doc
  • Internet Explorer 9 setup
  • Kazaa Lite 4.0 new
  • Kazaa new
  • Keygen 4 all new
  • Learn Programming 2004.doc
  • Lightwave 9 Update
  • Magix Video Deluxe 5 beta
  • Matrix 3 .mpg
  • Microsoft Office 2003 Crack best
  • Microsoft WinXP Crack full
  • MS Service Pack 6
  • Norton Antivirus 2005 beta
  • Nostradamus.doc
  • Opera 11 free
  • Osama Bin Laden.jpg
  • Osama bin Laden.mpg
  • Partitionsmagic 10 beta
  • Porno Screensaver britney
  • RFC compilation.doc
  • Ringtones.doc
  • Ringtones.mp3
  • Saddam Hussein.jpg
  • Screensaver2
  • Serials edition.txt
  • Smashing the stack full.rtf
  • source code
  • Star Office 9
  • Taliban
  • Teen Porn 15.jpg
  • The Sims 4 beta
  • Ulead Keygen 2004
  • Vista review.doc
  • Visual Studio Net Crack all
  • WinAmp 13 full with sources
  • Windows 2003 crack
  • Windows Vista Sourcecode.doc
  • Windows XP crack
  • WinXP eBook newest.doc
  • World Trade Center last video.mpeg
  • XXX hardcore pics.jpg
  • Yellow Pages

The extension on the above filenames can be SCR, PIF or EXE.
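
A defender-side scan for the P2P drop pattern described above, added here as an example and not taken from the advisory: it walks a directory tree, restricts attention to folders whose names contain the listed fragments, and flags files that carry one of the lure names (a subset is embedded) or a document/media name followed by an .scr, .pif or .exe extension. The sample tree is constructed in a temporary directory and the folder and file names in it are assumptions for the example.

```python
import os
import tempfile

# Folder-name fragments and a subset of the lure filenames listed in the advisory above.
SHARE_FOLDER_HINTS = ("source", "share", "kazaa", "morpheus", "upload", "donkey", "download")
LURE_STEMS = {"britney spears.jpg", "harry potter.doc", "windows xp crack",
              "smashing the stack full.rtf", "norton antivirus 2005 beta", "kazaa new"}
WORM_EXTENSIONS = {".scr", ".pif", ".exe"}


def is_share_folder(relpath):
    """True if any component of the path (relative to the scan root) contains a P2P hint."""
    parts = os.path.normpath(relpath).lower().split(os.sep)
    return any(hint in part for part in parts for hint in SHARE_FOLDER_HINTS)


def scan_for_p2p_lures(root):
    """Walk `root`; return (path, reason) for files matching the worm's drop pattern."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not is_share_folder(os.path.relpath(dirpath, root)):
            continue
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() not in WORM_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            if stem.lower() in LURE_STEMS:
                findings.append((full, "known lure name with executable extension"))
            elif os.path.splitext(stem)[1]:
                # e.g. "notes.jpg.pif": a media/document name hiding an executable
                findings.append((full, "double extension hiding an executable"))
    return findings


def summarize(findings):
    """Map each flagged file's basename to its reason (convenient for reports)."""
    return {os.path.basename(path): reason for path, reason in findings}


def build_sample_tree():
    """Constructed sample tree (not from the advisory): one P2P-style share, one plain folder."""
    root = tempfile.mkdtemp()
    share = os.path.join(root, "My Shared Folder")   # name contains "share"
    plain = os.path.join(root, "Documents")
    os.makedirs(share)
    os.makedirs(plain)
    for name in ("Harry Potter.doc.scr", "Windows XP crack.exe", "holiday.mp3", "notes.jpg.pif"):
        open(os.path.join(share, name), "w").close()
    open(os.path.join(plain, "Harry Potter.doc.scr"), "w").close()  # outside a share folder
    return root
```

On a real host, point `scan_for_p2p_lures` at the drive root; the double-extension rule catches lure names that are not in the embedded subset.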

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively: infected systems spread the virus to other systems, which then propagate it further. W32/Areses.j@MM spreads to other systems via e-mail and P2P file-sharing networks.

This threat has been proactively detected as New Malware.n since the 4700 DATs.
