W32/Ritacin.worm

Type
Virus
SubType
Worm
Discovery Date
08/20/2007
Length
81,920 bytes
Minimum DAT
5102 (08/21/2007)
Updated DAT
5330 (07/02/2008)
Minimum Engine
5.1.00
Description Added
08/20/2007
Description Modified
08/20/2007 2:22 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

Detection was added for a worm originally distributed as "cerita cinta.exe" (Indonesian for "love story"), with a file size of 81,920 bytes.

The file is not packed.

The file was compiled with Microsoft Visual Basic 6.0 (msvb60).

It carries a Microsoft Word document icon to disguise what is in fact a 32-bit PE executable.

On execution it runs silently; no GUI messages are shown.

It copies itself into the System32 directory and creates the following registry Run entries so that the copies are launched at system start (C:\WINNT is the Windows directory of the analysis system; "Svseehost.exe" is a look-alike of the legitimate svchost.exe name):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "BITCH", Data: C:\WINNT\System32\Bitch.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "LIAR", Data: C:\WINNT\System32\Liar.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SVSEEHOST", Data: C:\WINNT\System32\Svseehost.exe

The worm spreads by copying itself to local and mapped network drives.

It may copy itself under different names, such as the following (the file names are Indonesian romantic phrases; "user###" stands for the logged-on user's profile name):

  • Loadme.reg.exe
  • c:\Ada apa dengan cinta.exe
  • c:\Documents and Settings\All Users\Application Data\Intrik cinta.exe
  • c:\Documents and Settings\All Users\Documents\Kau pilih dia.exe
  • c:\Documents and Settings\All Users\Start Menu\Programs\Startup\Loadme.pif
  • c:\Documents and Settings\user###\Application Data\Kau dan aku.exe
  • c:\Documents and Settings\user###\Local Settings\Cinta membawamu kembali.exe
  • c:\Documents and Settings\user###\Local Settings\Application Data\Di balas dengan dusta.exe
  • c:\Documents and Settings\user###\My Documents\Tercipta untukmu.exe
  • c:\Documents and Settings\user###\My Documents\My Pictures\Cintailah cinta.exe
  • c:\WINNT\system32\Bitch.exe
  • c:\WINNT\system32\Liar.exe
  • c:\WINNT\system32\Svseehost.exe

Loadme.pif in the All Users Startup folder gives the worm a second autostart route that does not depend on the registry Run entries: Windows treats a .pif file as executable, so a PE image renamed to .pif still runs from there.

It may interfere with Microsoft Outlook, although this was not observed during testing.

If the user opens Windows Task Manager, it stays open for only a few seconds before the worm terminates it.

It also tries to suppress the Windows File Protection pop-up dialogs (the warnings shown when a protected system file is replaced).
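The indicators above (the three Run values, the dropped file names, and the 81,920-byte unpacked PE behind a Word icon) can be turned into a simple host check. The script below is an added example written for this page; it is not McAfee's detection logic and is not taken from the original description. Beyond what the page states, it assumes that the same file names may appear under any %SystemRoot% rather than only C:\WINNT, and its dry run uses constructed Run-key data; the live registry and file probes run only on Windows.

```python
"""Host check for the W32/Ritacin.worm indicators listed in this description.

Added example for this page; it is not McAfee's detection logic. On Windows,
collect_live() reads the real HKLM Run key and looks for the dropped files;
on any OS the matching functions can be fed constructed data, as in the demo.
"""
import ntpath
import os
import re
import sys

# Indicators taken from the description. The description shows C:\WINNT
# (the Windows directory of the analysis system); the matching below assumes
# the same file names may appear under any %SystemRoot% (e.g. C:\WINDOWS).
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUES = {"BITCH": "Bitch.exe", "LIAR": "Liar.exe", "SVSEEHOST": "Svseehost.exe"}
DROP_NAMES = {
    "cerita cinta.exe", "loadme.reg.exe", "ada apa dengan cinta.exe",
    "intrik cinta.exe", "kau pilih dia.exe", "loadme.pif", "kau dan aku.exe",
    "cinta membawamu kembali.exe", "di balas dengan dusta.exe",
    "tercipta untukmu.exe", "cintailah cinta.exe",
    "bitch.exe", "liar.exe", "svseehost.exe",
}
FILE_SIZE = 81920  # bytes, as given in the description (unpacked VB6 PE)

# <drive>:\<windows dir>\system32\<name>, compared case-insensitively
_SYS32 = r"(?i)[a-z]:\\[^\\]+\\system32\\"


def check_run_entries(entries):
    """entries: iterable of (value_name, data) pairs read from the Run key.

    Returns the entries that match the worm's autostart values: a value name
    of BITCH, LIAR or SVSEEHOST (case-insensitive) whose data is the expected
    file name inside a System32 directory. Quotes around the path are
    tolerated; a legitimate svchost.exe under SVSEEHOST does not match."""
    hits = []
    for name, data in entries:
        want = RUN_VALUES.get(name.upper())
        if want is None:
            continue
        path = data.strip().strip('"')
        if re.fullmatch(_SYS32 + re.escape(want), path):
            hits.append((name, data))
    return hits


def check_paths(paths):
    """paths: iterable of file paths in Windows syntax (usable from any OS).

    Returns the paths whose file name is one of the names the worm drops.
    Only the base name is compared, so the user### profile placeholder in the
    description needs no special handling. Loadme.pif in the All Users Startup
    folder is an autostart route independent of the Run key: Windows executes
    .pif files, so a renamed PE still runs from there."""
    return [p for p in paths if ntpath.basename(p).lower() in DROP_NAMES]


def matches_size_and_pe(data):
    """data: the bytes of a candidate file.

    True if the file is exactly 81,920 bytes and is an MZ/PE image, i.e. a
    32-bit executable whatever icon it presents. A triage filter before
    submitting a suspect file, not a definitive identification."""
    if len(data) != FILE_SIZE or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def collect_live():
    """On Windows, read the real Run key and probe System32 for the dropped
    files; returns (run_hits, file_hits). On other systems returns empty lists."""
    if sys.platform != "win32":
        return [], []
    import winreg  # standard library, Windows only
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries.append((name, str(data)))
            index += 1
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32")
    candidates = [os.path.join(system32, n) for n in RUN_VALUES.values()]
    return check_run_entries(entries), check_paths([p for p in candidates if os.path.isfile(p)])


if __name__ == "__main__":
    # Constructed Run-key dump for an offline dry run; not from a real host.
    demo_entries = [
        ("BITCH", r"C:\WINNT\System32\Bitch.exe"),
        ("svseehost", r'"C:\WINDOWS\system32\Svseehost.exe"'),
        ("SVSEEHOST", r"C:\WINDOWS\system32\svchost.exe"),  # legitimate name, no hit
        ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ]
    print("run-key hits:", check_run_entries(demo_entries))
    print("live check:", collect_live())
```

Run it as Administrator on the suspect host for the live check; elsewhere it prints only the result for the constructed data. Requiring the expected file name in System32, rather than matching on the value name alone, keeps an unrelated entry that happens to reuse one of these value names from being flagged.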

Symptoms

  • Presence of a file originally called "cerita cinta.exe" with a file size of 81,920 bytes.
  • The file shows a Microsoft Word document icon but is a 32-bit PE executable.
  • Presence of the registry Run entries listed above.
  • Windows Task Manager closes within a few seconds of being opened, because the worm terminates it.

Method of Infection

  • The worm spreads by copying itself to local and mapped network drives.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files to hook system startup are removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Aliases

  • virus.win32.vb.eh (AVP, Kaspersky)
  • worm/vb.bij (AVG)
