W32/Vora.worm!p2p
- Type: Virus
- SubType: Worm
- Discovery Date: 11/14/2007
- Length: 41.127 bytes decimal
- Minimum DAT: 5162 (11/13/2007)
- Updated DAT: 5164 (11/15/2007)
- Minimum Engine: 5.1.00
- Description Added: 11/14/2007
- Description Modified: 11/14/2007 5:18 AM (PT)
Characteristics
Detection was added to cover a worm file originally called "protector.exe", with a file size of 41.127 bytes decimal.
It is detected heuristically by the currently released DAT-5162 as "virus or variant New Worm".
Specific detection as W32/Vora.worm!p2p will be added in DAT-5164 and above.
The file is not internally compressed with a packer.
Upon running, a small GUI message box appears on the screen.
The caption of the message box is: Doomsday Has Come...
The message in the message box is: YOU ARE iNFECTED BY RAVO_5002
Clicking the OK button has little effect: the message box does not go away, it keeps reappearing.
The process can easily be killed manually in Windows Task Manager: the malicious binary is visible in the process list and also in the Applications tab. VirusScan is able to kill it automatically.
The worm tries to spread over peer-to-peer shared folders. Executing the malicious binary is a manual step; there is no exploit associated with it.
It tries to spread using:
- BearShare
- eMule
- Morpheus
- Shareaza
- Kazaa
It may appear under deceptive filenames such as:
- Windows.Activation.Crack.Final-ETH0.zip
- systemcrack.exe
- Windows.Live.Messenger.Beta.Serial.Generator-PARADOX.zip
- msngen.exe
- Virtua.Girl.Serial.Pack.wih.10.Girls-TorrentZ.zip
- virtuagrl.exe
- MSN.Hacker.zip
- msnhack.exe
- Hotmail.Hacker.zip
- hotmailhack.exe
- Aim.Hacker.zip
- aimhack.exe
- Counterstrike.Source.aimbot.zip
- aimbot.exe
- Xbox.Live.Serial.Generator.zip
- xblgen.exe
- Saddam.Hanging-NEW-VERSION!.zip
- Saddam hang you bitch!.exe
- XXX.Passes.Juli.2007.zip
- passlist.txt______________________________________.exe
It might also try to spread over IRC networks, using DCC SEND with filenames such as:
- RULES.TXT______________________________________.exe
- CHANNEL-RULES.zip
Upon infection it might create an autorun entry pointing to the malicious binary.
Symptoms
- Presence of the mentioned file with a matching file size
- Repeated reappearance of a small GUI message box with the caption Doomsday Has Come... and the message YOU ARE iNFECTED BY RAVO_5002
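A defender's check for the file indicators described above, as an added example that is not part of the original write-up: it flags files in a shared folder, and members of .zip archives found there, by lure name, padded double extension, or matching size. It assumes "41.127 bytes" means 41,127 bytes; the function names and the list of benign-looking extensions are illustrative choices.

```python
import os
import re
import zipfile

# Size from the write-up, reading "41.127 bytes" as 41,127 bytes (assumption).
SAMPLE_SIZE = 41127

# A subset of the executable lure names listed on this page (lower-cased).
LURE_NAMES = {
    "protector.exe", "systemcrack.exe", "msngen.exe", "virtuagrl.exe",
    "msnhack.exe", "hotmailhack.exe", "aimhack.exe", "aimbot.exe", "xblgen.exe",
}

# Benign-looking extension, a run of padding, then the real executable
# extension, e.g. "passlist.txt______.exe". Extension lists are illustrative.
PADDED_EXT = re.compile(
    r"\.(txt|doc|pdf|jpg|zip)[_\s]{3,}\.(exe|scr|com|pif|bat)$", re.I)


def classify(name, size):
    """Return the reasons a (file name, size) pair matches the indicators."""
    reasons = []
    base = os.path.basename(name).lower()
    if base in LURE_NAMES:
        reasons.append("lure-name")
    if PADDED_EXT.search(base):
        reasons.append("padded-double-extension")
    if size == SAMPLE_SIZE and base.endswith(".exe"):
        reasons.append("size-match")
    return reasons


def scan_share(root):
    """Walk a shared folder; also check member names and sizes inside .zip files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            reasons = classify(fname, os.path.getsize(path))
            if reasons:
                hits[path] = reasons
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for info in zf.infolist():
                        reasons = classify(info.filename, info.file_size)
                        if reasons:
                            hits[path + "!" + info.filename] = reasons
    return hits
```

A name or size match is only a triage signal; confirm any hit with the engine and DAT versions named on this page.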
Method of Infection
- The worm tries to spread over peer-to-peer shared folders. Executing the malicious binary is a manual step; there is no exploit associated with it.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Aliases
- generic worm (panda)
- p2p-worm.win32.agent.ak (avp)
- w32.sillyfdc (nav)
- w32/smallworm.amx (norman)
- win32.hllw.ravo (drweb)
- worm/generic.csp (avg)
- worm:win32/agent.fu (msmp)