W32/Realcen@M

Type: Virus
SubType: Email
Discovery Date: 03/04/2008
Length:
Minimum DAT: 5244 (03/04/2008)
Updated DAT: 5244 (03/04/2008)
Minimum Engine: 5.1.00
Description Added: 03/04/2008
Description Modified: 03/09/2008 11:24 PM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

When executed, this worm displays the following message:


The worm drops the following files:

  • C:\autorun.inf
  • C:\RECYCLER\Oil.exe
  • %System%\windows.exe
  • %System%\WinMail.vxd
  • %System%\WinMS.vxd
  • %System%\WinSrc.vxd

Note:

%System% is a variable location and refers to the Windows system directory, typically C:\Windows\System32 on Windows XP (C:\WinNT\System32 on Windows 2000 and C:\Windows\System on Windows 9x/ME).

The following registry value is modified so that the worm runs at every interactive logon:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit = "windows.exe,userinit.exe"

Winlogon starts each comma-separated program in Userinit in turn, so the dropped windows.exe (given without a path, it resolves to the copy in %System%) runs before the legitimate userinit.exe and therefore before the user's shell. The stock value on Windows XP is "C:\WINDOWS\system32\userinit.exe," (the trailing comma is part of the default), so anything else in this value is suspect.

Symptoms

Presence of the files and registry entry listed above.
Presence of the following autorun.inf file in the root of removable, fixed and network drives:


Method of Infection

This worm spreads by copying itself to network shares and removable drives, together with an “Autorun.inf” that points to the copy.

Infection starts either with manual execution of the worm’s file or simply by browsing to the drive or folder containing it: where AutoRun is enabled, Windows reads the “Autorun.inf” and runs the program it names, so the worm executes without the user deliberately opening it.
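The Userinit change under Characteristics and the Autorun.inf propagation described here can be checked with a short script. The following is an added example, not McAfee/AVERT code: it lists every program a given autorun.inf would launch and every Userinit entry other than the genuine userinit.exe, then compares them with the file names the description says the worm drops. The autorun.inf text is constructed for the demonstration (the description does not reproduce the worm's actual file), the XP default Userinit value is quoted from memory of a stock install, and the function names are the author's own.

```python
"""Host triage for the indicators above: an unexpected Userinit entry and an
autorun.inf that launches a program from a drive root.

Added example, not McAfee/AVERT code. The autorun.inf below is constructed;
on a live host you would read the Userinit value from HKLM\\...\\Winlogon and
the autorun.inf from the root of each drive instead.
"""
import configparser
import re
from typing import List

# Windows XP default; the trailing comma is part of the stock value.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# File names the description lists as dropped by the worm (lower-cased).
DROPPED_NAMES = {"windows.exe", "winmail.vxd", "winms.vxd", "winsrc.vxd", "oil.exe"}


def basename(command: str) -> str:
    """Executable name from a command line, lower-cased.

    Accepts a quoted or unquoted path, with or without arguments, using
    either path separator. Unquoted paths containing spaces are truncated
    at the first space, as Windows itself would treat them ambiguously.
    """
    command = command.strip()
    m = re.match(r'"([^"]*)"|(\S+)', command)
    exe = (m.group(1) or m.group(2)) if m else command
    return re.split(r"[\\/]", exe)[-1].lower()


def userinit_extra_entries(value: str) -> List[str]:
    """Return every Userinit entry that is not the genuine userinit.exe.

    Winlogon starts each comma-separated entry at interactive logon, so any
    extra entry runs for every user before the shell appears.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and basename(entry) != "userinit.exe":
            extras.append(entry)
    return extras


def autorun_launch_targets(text: str) -> List[str]:
    """Return the distinct commands an autorun.inf would run on drive open.

    Looks under [autorun] (section name is case-insensitive) for open=,
    shellexecute= and shell\\<verb>\\command= keys, the entries that execute
    code on XP-era systems with AutoRun enabled.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    targets: List[str] = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, val in cp.items(section):  # keys are lower-cased by configparser
            if key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key):
                targets.append(val.strip())
    return list(dict.fromkeys(targets))  # de-duplicate, keep order


def autorun_hits(text: str) -> List[str]:
    """Launch targets whose executable name matches a file the worm drops."""
    return [t for t in autorun_launch_targets(text) if basename(t) in DROPPED_NAMES]


# Constructed sample: a hypothetical autorun.inf that starts the dropped
# C:\RECYCLER\Oil.exe. It is modelled on the description, not taken from it.
SAMPLE_AUTORUN = """\
[AutoRun]
open=RECYCLER\\Oil.exe
shell\\open\\Command=RECYCLER\\Oil.exe
shell=open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

SAMPLE_USERINIT = "windows.exe,userinit.exe"  # the value the description reports


if __name__ == "__main__":
    print("Userinit extras:", userinit_extra_entries(SAMPLE_USERINIT))
    print("autorun targets:", autorun_launch_targets(SAMPLE_AUTORUN))
    print("autorun hits:   ", autorun_hits(SAMPLE_AUTORUN))
```

The shell\<verb>\command form matters as much as open=: on Windows XP a double-click on the drive in Explorer runs the default verb's command, so an autorun.inf with only that key still executes the worm when the drive is browsed.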

The worm also uses its own SMTP engine to send itself as an attachment to email addresses harvested from the infected machine. Because it does not go through the user’s mail client, direct outbound SMTP (TCP port 25) from a workstation to external mail servers is the network-level symptom to look for.

Email Subjects:

Hidden Realities?!
Amazing Censorship?!
Why War?!

Body:

Censored Parts of Implementation of the NPT Safeguards Agreement in the Islamic Republic of Iran
...
3. During the discussions, the Iranian leadership stated that the country's nuclear programme had always been exclusively for peaceful purposes and that there had never been a nuclear weapons development programme. The Iranian authorities agreed to accelerate implementation of the work plan.
...
F. Summary

52. The Agency has been able to continue to verify the non-diversion of declared nuclear material in Iran. Iran has provided the Agency with access to declared nuclear material and has provided the required nuclear material accountancy reports in connection with declared nuclear material and activities. Iran has also responded to questions and provided clarifications and amplifications on the issues raised in the context of the work plan, with the exception of the alleged studies. Iran has provided access to individuals in response to the Agency's requests
.... ......

Attachment:

CensoredParts.pif (99,679 bytes)
CensoredParts.Scr (99,679 bytes)
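As an added example (not McAfee/AVERT code) of turning the subjects and attachment names above into a mail-gateway check, the script below parses a message, flags attachments whose extension Windows executes directly (.pif and .scr included, whatever icon they display), and quarantines messages that match the listed subjects or attachment names. The sample messages are constructed inline by build_sample(); the body is a one-line placeholder rather than the full lure, and the addresses and function names are the author's own.

```python
"""Mail-gateway check for the lure described above: the listed subjects and
executable attachments dressed up as documents.

Added example, not McAfee/AVERT code. Messages are constructed in
build_sample() so the script runs offline.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Subjects and attachment names taken from the description.
KNOWN_SUBJECTS = {"Hidden Realities?!", "Amazing Censorship?!", "Why War?!"}
KNOWN_ATTACHMENTS = {"censoredparts.pif", "censoredparts.scr"}
# Extensions Windows executes directly, regardless of the icon shown.
EXEC_EXTENSIONS = (".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs", ".js")


def mail_indicators(raw: bytes) -> Dict[str, object]:
    """Parse one RFC 5322 message and score it against the lure indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    flagged: List[str] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        low = name.lower()
        if low in KNOWN_ATTACHMENTS or low.endswith(EXEC_EXTENSIONS):
            flagged.append(name)
    subject_hit = subject in KNOWN_SUBJECTS
    known_hit = any(n.lower() in KNOWN_ATTACHMENTS for n in flagged)
    if known_hit or (subject_hit and flagged):
        verdict = "quarantine"   # matches the worm's own indicators
    elif flagged:
        verdict = "review"       # executable attachment from an unknown campaign
    else:
        verdict = "pass"
    return {"subject_match": subject_hit, "flagged_attachments": flagged, "verdict": verdict}


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message with one attachment (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Censored Parts of Implementation of the NPT Safeguards Agreement ...")
    # Stand-in payload: a short byte string with an MZ header, not the worm.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("Why War?!", "CensoredParts.pif"),
                        ("Quarterly figures", "figures.txt"),
                        ("Photos", "holiday.scr")]:
        print(subj, "/", fname, "->", mail_indicators(build_sample(subj, fname)))
```

The extension check is the durable part: subject lines change between variants, but a .pif or .scr attachment is an executable however it is named, and the "review" verdict catches those before a signature exists.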


Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly for files received via P2P clients, IRC, email or other media where users share files; .pif and .scr attachments are executables whatever icon they display.

After cleaning, confirm that the Winlogon Userinit value has been restored to its default (on Windows XP, "C:\WINDOWS\system32\userinit.exe,"), and remove the autorun.inf and worm copies from the root of every removable, fixed and mapped network drive, otherwise the host can be reinfected as soon as a drive is browsed again. Disabling AutoRun for all drive types (NoDriveTypeAutoRun = 0xFF under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer) closes the automatic-execution path for drives inserted later.

Variants

    N/A

Overview

This description is for a worm that spreads via email.

The characteristics of this worm, such as the file names and port numbers used, will differ depending on how the attacker configured it; the details above are therefore a general description.
