W32/Roach@MM

Type
Virus
SubType
Internet Worm
Discovery Date
05/09/2001
Length
Varies
Minimum DAT
4138 (05/16/2001)
Updated DAT
4138 (05/16/2001)
Minimum Engine
5.1.00
Description Added
05/09/2001
Description Modified
06/27/2001 2:01 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a file-infecting, mass-mailing, worm virus which utilizes encryption and polymorphic techniques. It is very unstable and is unlikely to spread far.

The virus arrives via e-mail with the following information:

Subject: FW: Guess what, you're mine!
Body:

You have been hit

This is the funny-attachment war! You have just been hit and by the rule book you can't hit this person back. To be in the game you need to send this message to five of your friends, try to find some small and funny attachment to send along. If you don't have time use the one you got hit by, go ahead hit someone!

Attachment: COOKIE.ZIP

This COOKIE.ZIP file contains COOKIE.EXE and a text file named FILE_ID.DIZ. The text file contains the text:

                        FortuneCookie 32 - Version 1.0
                                * FREEWARE *

DESCRIPTION:
============

        FortuneCookie 32 is a Windows 32 version of the classical
fortune cookies you can get at some restaurants. It's very simple
double clicking on the cookie.exe file will bring up a fortune cookie.
        This program is freeware so feel free to send out a word of
wisdom to your friends!
The COOKIE program uses an icon of a teddy bear.

When run, the virus copies itself to %WinDir%\KERNEL32.dll and %WinDir%\SYSTEM\KERNEL32.VLL. An entry is created in the WININIT.INI file to replace the valid C:\WINDOWS\SYSTEM\KERNEL32.DLL file with the viral KERNEL32.VLL upon the next system restart.

The infected KERNEL32.DLL file hooks the functions CopyFileA, DeleteFileA, GetFileAttributesA, GetFileAttributesW, and MoveFileA.

A copy of the virus is saved to the file MMSYS32.EXE in the %WinDir%\SYSTEM directory and a registry run key is created to load the virus at startup:

HKLM\Software\Microsoft\CurrentVersion\
Run\MMSYS=%WinDir%\SYSTEM\MMSYS32.EXE

The virus also saves a zipped copy of itself to %WinDir%\SYSTEM\COOKIE.ATT, for use in further mailing. After the next reboot, .EXE files viewed in Explorer are infected.
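The persistence mechanism described above (a WININIT.INI [rename] entry that swaps in KERNEL32.VLL at boot, dropped files under %WinDir%, and a Run value named MMSYS) is easy to check for without the DAT-based scanner. The following triage script is an added example and is not McAfee's code; it parses WININIT.INI's [rename] section (Windows 9x processes "destination=source" lines there on the next boot), checks for the dropped file names the description lists, and looks for the MMSYS Run value. It assumes the standard Run key path HKLM\Software\Microsoft\Windows\CurrentVersion\Run (the description prints the key without the "Windows" component), and runs offline against constructed sample data; on a real host you would pass the actual %WinDir%, the real WININIT.INI contents and the output of read_run_values().

```python
"""Added triage example for the W32/Roach@MM artifacts (not the original page's code)."""
import os
import sys
from typing import Callable, Dict, List

# Files the description says the worm drops, relative to %WinDir%
WINDIR_RELATIVE_DROPS = [
    "KERNEL32.DLL",          # copy placed directly in %WinDir%
    "SYSTEM\\KERNEL32.VLL",  # staged replacement for the real KERNEL32.DLL
    "SYSTEM\\MMSYS32.EXE",   # startup copy loaded via the Run key
    "SYSTEM\\COOKIE.ATT",    # zipped copy kept for further mailing
]
RUN_VALUE_NAME = "MMSYS"
# Assumption: the standard Run key; the page prints it without "Windows\"
RUN_KEY_PATH = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"


def find_wininit_renames(wininit_text: str) -> List[str]:
    """Return [rename] entries whose source file is KERNEL32.VLL."""
    hits = []
    in_rename = False
    for raw in wininit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, src = (p.strip() for p in line.split("=", 1))
            if src.upper().endswith("KERNEL32.VLL"):
                hits.append(f"{dest}={src}")
    return hits


def find_dropped_files(windir: str,
                       exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the full paths of listed drop files that exist under windir."""
    base = windir.rstrip("\\")
    return [f"{base}\\{rel}" for rel in WINDIR_RELATIVE_DROPS if exists(f"{base}\\{rel}")]


def find_run_values(run_values: Dict[str, str]) -> List[str]:
    """Return Run values named MMSYS or pointing at MMSYS32.EXE."""
    return [f"{name}={data}" for name, data in run_values.items()
            if name.upper() == RUN_VALUE_NAME or data.upper().endswith("MMSYS32.EXE")]


def read_run_values() -> Dict[str, str]:
    """Read HKLM Run values on Windows; returns {} elsewhere."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = str(data)
            index += 1
    return values


def triage(windir: str, wininit_text: str, run_values: Dict[str, str],
           exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Collect every indicator found; an all-empty result means nothing matched."""
    return {
        "wininit_renames": find_wininit_renames(wininit_text),
        "dropped_files": find_dropped_files(windir, exists),
        "run_values": find_run_values(run_values),
    }


# Constructed sample data (not captured from a real infection)
SAMPLE_WININIT = """; WININIT.INI
[rename]
NUL=C:\\WINDOWS\\TEMP\\setup.tmp
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL=C:\\WINDOWS\\SYSTEM\\KERNEL32.VLL
"""
SAMPLE_PRESENT = {"C:\\WINDOWS\\SYSTEM\\MMSYS32.EXE", "C:\\WINDOWS\\SYSTEM\\KERNEL32.VLL"}
SAMPLE_RUN = {"SystemTray": "SysTray.Exe", "MMSYS": "C:\\WINDOWS\\SYSTEM\\MMSYS32.EXE"}

if __name__ == "__main__":
    report = triage("C:\\WINDOWS", SAMPLE_WININIT, SAMPLE_RUN,
                    exists=lambda p: p.upper() in SAMPLE_PRESENT)
    for indicator, hits in report.items():
        print(f"{indicator}: {hits}")
```

The WININIT.INI check is the one worth keeping even after cleaning: if a [rename] line still names KERNEL32.VLL as a source, the next reboot will replace the real KERNEL32.DLL again, so that line has to be removed along with the dropped files.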

Symptoms

- Presence of %WinDir%\SYSTEM\MMSYS32.EXE, or COOKIE.EXE
- Increase in file size in .EXE files

Method of Infection

This worm arrives as an email attachment, often named: COOKIE.EXE. Executing this attachment and rebooting your system infects your machine. As the virus is also a file-infector, it may be contracted by executing .EXE files which have been compromised.

Removal

Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner such as:

SCAN C: /CLEAN /ALL

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Efortune.31384@mm (NAV)
  • W32/Raoch.A (Panda)
