W32/Whitebait.gen@MM

Type
Virus
SubType
Win32
Discovery Date
01/29/2002
Length
633,344 bytes dropper
190,976 bytes
Minimum DAT
4184 (01/30/2002)
Updated DAT
4302 (11/05/2003)
Minimum Engine
5.1.00
Description Added
01/30/2002
Description Modified
01/31/2002 8:46 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This mass-mailing worm drops a remote access trojan and attempts to send itself to email addresses found within files on the local system. Currently this worm is incapable of emailing itself to others because the hard-coded mail server it uses (smtp.wanadoo.fr) has turned relaying off. The worm is designed to send itself using the following information:

From: security@microsoft.com
Subject: WARNING : Black_Piranha

(Body, translated from French:) If you can read this e-mail, it is because Microsoft services have detected the presence of the Black_Piranha virus on your Windows system. To disinfect your system, all you have to do is run the attached program. For more information: http://www.microsoft.com

Attachment: MSsecu.exe

Executing the attachment infects the local machine. The MSsecu.exe file is copied to the WINDOWS directory. It is a dropper program, which displays pornographic images in a window.

It drops the main worm and trojan component to the WINDOWS directory as WINSYSTEM.EXE and creates a registry run key to load it at startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinSystem=C:\WINDOWS\WinSystem.exe
WinSystem gathers email addresses from the following files:
  • .ASP
  • .HTM
  • .HTML
  • .PHP
  • README.TXT
These addresses are saved to the file BDN.COM in the WINDOWS directory. The worm also acts as a backdoor trojan, listening on port 314 and emails your IP address to the author: mister_314@pokelord.zzn.com

Symptoms

Presence of the following files:

  • %WinDir%\BDN.COM
  • %WinDir%\MSSECU.EXE
  • %WinDir%\WINSYSTEM.EXE
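As an added example (not McAfee's code), the following Python evaluates a host snapshot against the indicators given in Characteristics and Symptoms: the three dropped files, the WinSystem Run value, the port 314 listener, and outbound mail to the author's address. The snapshot format, the `triage`/`is_infected` names and the sample values are assumptions constructed for this example.

```python
"""Triage helper for the W32/Whitebait.gen@MM indicators in this description.
Added example, not McAfee's code. A real snapshot would come from a collection
tool; the dictionary layout used here is an assumption for this example."""

# Indicators taken from the description above.
DROPPED_FILES = {"bdn.com", "mssecu.exe", "winsystem.exe"}
RUN_KEY_PATH = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "winsystem"
BACKDOOR_PORT = 314
EXFIL_ADDRESS = "mister_314@pokelord.zzn.com"


def triage(snapshot):
    """Return a list of (severity, finding) tuples for one host snapshot.

    snapshot keys (constructed layout for this example):
      "windir_files": file names found in %WinDir%
      "run_values":   {value_name: command} under the HKLM Run key
      "listen_ports": set of TCP ports with a listener
      "smtp_rcpts":   recipient addresses seen in outbound SMTP
    """
    findings = []
    present = {f.lower() for f in snapshot.get("windir_files", [])}
    for name in sorted(DROPPED_FILES & present):          # case-insensitive match
        findings.append(("high", f"%WinDir%\\{name.upper()} present"))
    for value, cmd in snapshot.get("run_values", {}).items():
        if value.lower() == RUN_VALUE_NAME or "winsystem.exe" in cmd.lower():
            findings.append(("high", f"{RUN_KEY_PATH}\\{value} -> {cmd}"))
    if BACKDOOR_PORT in snapshot.get("listen_ports", set()):
        findings.append(("medium", f"TCP listener on port {BACKDOOR_PORT}"))
    for rcpt in snapshot.get("smtp_rcpts", []):
        if rcpt.lower() == EXFIL_ADDRESS:
            findings.append(("high", f"outbound mail to {rcpt}"))
    return findings


def is_infected(snapshot):
    """A host is flagged when the dropped binaries or the startup hook are seen."""
    return any(sev == "high" for sev, _ in triage(snapshot))


# Constructed sample snapshots: one host as the description portrays it, one clean.
SAMPLE_INFECTED = {
    "windir_files": ["explorer.exe", "WinSystem.exe", "bdn.com", "MSsecu.exe"],
    "run_values": {"WinSystem": r"C:\WINDOWS\WinSystem.exe"},
    "listen_ports": {135, 314},
    "smtp_rcpts": ["mister_314@pokelord.zzn.com"],
}
SAMPLE_CLEAN = {"windir_files": ["explorer.exe"], "run_values": {}, "listen_ports": {135}}
```

Because the DAT-based cleaner removes the Run value, the port 314 listener alone is rated lower than the file and registry findings; re-run the check after cleaning to confirm all findings are gone.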

Method of Infection

Currently this worm is unable to send itself via email as the SMTP server specified prevents it from doing so.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Backdoor.Blaire (AVP)
  • W32.Whitebait@mm (NAV)
  • Win32.WhiteBait (CA)
