McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32.Supova.B.worm (Symantec)

• W32/Supova.E (Panda)

• Win32.Kitty.d (ESafe)

• Win32.Supova.D.pac (VET)

• Worm.P2P.Surnova.d (AVP)

Characteristics

The Low-Profiled risk assessment of this threat was due to media attention.

This is a minor variant of W32/Supova, and is generically identified as W32/Supova.Worm with current engine and definitions.

This worm is designed to propagate through the KaZaa peer-to-peer file-sharing network and MSN Messenger. It attempts to lure KaZaa users into downloading and running itself by posing as software titles that users may find enticing.

When run, the worm displays a bogus error message:

It then copies itself to the C:\Windows\Media folder as the following file names:

• a.exe
• age of empires 2 crack.exe
• battle.net key generator (works!!).exe
• britney spears hard porn (real!).exe
• britney spears nude.exe
• cable modem uncapper.exe
• christina aguilera fuck (real!).exe
• clonecd + crack.exe
• clonecd all-versions key generator.exe
• copy protection remover.exe
• crazy taxi crack.exe
• divx codec v6.0.exe
• divx newest version.exe
• divx patch - increases quality.exe
• divx pro key generator.exe
• divx.exe
• doom 3 preview!!.exe
• doom 3 screenshots.exe
• dragonball z complete episode guide.exe
• dragonball z episode 1.exe
• dragonball z shootout.exe
• dragonball z.exe
• gamecube emulator (works!!).exe
• grand prix 4 crack.exe
• grand theft auto 3 cd1 crack.exe
• grand theft auto 3 trainer.exe
• gta3 crack.exe
• hack into any computer!!.exe
• half-life online key generator.exe
• half-life won key generator.exe
• jedi knight 2 crack.exe
• j-lo nude (real!!).exe
• kazaa hack.exe
• kazaa lite.exe
• kazaa media desktop v2.0 unofficial.exe
• kazaa spyware remover.exe
• key generator for all windows xp versions.exe
• key generator for over 1,000 applications (really!).exe
• kiddy child incest porn.exe
• macromedia dreamweaver mx key generator.exe
• macromedia flash mx key generator.exe
• macromedia mx key generator (all products).exe
• microsoft key generator, works for all microsoft products!!.exe
• microsoft office xp (english) key generator.exe
• microsoft office xp.iso.exe
• microsoft windows xp crack pack.exe
• neverwinter nights crack.exe
• nokia simlock remover (includes new models).exe
• norton antivirus 2002.exe
• quake 4 beta.exe
• resident evil [divx].exe
• sex.exe
• shrek.exe
• star wars episode 2 downloader.exe
• starcraft 2 preview!.exe
• starcraft battle.net key generator.exe
• starcraft online crack.exe
• warcraft 3 battle.net serial generator.exe
• warcraft 3 online key generator.exe
• warcraft 3 trainer.exe
• windows xp key generator.exe
• windows xp serial generator.exe
• winrar + crack.exe
• winzip 8.0 + serial.exe
• xbox emulator (works!!).exe
• xbox.info.exe

A copy is also saved to the WINDOWS directory as BigMac.exe. A registry run key is created to load the worm at startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run\Supernova=C:\WINDOWS\BigMac.exe

A text file is saved to the WINDOWS directory with a random 11-character name that reads:

W32.Supernova - Ban religion
---------------------------------------------------
Religion = War
Religion = Based on fairytales
Wars based on fairytales?
Ban religion, welcome to the truth
---------------------------------------------------

The worm also attempts to use MSN Messenger to send itself to users on the contact list. However, this functionality did not work properly during testing. The worm is designed to send one of the following messages to MSN Messenger users:

• Hehe, check this out :-)
• Funny, check it out
• LOL!! See this :D
• LOL!! Check this out :)
• Hehe, this is fun :-)

This worm contains 2 payloads. One activates on the 5th of the month and uses PING as a denial of service attack against three Internet domains:

• www.beliefnet.com
• www.christianity.com
• www.islamicity.com

The other payload activates on the 7th of the month and displays several message boxes and deletes all files in the %WinDir%, %WinDir%\System, and %WinDir%\System32 folders.

Symptoms

Presence of the following files in the WINDOWS directory:

• Desktop-shooting.exe
  
• Hello-Kitty.exe
  
• BigMac.exe
  
• Cheese-Burger.exe
  
• Blaargh.exe
  

Presence of the files mentioned in the C:\Windows\Media folder.

Method of Infection

This worm attempts to use the KaZaa file-sharing network and MSN Messenger instant messaging network to spread. The worm cannot propagate on it's own without either of these programs installed on the local system. It does not contain any other payload other than to propagate.

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32.Supova.B.worm (Symantec)

• W32/Supova.E (Panda)

• Win32.Kitty.d (ESafe)

• Win32.Supova.D.pac (VET)

• Worm.P2P.Surnova.d (AVP)

Characteristics

Characteristics -

The Low-Profiled risk assessment of this threat was due to media attention.

This is a minor variant of W32/Supova, and is generically identified as W32/Supova.Worm with current engine and definitions.

This worm is designed to propagate through the KaZaa peer-to-peer file-sharing network and MSN Messenger. It attempts to lure KaZaa users into downloading and running itself by posing as software titles that users may find enticing.

When run, the worm displays a bogus error message:

It then copies itself to the C:\Windows\Media folder as the following file names:

• a.exe
• age of empires 2 crack.exe
• battle.net key generator (works!!).exe
• britney spears hard porn (real!).exe
• britney spears nude.exe
• cable modem uncapper.exe
• christina aguilera fuck (real!).exe
• clonecd + crack.exe
• clonecd all-versions key generator.exe
• copy protection remover.exe
• crazy taxi crack.exe
• divx codec v6.0.exe
• divx newest version.exe
• divx patch - increases quality.exe
• divx pro key generator.exe
• divx.exe
• doom 3 preview!!.exe
• doom 3 screenshots.exe
• dragonball z complete episode guide.exe
• dragonball z episode 1.exe
• dragonball z shootout.exe
• dragonball z.exe
• gamecube emulator (works!!).exe
• grand prix 4 crack.exe
• grand theft auto 3 cd1 crack.exe
• grand theft auto 3 trainer.exe
• gta3 crack.exe
• hack into any computer!!.exe
• half-life online key generator.exe
• half-life won key generator.exe
• jedi knight 2 crack.exe
• j-lo nude (real!!).exe
• kazaa hack.exe
• kazaa lite.exe
• kazaa media desktop v2.0 unofficial.exe
• kazaa spyware remover.exe
• key generator for all windows xp versions.exe
• key generator for over 1,000 applications (really!).exe
• kiddy child incest porn.exe
• macromedia dreamweaver mx key generator.exe
• macromedia flash mx key generator.exe
• macromedia mx key generator (all products).exe
• microsoft key generator, works for all microsoft products!!.exe
• microsoft office xp (english) key generator.exe
• microsoft office xp.iso.exe
• microsoft windows xp crack pack.exe
• neverwinter nights crack.exe
• nokia simlock remover (includes new models).exe
• norton antivirus 2002.exe
• quake 4 beta.exe
• resident evil [divx].exe
• sex.exe
• shrek.exe
• star wars episode 2 downloader.exe
• starcraft 2 preview!.exe
• starcraft battle.net key generator.exe
• starcraft online crack.exe
• warcraft 3 battle.net serial generator.exe
• warcraft 3 online key generator.exe
• warcraft 3 trainer.exe
• windows xp key generator.exe
• windows xp serial generator.exe
• winrar + crack.exe
• winzip 8.0 + serial.exe
• xbox emulator (works!!).exe
• xbox.info.exe

A copy is also saved to the WINDOWS directory as BigMac.exe. A registry run key is created to load the worm at startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  Run\Supernova=C:\WINDOWS\BigMac.exe

A text file is saved to the WINDOWS directory with a random 11-character name that reads:

W32.Supernova - Ban religion
---------------------------------------------------
Religion = War
Religion = Based on fairytales
Wars based on fairytales?
Ban religion, welcome to the truth
---------------------------------------------------

The worm also attempts to use MSN Messenger to send itself to users on the contact list. However, this functionality did not work properly during testing. The worm is designed to send one of the following messages to MSN Messenger users:

• Hehe, check this out :-)
• Funny, check it out
• LOL!! See this :D
• LOL!! Check this out :)
• Hehe, this is fun :-)

This worm contains 2 payloads. One activates on the 5th of the month and uses PING as a denial of service attack against three Internet domains:

• www.beliefnet.com
• www.christianity.com
• www.islamicity.com

The other payload activates on the 7th of the month and displays several message boxes and deletes all files in the %WinDir%, %WinDir%\System, and %WinDir%\System32 folders.

Symptoms

Symptoms -

Presence of the following files in the WINDOWS directory:

• Desktop-shooting.exe
  
• Hello-Kitty.exe
  
• BigMac.exe
  
• Cheese-Burger.exe
  
• Blaargh.exe
  

Presence of the files mentioned in the C:\Windows\Media folder.

Method of Infection

Method of Infection -

This worm attempts to use the KaZaa file-sharing network and MSN Messenger instant messaging network to spread. The worm cannot propagate on it's own without either of these programs installed on the local system. It does not contain any other payload other than to propagate.

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A