W32/Chet@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 09/10/2002
Length: 26,628 bytes
Minimum DAT: 4222 (09/11/2002)
Updated DAT: 4222 (09/11/2002)
Minimum Engine: 5.1.00
Description Added: 09/10/2002
Description Modified: 09/11/2002 1:16 PM (PT)
Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

This is considered a Low-Profile threat due to media attention.

This threat is buggy and fails to function on many systems. The mass-mailing worm sends itself to all addresses found in the Windows Address Book (WAB) and the Outlook address book, using the following message:

From: main@world.com
To: You
Subject: All people!!
Body:

Dear ladies and gentlemen!

   The given letter does not contain viruses, and is not Spam. We ask you to be in earnest to this letter. As you know America and England have begun bombardment of Iraq, cause of its threat for all the world. It isn't the truth. The real reason is in money laundering and also to cover up traces after acts of terrorism September, 11, 2001. Are real proofs of connection between Bush and Al-Qaeda necessary for you? Please! There is a friendly dialogue between Bin Laden and the secretary of a state security of USA in the given photos. In the following photo you'll see, how FBI discusses how to strike over New York to lose people as much as possible. And the document representing the super confidential agreement between CIA and Al-Qaeda is submitted to your attention. All this circus was specially played to powder brains!! You'll find out the truth. Naked truth, instead of TV showed.
   For your convenience, and to make letter less, all documentary materials (photos and MS Word documents) are located in one EXE file. Open it, and all materials will be installed on your computer. You will receive the freshest and classified documents automatically from our site.    It isn't a virus! You can trust us absolutely. We hope, that it will open your eyes on many things occurring in this world.

Attachment: 11september.exe

When the attachment is run, the worm copies itself to the WINDOWS SYSTEM directory as SYNCHOST1.EXE. The original file is then deleted. Two registry keys are created:

  • HKEY_CURRENT_USER\DefaultLcid3=2
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ICQ1=%SysDir%\Synchost1.exe
A 0 byte file, boot.txt, is saved to the root directory. The worm then accesses the Outlook client and, during testing, crashes. Upon reboot the Synchost1.exe file is executed, which sends notification messages to several mail.ru addresses:

From: F**ker
To: Ripper
Subject: Otchet from usersfirst

%address book recipients%
.

The worm then sends itself using SMTP to all address book recipients. A RunOnce registry entry is created to delete the worm at the next startup. This fails: "del" is a built-in of the command interpreter rather than an executable, so it is not recognized when launched directly from the registry.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\Del_Self=del C:\WINDOWS\SYSTEM\SYNCHOST1.EXE
The DefaultLcid3 key value is set to 1:
  • HKEY_CURRENT_USER\DefaultLcid3=1
The next time the SYNCHOST1.EXE is run, the worm attempts to access the modem. The DefaultLcid3 key value is then set to 0:
  • HKEY_CURRENT_USER\DefaultLcid3=0
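A defender-side check for the registry indicators described above, added here as an example and not part of McAfee's description: it parses an offline .reg export of HKEY_CURRENT_USER, flags the Run\ICQ1, RunOnce\Del_Self and DefaultLcid3 entries, and maps the DefaultLcid3 value to the stage the description assigns it. The sample export is constructed, and the value types (REG_SZ vs REG_DWORD) are assumed because the page does not state them.

```python
"""Scan a Windows .reg export (e.g. from `reg export HKCU out.reg`) for the
W32/Chet@MM registry indicators the description lists. Added example, not
McAfee's code; value types are assumed since the page does not state them."""
# Constructed .reg text: one benign Run entry plus the three worm indicators.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER]
"DefaultLcid3"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ICQ1"="C:\\WINDOWS\\SYSTEM\\Synchost1.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Del_Self"="del C:\\WINDOWS\\SYSTEM\\SYNCHOST1.EXE"
'''

# Meaning of the DefaultLcid3 marker at each stage, as the description gives it.
STAGES = {2: "copied to SYNCHOST1.EXE, awaiting reboot",
          1: "mailed itself; RunOnce self-delete scheduled (fails)",
          0: "modem access attempted on a later run"}
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"

def parse_reg(text):
    """Map (key_path, value_name) -> value; REG_DWORD as int, REG_SZ unescaped."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"'):
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                val = int(raw[6:], 16)
            else:  # .reg files double every backslash in string data
                val = raw.strip('"').replace("\\\\", "\\")
            values[(key, name.strip('"').lower())] = val
    return values

def chet_indicators(values):
    """Return one finding string per W32/Chet@MM registry indicator present."""
    findings = []
    icq1 = values.get((RUN_KEY, "icq1"))
    if icq1 and icq1.lower().endswith("synchost1.exe"):
        findings.append(f"Run\\ICQ1 autostarts {icq1}")
    del_self = values.get((RUN_KEY + "once", "del_self"))
    if del_self and "synchost1.exe" in del_self.lower():
        findings.append(f"RunOnce\\Del_Self = {del_self!r} (del is a shell built-in; never runs)")
    lcid = values.get(("hkey_current_user", "defaultlcid3"))
    if lcid is not None:
        n = int(lcid) if str(lcid).isdigit() else -1
        findings.append(f"DefaultLcid3 = {lcid}: {STAGES.get(n, 'unknown stage marker')}")
    return findings
```

Run `chet_indicators(parse_reg(open("out.reg").read()))` against a real export; an empty list means none of the three indicators is present.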

Symptoms

Presence of SYNCHOST1.EXE in the Windows System directory.

Method of Infection

This worm sends itself to all users in the Windows Address Book (WAB) and Outlook Address book using SMTP.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • 11september.exe
  • W32/Anniv911.A-mm
  • Win32.Chet (CA)
  • WORM_CHET.A (Trend)
