W32/Fleming.worm
- Type
- Virus
- SubType
- Internet Worm
- Discovery Date
- 10/09/2002
- Length
- 53,248 bytes (6,688 byte backdoor component)
- Minimum DAT
- 4228 (10/09/2002)
- Updated DAT
- 4228 (10/09/2002)
- Minimum Engine
- 5.1.00
- Description Added
- 10/09/2002
- Description Modified
- 10/14/2002 9:35 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.HLLW.Henpeck (Symantec)
- Win32.HLLM.Fleming.53248 (Dialogue Science)
- WORM_RODOK.A (Trend)
Characteristics
--- Update October 14, 2002 ---
The risk assessment of this threat was updated to Low-Profiled due to media attention.
This virus propagates via MSN Messenger by sending messages containing a URL link pointing to a copy of itself on a remote server. It also attempts to download an additional executable which is a backdoor trojan.
The backdoor trojan is detected as BackDoor-OG by McAfee products using the 4227 DATs or greater. Products running with earlier DATs will detect the packed file heuristically as 'New BackDoor5' (4214+, with program heuristics enabled), or unpack the file and detect exactly as 'BackDoor-OG' (4135+).
When run on the victim machine, this worm displays the following window, faking a key generator:
It then sends a message containing a URL link to the worm via MSN Messenger:
Hey!! Could you please check out this program for me? :) I made it myself and want people to test it. Its a readme with the program that explains what it does! http://(removed).net/downl0ad/BR2002.exe <-- There you can download it! give me advices on what to upgrade please!!
The worm is capable of updating itself by downloading the following file:
http://(removed).net/downl0ad/Update.exe
BackDoor Component
The worm also attempts to download a backdoor trojan from:
http://(removed).net/downl0ad/CS-Keygen.exe
This file is saved as C:\hehe2397824.exe. Many variants of this remote access trojan exist; a generic description is supplied here. Specific details of this variant follow.
When C:\hehe2397824.exe is executed:
- it copies itself to:
c:\WINDOWS\WinUpdat.exeupdate.ur.address (6,688 bytes)
- the following Registry key is added to hook startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WinUpdat" = C:\WINDOWS\WinUpdat.exeupdate.ur.address
- once running, the backdoor server attempts to connect to port 6669 of a remote Internet Relay Chat server and join a specified channel. Once connected, a remote attacker can send commands to the server.
Symptoms
- outgoing MSN messages matching above description
- display of the above window
- existence of the backdoor trojan files (6,688 bytes):
- C:\hehe2397824.exe
- c:\WINDOWS\WinUpdat.exeupdate.ur.address
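As an added triage example (not part of the McAfee description), the following Python checks collected host data against the indicators listed above: the two backdoor files and their 6,688-byte size, the "WinUpdat" Run value, and outgoing messages carrying the worm's "downl0ad" URL pattern. The sample host state at the bottom is constructed, and the URL host in it is a placeholder.

```python
import re

# Indicators transcribed from the Characteristics/Symptoms sections above.
BACKDOOR_FILES = {
    r"C:\hehe2397824.exe": 6688,
    r"C:\WINDOWS\WinUpdat.exeupdate.ur.address": 6688,
}
RUN_VALUE_NAME = "WinUpdat"
# The lure, update and backdoor URLs all share the "downl0ad" (digit zero) path segment.
LURE_URL = re.compile(r"https?://\S+/downl0ad/(?:BR2002|Update|CS-Keygen)\.exe", re.I)


def check_files(listing):
    """listing: {path: size_in_bytes}. Paths are compared case-insensitively."""
    lookup = {p.lower(): s for p, s in listing.items()}
    hits = []
    for path, expected in BACKDOOR_FILES.items():
        size = lookup.get(path.lower())
        if size is None:
            continue
        note = "" if size == expected else f", expected {expected}"
        hits.append(f"file {path} present ({size} bytes{note})")
    return hits

def check_run_values(run_values):
    """run_values: {value_name: data} from HKLM\\...\\CurrentVersion\\Run."""
    return [f"Run value {k} = {v}" for k, v in run_values.items()
            if k.lower() == RUN_VALUE_NAME.lower()
            or "winupdat.exe" in str(v).lower()]

def check_messages(messages):
    """messages: iterable of outgoing MSN message bodies."""
    return [m for m in messages if LURE_URL.search(m)]

def scan(listing, run_values, messages):
    return check_files(listing) + check_run_values(run_values) + check_messages(messages)


# Constructed sample host state; not taken from a real infection.
SAMPLE_FILES = {r"c:\windows\notepad.exe": 69632, r"C:\hehe2397824.exe": 6688}
SAMPLE_RUN = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
              "WinUpdat": r"C:\WINDOWS\WinUpdat.exeupdate.ur.address"}
SAMPLE_MSGS = ["see you at 5",
               "Hey!! Could you please check out this program for me? :) "
               "http://example.invalid/downl0ad/BR2002.exe <-- There you can download it!"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_MSGS):
        print("[!]", finding)
```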
Method of Infection
The worm spreads by sending messages via MSN Messenger containing a URL link to a remote copy of itself. It also downloads a backdoor trojan.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Additional Windows ME/XP removal considerations
Variants
N/A