Content

W32/Veedna.worm

Type
Virus
SubType
P2P Worm
Discovery Date
10/07/2002
Length
15,360 bytes
15,872 bytes
Minimum DAT
4229 (10/16/2002)
Updated DAT
4269 (06/04/2003)
Minimum Engine
5.1.00
Description Added
10/22/2002
Description Modified
05/30/2003 12:05 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

-- Update 30 May 2003 --
Two new variants were discovered - detected as "New P2P Worm" proactively since 4243 DATs. Detection by name was added to 4268 DATs.
--

This is a floppy and KaZaa peer-to-peer file sharing network worm. It propagates by altering KaZaa default local content shares, enabling file-sharing, and copying itself to those shares. When run, it sets the default KaZaa local content folders as C:\ and C:\My Documents. It then copies itself to the following files:

  • c:\Fire.mp3.EXe
  • c:\How to make viruses.txt.EXe
  • c:\HULK.mpeg.EXe
  • c:\HULK.mpg.EXe
  • c:\Pentium 5.doc.EXe
  • c:\Pentium 5.rtf.EXe
  • c:\Playboy 9.mpeg.EXe
  • c:\Reign of Fire.mpeg.EXe
  • c:\ReignoFire.mp3.EXe
  • c:\Setup.exe.EXe
  • c:\TheTuxedo.mpeg.EXe
  • c:\Zephyr Song.mp3.EXe
It also copies itself to the A:\ drive as The Incredible Hulk.EXe.

The following registry key is modified to load the worm whenever .EXE files are run:

  • HKEY_CLASSES_ROOT\exefile\shell\open\
    command "(Default)" = %worm path% "%1" %*
Each time this occurs, a minimized form is displayed.

When that form is maximized the following Window is observed

Did you know that sex makes life better? Yes it dows. We have found out that sex benigns your life to be longer. Sex is good for the heart. Sex is what the holy book told us to do to propagate life. Sex makes life good. Sex is healthy. Sex is not bad. Just look at the person beside you. Crave with him or her. He or she will not hesitate to do this. Sex made my life better. To do is to believe. Trust me. vandEEd0

The adult website www.playboy.com is then loaded.

Symptoms

Presence of the aforementioned files, website, and windows.

Method of Infection

This worm spreads via KaZaa and floppy diskettes. It contains the following icons:

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.HLLW.Veedna (Symantec)
  • Win32.HLLW.Veedna (AVP)
  • WORM_VEEDNA.A (Trend)

Characteristics

Characteristics -

-- Update 30 May 2003 --
Two new variants were discovered - detected as "New P2P Worm" proactively since 4243 DATs. Detection by name was added to 4268 DATs.
--

This is a floppy and KaZaa peer-to-peer file sharing network worm. It propagates by altering KaZaa default local content shares, enabling file-sharing, and copying itself to those shares. When run, it sets the default KaZaa local content folders as C:\ and C:\My Documents. It then copies itself to the following files:

  • c:\Fire.mp3.EXe
  • c:\How to make viruses.txt.EXe
  • c:\HULK.mpeg.EXe
  • c:\HULK.mpg.EXe
  • c:\Pentium 5.doc.EXe
  • c:\Pentium 5.rtf.EXe
  • c:\Playboy 9.mpeg.EXe
  • c:\Reign of Fire.mpeg.EXe
  • c:\ReignoFire.mp3.EXe
  • c:\Setup.exe.EXe
  • c:\TheTuxedo.mpeg.EXe
  • c:\Zephyr Song.mp3.EXe
It also copies itself to the A:\ drive as The Incredible Hulk.EXe.

The following registry key is modified to load the worm whenever .EXE files are run:

  • HKEY_CLASSES_ROOT\exefile\shell\open\
    command "(Default)" = %worm path% "%1" %*
Each time this occurs, a minimized form is displayed.

When that form is maximized the following Window is observed

Did you know that sex makes life better? Yes it dows. We have found out that sex benigns your life to be longer. Sex is good for the heart. Sex is what the holy book told us to do to propagate life. Sex makes life good. Sex is healthy. Sex is not bad. Just look at the person beside you. Crave with him or her. He or she will not hesitate to do this. Sex made my life better. To do is to believe. Trust me. vandEEd0

The adult website www.playboy.com is then loaded.

Symptoms

Symptoms -

Presence of the aforementioned files, website, and windows.

Method of Infection

Method of Infection -

This worm spreads via KaZaa and floppy diskettes. It contains the following icons:

Removal -

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A