W32/Sponge@MM

Type
Virus
SubType
Internet Worm
Discovery Date
10/26/2002
Length
14,336 bytes for the EXE file
Minimum DAT
4231 (10/30/2002)
Updated DAT
4231 (10/30/2002)
Minimum Engine
5.1.00
Description Added
10/28/2002
Description Modified
12/18/2002 10:38 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

AVERT has yet to receive a field sample of this threat.

This is a mass-mailing worm that appends .HTM files, overwrites .PIF and .SCR files, and also spreads through Word documents. The worm is written in Visual Basic and packed with UPX. It may arrive in a message with the following properties:

Subject: SpongeBob WallPaper
Body: Send this to your friends and make them laugh...
Attachment: Spongy.exe

When it is run:

  1. It tries to send itself to entries in the Outlook address book using Microsoft Outlook.
  2. It copies itself to the following locations:
    c:\Explore\Help.exe
    c:\Jokes.pif
    c:\porno.scr
    c:\SpongeBob.com
    c:\SpongeBob.eml
    c:\SpongeBob.scr
    c:\SpongeBob_Game.exe
    c:\WINDOWS\kn0x\ace1.com
    c:\WINDOWS\TEMP\Jokes.pif
    c:\WINDOWS\TEMP\SpongeBob.com
    c:\WINDOWS\TEMP\SpongeBob.scr
    c:\WINDOWS\TEMP\SpongeBob_Game.exe
    
    c:\SpongeBob.eml is a copy in MIME e-mail format.
  3. A registry run key is created to load the worm at startup.
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
      RunServices "*WlNRUN" = c:\WINDOWS\kn0x\ace1.com
  4. It adds code to HTM files to run itself, but due to a bug in the virus the inserted code references the wrong path to the virus, so the virus is not run from HTM files. Most of the HTM files were detected as possible variants of Exploit-CodeBase before specific detection was added.
  5. It adds a macro to NORMAL.DOT, using c:\readme.txt as a temporary file to store the macro. This macro does not replicate on its own; its purpose is to add code that runs the copy of the worm in c:\porno.scr to other documents. It uses a temporary file called c:\xploit.mmm to copy the code into the documents. It also turns off Word's macro security. The macro in NORMAL.DOT was already detected as W97M/Generic; the code in c:\readme.txt was already detected as VBA/Generic.src.

Symptoms

Files or messages mentioned above. Macro security is disabled. HTML documents are modified. The worm may display the following message box:

Method of Infection

This is a multipartite virus. When run from the EXE it hits HTML files and appends an XML construct to the end of each one that invokes the EXE via a vulnerability that uses a codebase reference to "\kn0x\ace1.exe".

The EXE component introduces a module with a Document_Close handler into NORMAL.DOT. This NORMAL.DOT drops "c:\xploit.mmm", holding a short VBA source of a Document_Open handler that is imported into the DOCs. Document_Close also embeds an EXE from "c:\porno.scr" into the DOCs, while code in the DOCs can activate the Win32 file via OLE2 automation. That means infected DOCs are also a possible vector of infection, as the EXE will be activated if macros are run from the DOC (the macro warning is off, or the user chooses to run the macros when the warning pops up). Replication in DOC/DOT form requires Word 2000 as a minimum.

NORMAL.DOT also drops "c:\vv.reg" (REG file to disable Word's security) but it is deleted by the virus itself.
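As an added example (not part of the AVERT description), the following Python triage helper checks the indicators listed above against offline inputs: an HTM file's appended codebase reference, the dropped-file paths, and the RunServices value. The page does not give the exact markup of the appended construct, so the codebase pattern is an assumption, and the sample HTML is constructed.

```python
import re
from typing import Iterable

# File paths named in the description: dropped copies plus the temporary files.
DROPPED_PATHS = {
    r"c:\Explore\Help.exe", r"c:\Jokes.pif", r"c:\porno.scr", r"c:\SpongeBob.com",
    r"c:\SpongeBob.eml", r"c:\SpongeBob.scr", r"c:\SpongeBob_Game.exe",
    r"c:\WINDOWS\kn0x\ace1.com", r"c:\WINDOWS\TEMP\Jokes.pif",
    r"c:\WINDOWS\TEMP\SpongeBob.com", r"c:\WINDOWS\TEMP\SpongeBob.scr",
    r"c:\WINDOWS\TEMP\SpongeBob_Game.exe",
    r"c:\readme.txt", r"c:\xploit.mmm", r"c:\vv.reg",
}

# Startup persistence named in the description.
RUNSERVICES_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows"
                   r"\CurrentVersion\RunServices")
RUNSERVICES_VALUE = ("*WlNRUN", r"c:\WINDOWS\kn0x\ace1.com")

# Assumption: the appended construct carries a codebase attribute whose path
# ends in "\kn0x\ace1.exe"; the page does not show the surrounding markup.
CODEBASE_RE = re.compile(
    r'codebase\s*=\s*["\']?[^"\'>]*\\kn0x\\ace1\.exe', re.IGNORECASE)


def html_has_sponge_codebase(html: str) -> bool:
    """True if the HTM content carries the worm's appended codebase reference."""
    return CODEBASE_RE.search(html) is not None


def match_file_indicators(paths: Iterable[str]) -> list:
    """Return the known dropped-file paths (case-insensitive) found in a listing."""
    wanted = {p.lower(): p for p in DROPPED_PATHS}
    return sorted({wanted[p.lower()] for p in paths if p.lower() in wanted})


def match_registry_indicator(values: dict) -> bool:
    """values maps (key, value_name) -> data, e.g. parsed from a registry export."""
    name, data = RUNSERVICES_VALUE
    return values.get((RUNSERVICES_KEY, name), "").lower() == data.lower()


if __name__ == "__main__":
    # Constructed sample: a clean page with the worm's construct appended at the end.
    sample_htm = ('<html><body>hello</body></html>'
                  '<object codebase="\\kn0x\\ace1.exe"></object>')
    print("HTM infected:", html_has_sponge_codebase(sample_htm))
    print("Dropped files:", match_file_indicators([r"C:\PORNO.SCR", r"c:\notes.txt"]))
```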

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32/Sponge.html
