W32/Poscal.worm

Type
Virus
SubType
P2P Worm
Discovery Date
11/02/2002
Length
57,344 bytes
Minimum DAT
4233 (11/13/2002)
Updated DAT
4317 (01/21/2004)
Minimum Engine
5.1.00
Description Added
11/05/2002
Description Modified
11/25/2002 6:15 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a peer-to-peer file-sharing worm that spreads via the KaZaa servent. The code also suggests that the worm attempts to email itself to all users found in the Microsoft Outlook address book; however, this mass-mailing action was not observed during testing. The intended message is as follows:

Subject: Anti-Virus Programs are corrupting your Software!
Body: Want to know why you get junk mail? Well Here is proof that AV's are corrupting your programs and Sell your Private information to Web Company's! Why do you think there are so much virus's out there? well its these Company's that spread them and then sell you there product to delete them! check it out now... (p.s. its attatched)

Attachment: F**K_AVs.exe (Note: the * character is a substitute for the real letters used).

The worm spreads when KaZaa users download and run an infected file. It uses a common icon:

When run, the worm displays a message box:

... Calposa by Industry @ ANVXgroup ...

Many copies of the worm are saved to the local system:
  • c:\Program Files\KaZaA\My Shared Folder\norton_crack.exe
  • c:\Program Files\KaZaA\My Shared Folder\Sims_Patch.exe
  • c:\Program Files\KaZaA\My Shared Folder\UT3_full_crack.exe
  • c:\Program Files\KaZaA\My Shared Folder\Windows_Hack.exe
  • c:\WINDOWS\ActiveX.exe
  • c:\WINDOWS\FUCK_AVs.exe
  • c:\WINDOWS\MSWord.exe
  • c:\WINDOWS\SCR.exe
  • c:\WINDOWS\SYSTEM\Explorer.exe
  • c:\WINDOWS\MIXER.EXE
  • c:\WINDOWS\REGEDIT.EXE
  • c:\WINDOWS\TELNET.EXE
Note: MIXER.EXE, REGEDIT.EXE, and TELNET.EXE are valid Windows programs that get overwritten by the virus.

The SYSTEM.INI file is overwritten with the following text:

[About]
Author = Industry
VXgroup =

etc ... (omitted)

Symptoms

Presence of the aforementioned files.
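A triage check for the symptoms above, written here as an added example (not McAfee's tool or any code from the advisory): it looks for the dropped files, flags the three overwritten Windows programs only when their size equals the worm length given above, and parses SYSTEM.INI for the [About] marker. Assumptions: the scanned root is the C: drive or an offline copy of it, and an overwritten program is a whole copy of the worm; the sample tree built by demo() is constructed, not a real infection.

```python
import os
import tempfile
# Paths from the advisory, relative to the drive root (C:). Programs the worm overwrites
# exist on every system, so they are flagged only when sized like the worm (57,344 bytes).
SHARED = "Program Files/KaZaA/My Shared Folder/"
DROPPED = [SHARED + n for n in ("norton_crack.exe", "Sims_Patch.exe", "UT3_full_crack.exe",
                                "Windows_Hack.exe")]
DROPPED += ["WINDOWS/" + n for n in ("ActiveX.exe", "FUCK_AVs.exe", "MSWord.exe", "SCR.exe")]
DROPPED += ["WINDOWS/SYSTEM/Explorer.exe"]
OVERWRITTEN = ["WINDOWS/" + n for n in ("MIXER.EXE", "REGEDIT.EXE", "TELNET.EXE")]
WORM_LENGTH = 57344  # assumption: an overwritten program is a whole copy of the worm

def _path(root, rel):
    return os.path.join(root, *rel.split("/"))

def system_ini_tampered(ini_path):
    """True if SYSTEM.INI holds the [About] section with Author = Industry (hand-parsed)."""
    if not os.path.isfile(ini_path):
        return False
    section = None
    with open(ini_path, errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].lower()
            elif section == "about" and "=" in line:
                key, _, value = line.partition("=")
                if key.strip().lower() == "author" and value.strip().lower() == "industry":
                    return True
    return False

def scan(root):
    """Return the advisory's indicators found under root (a live drive or offline copy)."""
    found = {"dropped": [r for r in DROPPED if os.path.isfile(_path(root, r))],
             "overwritten": [r for r in OVERWRITTEN if os.path.isfile(_path(root, r))
                             and os.path.getsize(_path(root, r)) == WORM_LENGTH]}
    found["system_ini"] = system_ini_tampered(_path(root, "WINDOWS/SYSTEM.INI"))
    return found

def demo():
    """Constructed sample tree: two drops, a worm-sized TELNET.EXE, a clean REGEDIT.EXE."""
    root = tempfile.mkdtemp()
    sample = {DROPPED[0]: b"x", DROPPED[1]: b"x", OVERWRITTEN[2]: b"\0" * WORM_LENGTH,
              OVERWRITTEN[1]: b"MZ legitimate",
              "WINDOWS/SYSTEM.INI": b"[About]\r\nAuthor = Industry\r\nVXgroup =\r\n"}
    for rel, data in sample.items():
        os.makedirs(os.path.dirname(_path(root, rel)), exist_ok=True)
        with open(_path(root, rel), "wb") as fh:
            fh.write(data)
    return scan(root)
```

A clean REGEDIT.EXE is deliberately present in the sample so the size heuristic is shown not to flag an untouched copy; on a real machine, pass the drive root (or a mounted image) to scan() instead of calling demo().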

Method of Infection

This worm spreads via KaZaa by copying itself to the default KaZaa shared folder and waiting for unsuspecting users to download and run it.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Calposa (AVP)
  • Worm/Calposa.exe (Central Command)
  • WORM_CALPOSA.A (Trend)