W32/GOP.j@MM

Type
Virus
SubType
E-mail worm
Discovery Date
11/26/2002
Length
Varies
Minimum DAT
4235 (11/27/2002)
Updated DAT
4235 (11/27/2002)
Minimum Engine
5.1.00
Description Added
11/26/2002
Description Modified
11/27/2002 3:13 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This mass-mailer arrives as an attachment with a double extension. The mail message contains a variable Chinese subject and message body, but may instead use an English message body, carried within the virus body, that is reminiscent of the Friend Greeting application.

Body:
Hi,%Recipient%

This is a nice E-greeting from your friend %Sender% !

Go and pick it up at: http://www1.kaxiu.com/*blocked*

This personal greeting will be available for 30 days.

Hope you enjoy it and have fun!


***************************************************************

Free E-greeting at Cardshow ----
http://www.kaxiu.com


***************************************************************
     You have been added to the Windows Commander mailing list.

You address is recorded as:

To remove go to the following URL:
http://ghisler.com/*blocked*

If you have a new e-mail address, point your WWW browser to the
address http://www.ghisler.com/*blocked* and use the change option.

This is an automatic reply; no response is necessary.
=============================================================

The attachment content id is:
Content-ID: <__0@Foxmail.net>

The message header is also malformed to exploit the Incorrect MIME Header (MS01-020) vulnerability. Therefore, it will automatically run on an unpatched system when the message is viewed in Microsoft Outlook or Outlook Express.

When run, the worm extracts an embedded file taken from the sender's system (a .bmp, .doc, .gif, .jpeg, .jpg, .rtf, or .txt file) to the WINDOWS TEMP directory and opens it. The name of this embedded file makes up the first part of the attachment name (e.g. SURVEY.DOC.EXE).
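A mail-gateway check for the two attachment indicators the description gives (a document name with .exe or .lnk appended, and the Foxmail Content-ID). This is an added example, not McAfee's detection logic; the message below is a constructed, harmless stand-in for the structure described, not the worm itself.

```python
import email
import re
from email import policy

# Constructed sample: mimics only the attachment naming and Content-ID
# described above. Payload is a few bytes of base64, not a real executable.
SAMPLE_MESSAGE = b"""\
From: friend@example.invalid
To: you@example.invalid
Subject: E-greeting
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, this is a nice E-greeting from your friend!
--b1
Content-Type: application/octet-stream; name="SURVEY.DOC.EXE"
Content-Disposition: attachment; filename="SURVEY.DOC.EXE"
Content-ID: <__0@Foxmail.net>
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Document types the worm embeds, followed by the executable extension it appends.
DOUBLE_EXT = re.compile(r"\.(bmp|doc|gif|jpe?g|rtf|txt)\.(exe|lnk)$", re.IGNORECASE)
WORM_CONTENT_ID = "<__0@foxmail.net>"


def scan_message(raw: bytes) -> list:
    """Return (reason, detail) findings for a raw RFC 2822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and DOUBLE_EXT.search(name):
            findings.append(("double-extension attachment", name))
        cid = str(part.get("Content-ID", "")).strip().lower()
        if cid == WORM_CONTENT_ID:
            findings.append(("W32/GOP.j Content-ID", cid))
    return findings
```

Either finding alone is a strong quarantine signal; the double-extension rule also catches the .lnk variant named under Method of Infection.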

The worm then copies itself to the WINDOWS SYSTEM (%SysDir%) directory as windowsagent.exe, and creates a registry run key to load itself at system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run\WindowsAgent=C:\WINDOWS\SYSTEM\WINDOWSAGENT.EXE

Also created is an ICQ password-stealing component, which is saved to the WINDOWS and/or WINDOWS SYSTEM directory as drocerrbk.sys.

Symptoms

Presence of WINDOWSAGENT.EXE or DROCERRBK.SYS in the WINDOWS SYSTEM directory.

The worm uses a Bart Simpson icon.

Method of Infection

The virus locates one of the following files on the local machine (.bmp, .doc, .gif, .jpeg, .jpg, .rtf, .txt), embeds that file in a new executable, and sends that executable with the original filename + .exe or .lnk (e.g. README.TXT.EXE) to all email addresses contained in files on the system (.js, .htm, .html) using SMTP.

The worm may also attempt to spread via network shares, copying itself to the folder "\RECYCLED\notdelw.i.n.v.e.r.y.i.f.y.exe" and creating a WIN.INI run key on the remote system to load the worm at startup.
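A host-side audit of the persistence and file indicators given under Characteristics and Symptoms, plus the WIN.INI run= entry the worm writes on remote shares. This is an added example, not the vendor's cleaner; the registry export, WIN.INI and directory listing are constructed inputs, so it runs offline against text you would collect from a suspect machine.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# File names the description gives for the worm and its ICQ password stealer.
WORM_FILES = {"windowsagent.exe", "drocerrbk.sys"}
SHARE_DROP = "notdelw.i.n.v.e.r.y.i.f.y.exe"

# Constructed stand-ins for a regedit export, a WIN.INI and a listing of %SysDir%.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"WindowsAgent"="C:\\WINDOWS\\SYSTEM\\WINDOWSAGENT.EXE"
"""
WIN_INI = "[windows]\nload=\nrun=C:\\RECYCLED\\notdelw.i.n.v.e.r.y.i.f.y.exe\n"
SYSDIR = ["KERNEL32.DLL", "windowsagent.exe", "DROCERRBK.SYS"]


def run_values_from_reg_export(text: str) -> dict:
    # Collect name -> command pairs from the HKLM ...\Run section of a .reg file.
    values, in_run = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg files escape backslashes; undo that
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def win_ini_run_line(text: str) -> str:
    # Return the run= command from the [windows] section of WIN.INI, or "".
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "windows" and line.lower().startswith("run="):
            return line.split("=", 1)[1].strip()
    return ""


def audit(reg_export: str, win_ini: str, system_dir_files: list) -> list:
    findings = []
    for name, cmd in run_values_from_reg_export(reg_export).items():
        if name.lower() == "windowsagent" or "windowsagent.exe" in cmd.lower():
            findings.append(f"Run value {name}={cmd}")
    run = win_ini_run_line(win_ini)
    if SHARE_DROP in run.lower():
        findings.append(f"WIN.INI run={run}")
    findings += [f"file {f}" for f in system_dir_files if f.lower() in WORM_FILES]
    return findings
```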

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.