W32/Holar.b@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 11/27/2002
Length: 26,216 bytes
Minimum DAT: 4236 (12/04/2002)
Updated DAT: 4362 (05/19/2004)
Minimum Engine: 5.1.00
Description Added: 11/27/2002
Description Modified: 12/04/2002 1:28 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This mass-mailing worm spreads via email, via visits to an infected website, and via network shares. It arrives as an attachment (32,768 bytes) with a .SCR extension. The attachment name is taken from the name (without the extension) of a file in the My Documents directory on the infected system, and the message subject is that same name. The worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Microsoft Internet Explorer (version 5.01, or 5.5 without SP2) so that the attachment executes automatically on vulnerable systems.

The message body contains the text "Flash File", and the attachment icon is the one typically associated with a Shockwave Flash file.

When the attachment is run, the worm copies itself to the WINDOWS SYSTEM directory and creates a registry run key to load itself at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    RunServices\ZaCker

The .A variant of this threat dropped a web server into the System directory as "CmdServ.exe" and created an additional registry run key for it:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    RunServices\MyLife=C:\WINDOWS\SYSTEM\CmdServ.exe

This variant creates the registry entry but not the server file itself. It also appends an IFrame to .HTM and .HTML files that links to "C:\WINDOWS\SYSTEM\WarIII.eml", a copy of the worm.

Additional registry keys are created as markers that let the worm track whether certain actions have already taken place:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\HolyWar
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\HolyWar
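As an added defender-side example (not code from the original advisory), the following Python script checks the host indicators listed above: the ZaCker and MyLife values under the RunServices key and the HolyWar marker keys, read from a REGEDIT4-style registry export, and an IFRAME pointing at WarIII.eml appended to a local .HTM/.HTML file. The registry export and HTML snippets are constructed sample input; the name of the worm's own copy under the ZaCker value is not given on this page, so a placeholder stands in for it.

```python
"""Host-indicator checks for W32/Holar.b@MM, built from the advisory text.

Added example (not McAfee's code). The registry export and the HTML snippets
below are constructed sample input; the worm's own copy name under the ZaCker
value is not given in the advisory, so a placeholder is used.
"""
import re
from typing import Dict, List, Optional, Tuple

# Persistence location and value names named in the advisory.
RUN_SERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
RUN_VALUE_NAMES = {"ZaCker", "MyLife"}

# Marker keys the worm creates to track its own progress.
MARKER_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\HolyWar",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\HolyWar",
}

# Copy of the worm that the appended IFrames point at.
DROPPED_FILE = r"C:\WINDOWS\SYSTEM\WarIII.eml"

# An IFRAME tag whose src ends in WarIII.eml, in any case, quoting or
# attribute order. [^>]* keeps the match inside a single tag.
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]*WarIII\.eml)[\"']?[^>]*>",
    re.IGNORECASE,
)

Finding = Tuple[str, str, Optional[str]]  # (kind, registry key, value name)


def find_appended_iframes(html: str) -> List[str]:
    """Return the src of every IFRAME in `html` that points at the dropped .eml."""
    return [m.group(1) for m in IFRAME_RE.finditer(html)]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the [key] / "name"="value" lines of a .reg export.

    Default (@=) values and multi-line hex data are ignored; they are not
    needed for these indicators.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip().strip('"')
    return keys


def check_registry(text: str) -> List[Finding]:
    """Report Holar persistence values and marker keys found in a .reg export."""
    markers = {k.lower() for k in MARKER_KEYS}
    findings: List[Finding] = []
    for key, values in parse_reg_export(text).items():
        if key.lower() in markers:
            findings.append(("marker", key, None))
        if key.lower() == RUN_SERVICES_KEY.lower():
            for name in sorted(values):
                if name in RUN_VALUE_NAMES:
                    findings.append(("persistence", key, name))
    return findings


# Constructed sample input: what an export of the affected hive and an
# infected local .HTM file might look like on a Holar.b host.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ZaCker"="C:\\WINDOWS\\SYSTEM\\WORM-COPY-PLACEHOLDER.scr"
"MyLife"="C:\\WINDOWS\\SYSTEM\\CmdServ.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\HolyWar]
"""

SAMPLE_INFECTED_HTML = r"""<html><body><p>Quarterly report</p></body></html>
<IFRAME src="C:\WINDOWS\SYSTEM\WarIII.eml" width=0 height=0></IFRAME>"""

SAMPLE_CLEAN_HTML = """<html><body>
<iframe src="https://example.com/widget" width="300"></iframe>
</body></html>"""


if __name__ == "__main__":
    for kind, key, name in check_registry(SAMPLE_REG_EXPORT):
        print(f"{kind}: {key}" + (f" -> {name}" if name else ""))
    for src in find_appended_iframes(SAMPLE_INFECTED_HTML):
        print(f"appended IFRAME to {src}")
    print("clean page hits:", find_appended_iframes(SAMPLE_CLEAN_HTML))
```

On a real host the export would come from `regedit /e` and the HTML from a walk of local .HTM/.HTML files; the parser deliberately matches key paths case-insensitively, since Windows registry paths are not case-sensitive, while the value names are compared exactly as the advisory gives them.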

Symptoms

Presence of CmdServ.exe and WarIII.eml in the WINDOWS SYSTEM directory.

Method of Infection

This worm attempts to spread via email, network shares, and webpages. It uses addresses from the Outlook Address Book, MSN Messenger Contact List, .HTM and .HTML files found on the local system.

The virus also carries a damaging payload that overwrites files with the text "Bye".

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
