W32/Duksten@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 10/01/2002
Length: 7-10 kbytes
Minimum DAT: 4225 (09/25/2002)
Updated DAT: 4308 (12/10/2003)
Minimum Engine: 5.1.00
Description Added: 12/12/2002
Description Modified: 12/12/2002 5:33 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

---Update 12/12/2002---
A new variant appeared (W32/Duksten.h@MM) also known as W32/Prestige. It requires 4238 DATs. At the time of writing AVERT have not received samples of this worm.

This worm is written in assembler. It spreads by mailing itself to every contact found in the Windows Address Book.

This worm uses a static 'Subject':

  • fotos INEDITAS del PRESTIGE en el fondo del Atlantico!

The mail has no text in the body and always comes with the following 'From' field:

  • Fotos_PresTiGe [freeserve@nautilus.org]

The attachment file name is 'PRESTIG.ZIP' and the archive carries a single 'PresTiG.exe' file inside (10240 bytes long). When the executable file is run it displays the following message boxes (double-clicking the ZIP merely opens the archive, and only if WinZip or similar software is installed; the EXE has to be run after extraction from the ZIP):

Symptoms

Viruses from the W32/Duksten family modify the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, adding an "XRF" entry that points to the virus program (e.g., PresTiGe.exe).

Variants that send a ZIP file as an attachment drop files called m_base64.xrf and m_prgrm.zip. The first is the MIME-encoded ZIP file; the second is the ZIP file carrying the virus as an EXE. Some variants send out an EXE file without a ZIP wrapper.

Different variants have the following properties (note that the strings mentioned are not visible in encrypted executables):

Variant .a
Drops c:\NetSkudo.exe (10240 bytes long, not encrypted).

Variant .b
From: "Anti-SirCam"[Panda@PandaSoft.com]
Subject: Free Anti-Vir to protect you SirCam trojan
Attachment: 'SKUDO.EXE' (7680 bytes, encrypted)

Variants .c and .e
From: "Anti29A"[darknode@dejalo.com] or "ReEnviaMe"[Skudo@Seguro.com] or [Grupo@Anti29A.net]
Subject: grupo creador de virus 29A
Subject: AyudaME, AyudatE ... AYudEMonoS! Anti29A - SKUDO
Attachment: 'ANTI_29A.EXE' (7680 bytes, encrypted)
These variants can also post themselves to the USENET newsgroup 'es.comp.virus' under the name 'dais pena JUA JUA JUA'.

Variant .d
From: "Anti-SirCam"[Panda@PandaSoft.com]
Subject: Run ThiS Free Anti-Vir to protect you SirCam trojan
Attachment: 'SKUDO.EXE' (7680 bytes, not encrypted)

Variants .f and .g
From: [boletin@viralert.net] or "Alerta_RaPida"[boletin@viralert.net]
Subject: ProTeccion TOTAL contra W32/Bugbear (30dias)
Attachment: 'PROTECT.ZIP' (9728-byte EXE inside, encrypted)

These variants also carry the following text:

    WKaPCOM bY XRF,19SePtiembre2002 PandaSoftware,please,rename Duksten to WKaPExE
    About::Me 1985AppleIIe.1986Univac1100.1987MV4000.1988MV20000.1990EpsonPcJ2
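
The sender, subject and attachment names listed for the variants above (and the 'From'/'Subject' of the .h variant in the Characteristics section) are enough for a mail-gateway triage rule. The following is an added example written for this description, not AVERT's tooling: the indicator table is copied from the variant list, the `match_duksten` scoring (a hit when at least two of the three header-level fields match, strongest match first) is this example's own design, and the sample message is constructed here.

```python
"""Mail-side triage for W32/Duksten@MM.

Added example, not AVERT's own tooling. The indicator table is taken
from the variant list in this description; sample messages are
constructed here for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr


def _norm(text):
    """Lower-case and collapse whitespace so header spelling variations still match."""
    return " ".join(str(text).lower().split())


# Per-variant indicators from the description: (senders, subjects, attachment names).
DUKSTEN_INDICATORS = {
    ".b": ({"panda@pandasoft.com"},
           {"free anti-vir to protect you sircam trojan"},
           {"skudo.exe"}),
    ".c/.e": ({"darknode@dejalo.com", "skudo@seguro.com", "grupo@anti29a.net"},
              {"grupo creador de virus 29a",
               "ayudame, ayudate ... ayudemonos! anti29a - skudo"},
              {"anti_29a.exe"}),
    ".d": ({"panda@pandasoft.com"},
           {"run this free anti-vir to protect you sircam trojan"},
           {"skudo.exe"}),
    ".f/.g": ({"boletin@viralert.net"},
              {"proteccion total contra w32/bugbear (30dias)"},
              {"protect.zip"}),
    ".h": ({"freeserve@nautilus.org"},
           {"fotos ineditas del prestige en el fondo del atlantico!"},
           {"prestig.zip"}),
}


def extract_features(raw):
    """Parse a raw RFC 822 message and pull out the three header-level indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = _norm(msg.get("Subject", ""))
    names = {_norm(p.get_filename()) for p in msg.iter_attachments() if p.get_filename()}
    return sender, subject, names


def match_duksten(raw, min_score=2):
    """Return variant labels whose indicators match at least `min_score` of the
    three fields (sender, subject, attachment name), strongest match first.
    Variants .b and .d differ only in subject, so a .d mail also reports .b."""
    sender, subject, names = extract_features(raw)
    hits = []
    for label, (senders, subjects, attachments) in DUKSTEN_INDICATORS.items():
        score = (sender in senders) + (subject in subjects) + bool(names & attachments)
        if score >= min_score:
            hits.append((label, score))
    return [label for label, _ in sorted(hits, key=lambda h: (-h[1], h[0]))]


def build_sample(sender, subject, filename):
    """Construct a minimal message shaped like the ones described (demo input only)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("")  # the worm's mails carry no body text
    msg.add_attachment(b"MZ" + b"\0" * 30, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("Fotos_PresTiGe <freeserve@nautilus.org>",
                          "fotos INEDITAS del PRESTIGE en el fondo del Atlantico!",
                          "PRESTIG.ZIP")
    print(match_duksten(sample))  # ['.h']
```

Requiring two matching fields keeps a forwarded mail that merely quotes one of these subjects from being flagged on its own, while a spoofed sender plus the attachment name is still enough to catch a variant whose subject was retyped.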

Method of Infection

The virus saves a copy of REGEDIT.EXE as M_REGEDIT.EXE and copies itself under the name REGEDIT.EXE. This is obviously done in an attempt to prevent the registry hook from being removed manually.

Variant .a is the only parasitic infector and hits Win32 applications on the local drive. It drops the files 'mbase64.xrf' and 'program.zip'. Some variants in this family are encrypted, so no strings are visible.
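
The Symptoms and Method of Infection sections together give a small set of host artifacts: the "XRF" entry under the Run key, the dropped m_base64.xrf / m_prgrm.zip / mbase64.xrf / program.zip / NetSkudo.exe files, and REGEDIT.EXE replaced by a worm-sized image with the original saved as M_REGEDIT.EXE. The following is an added example, not AVERT's removal tool: `assess_host` evaluates a snapshot of Run values and file sizes against those indicators, the `collect_*` helpers gather a real snapshot on Windows (assuming the standard `winreg` module), and the sample snapshot with its file sizes (other than the 10240-byte figure quoted above) is constructed for the demonstration.

```python
"""Host-side check for W32/Duksten persistence and dropped files.

Added example, not AVERT's removal tool. The indicators come from this
description; the snapshot at the bottom and its sizes are constructed.
"""
import ntpath
import os
import sys

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "xrf"
DROPPED_NAMES = {"m_base64.xrf", "m_prgrm.zip", "mbase64.xrf",
                 "program.zip", "netskudo.exe"}
WORM_SIZES = {10240, 7680, 9728}  # executable sizes quoted for the variants


def assess_host(run_values, files):
    """run_values: {value_name: command} read from HKLM\\...\\Run.
    files: {full_path: size_in_bytes} for the directories examined.
    Returns a list of findings; an empty list means no Duksten artifact seen."""
    findings = []
    for name, command in run_values.items():
        if name.lower() == RUN_VALUE_NAME:
            findings.append(f'Run value "{name}" -> {command}')
    by_name = {}
    for path, size in files.items():
        by_name.setdefault(ntpath.basename(path).lower(), []).append((path, size))
    for dropped in sorted(DROPPED_NAMES & set(by_name)):
        for path, size in by_name[dropped]:
            findings.append(f"dropped file {path} ({size} bytes)")
    # The worm parks the real REGEDIT.EXE as M_REGEDIT.EXE and takes its name.
    if "m_regedit.exe" in by_name:
        swapped = [p for p, s in by_name.get("regedit.exe", []) if s in WORM_SIZES]
        if swapped:
            findings.append(f"REGEDIT.EXE replaced: {swapped[0]} has a worm-sized image "
                            "and the original was saved as M_REGEDIT.EXE")
        else:
            findings.append("M_REGEDIT.EXE present: REGEDIT.EXE may have been swapped")
    return findings


def collect_run_values():
    """Read the Run key through winreg on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                break
            values[name] = data
            index += 1
    return values


def collect_files(directories):
    """Size every file under the given directories (recursive walk)."""
    files = {}
    for top in directories:
        for root, _, names in os.walk(top):
            for name in names:
                path = os.path.join(root, name)
                try:
                    files[path] = os.path.getsize(path)
                except OSError:
                    pass
    return files


# Constructed snapshot of an infected host (sizes other than 10240 are made up).
SAMPLE_RUN = {"XRF": r"C:\WINDOWS\PresTiGe.exe", "SystemTray": "SysTray.Exe"}
SAMPLE_FILES = {
    r"C:\WINDOWS\REGEDIT.EXE": 10240,    # worm copy wearing the REGEDIT name
    r"C:\WINDOWS\M_REGEDIT.EXE": 71680,  # the real REGEDIT, saved aside
    r"C:\WINDOWS\m_base64.xrf": 14120,
    r"C:\WINDOWS\m_prgrm.zip": 5210,
    r"C:\NetSkudo.exe": 10240,
}

if __name__ == "__main__":
    for line in assess_host(SAMPLE_RUN, SAMPLE_FILES):
        print(line)
```

On a live host, call `assess_host(collect_run_values(), collect_files([r"C:\WINDOWS", r"C:\"]))`; the walk of the drive root is slow, so narrow the directory list once you know where the worm copy landed. The findings are a triage aid only; cleaning is done with the engine and DAT versions named in the Removal section.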

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Gain
  • I-Worm.Skudex
  • W32/Prestige
  • W32/Pretige
  • W32/Skud
  • W32/Skudo
  • Win32/Gex
  • Worm/Antiax
  • Worm/BogusBear
