W32/Orfina@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 12/27/2002
Length: bacoorfina.exe: 7520 bytes, bacoorfina.zip: 7646 bytes
Minimum DAT: 4241 (01/08/2003)
Updated DAT: 4346 (03/31/2004)
Minimum Engine: 5.1.00
Description Added: 12/27/2002
Description Modified: 01/08/2003 1:54 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

The W32/Orfina@MM worm was submitted directly by the virus author to AVERT. So far it has not been seen in the wild.

The worm's mass-mailing routine activates only when certain conditions on randomly generated values are met.

The worm searches local files for e-mail addresses to send itself to.

The worm may arrive in a plain-text, base64-encoded e-mail with a ".zip" file attachment.

During testing, activation of the mass-mailing routine was not encountered frequently.

The Subject may be:
-"Fw: Interesting!Re: Thanks!"
-"hi"
-"Keep Smiling! :) Christman Greetings!"

The Body may be:
-"look what i've made!"
-"awesome stuff, check att"
-"Something Special!"

The File Attachment may be:
-"Happy_XMas.zip"
-"Happyy2k3.zip"
-"BestWishes.zip"
-"attachment.zip"

When the user manually decompresses (unzips) the .zip file attachment and runs the embedded .exe file, the worm creates files in the %windows and %windows\%system directories; for example, on a Windows 2000 system:

c:\winnt\bacoorfina.exe
c:\winnt\bacoorfina.txt
c:\winnt\system32\bacoorfina.eml
c:\winnt\system32\bacoorfina.zip

The bacoorfina.exe file is a 32-bit PE file with a file size of 7520 bytes, internally packed with FSG.

The bacoorfina.txt file is an ASCII file with a file size of 406 bytes; it contains only comments by the virus author.

The bacoorfina.eml file is a base64-encoded e-mail message file (plain text with a .zip file attachment); the original .eml had a file size of 11293 bytes.

The bacoorfina.zip file holds a compressed copy of bacoorfina.exe; the original .zip had a file size of 7646 bytes.
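As an added illustration (not part of the original description), the following Python scans a raw message for the indicators listed above: the known subjects, the known attachment names, and a .zip attachment containing a .exe of the documented 7520-byte size. The sample message it builds is constructed here, with a harmless placeholder in place of the real executable.

```python
import base64
import email
import io
import zipfile
from email import policy

# Indicators transcribed from the description: subjects, attachment names,
# and the documented size of the dropped bacoorfina.exe.
SUBJECTS = {"Fw: Interesting!Re: Thanks!", "hi", "Keep Smiling! :) Christman Greetings!"}
ATTACHMENTS = {"Happy_XMas.zip", "Happyy2k3.zip", "BestWishes.zip", "attachment.zip"}
DROPPER_NAME = "bacoorfina.exe"
DROPPER_SIZE = 7520


def scan_message(raw: bytes) -> dict:
    """Report which Orfina indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "attachment_name": False, "zip_exe": False}
    hits["subject"] = str(msg["subject"] or "") in SUBJECTS
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in ATTACHMENTS:
            hits["attachment_name"] = True
        if name.lower().endswith(".zip"):
            # Decode the base64 body and inspect the archive listing without extracting it.
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for info in zf.infolist():
                        if info.filename.lower().endswith(".exe") and info.file_size == DROPPER_SIZE:
                            hits["zip_exe"] = True
            except zipfile.BadZipFile:
                pass  # corrupt or non-zip content: no archive indicator
    return hits


def build_sample() -> bytes:
    """Constructed test message: a harmless placeholder of the documented size inside a .zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(DROPPER_NAME, b"X" * DROPPER_SIZE)
    body = base64.encodebytes(buf.getvalue()).decode()
    return (
        "From: sender@example.invalid\nTo: user@example.invalid\n"
        "Subject: Keep Smiling! :) Christman Greetings!\n"
        "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n"
        "--b1\nContent-Type: text/plain\n\nlook what i've made!\n"
        "--b1\nContent-Type: application/zip; name=\"Happy_XMas.zip\"\n"
        "Content-Transfer-Encoding: base64\n"
        "Content-Disposition: attachment; filename=\"Happy_XMas.zip\"\n\n"
        + body + "--b1--\n"
    ).encode()
```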

Symptoms

Presence of:
c:\winnt\bacoorfina.exe
c:\winnt\bacoorfina.txt
c:\winnt\system32\bacoorfina.eml
c:\winnt\system32\bacoorfina.zip

Method of Infection

Running the infected file attachment starts the infection routine.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Baconex (Kaspersky)
