Warning: W32/Netsky.b@MM has been upgraded to medium.

hevnsnt

Lifer
Mar 18, 2000

Internet Worm Characteristics:
This virus spreads via email and mapped drives. It sends itself to addresses found on the victim's machine and copies itself to folders on drives C: through Z:.

Mail propagation
The virus may be received in an email message with the subject and message body composed from the following strings:

I have your password!
about me
anything ok?
do you?
from the chatter
greetings
hello
here
here is the document.
here it is
here, the cheats
here, the introduction
here, the serials
hi
i found this document about you
i hope it is not true!
i wait for a reply!
i'm waiting
information about you
is that from you?
is that true?
is that your account?
is that your name?
kill the writer of this document!
my hero
ok
read it immediately!
read the details.
reply
see you
something about you!
something is fool
something is going wrong
something is going wrong!
stuff about you?
take it easy
that is bad
that's funny
thats wrong why?
what does it mean?
yes, really?
you are a bad writer
you are bad
you earn money
you feel the same
you try to steal
your name is wrong
The attachment may have a double-extension such as .rtf.pif and may be contained in a .ZIP file.

The mailing component harvests addresses from the local system. Files with the following extensions are targeted:

.msg
.oft
.sht
.dbx
.tbb
.adb
.doc
.wab
.asp
.uin
.rtf
.vbs
.html
.htm
.pl
.php
.txt
.eml
When executed, a fake error message may be displayed.



The worm copies itself into the %windir% folder using the filename SERVICES.EXE. It adds a key to the registry so it is activated on system start:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "service" = C:\WINNT\services.exe -serv

Network propagation
The worm copies itself to various directories on the local system and on mapped network drives. The filenames are included in the worm and chosen randomly:

doom2.doc.pif
sex sex sex sex.doc.exe
rfc compilation.doc.exe
dictionary.doc.exe
win longhorn.doc.exe
e.book.doc.exe
programming basics.doc.exe
how to hack.doc.exe
max payne 2.crack.exe
e-book.archive.doc.exe
virii.scr
nero.7.exe
eminem - lick my pussy.mp3.pif
cool screensaver.scr
serial.txt.exe
office_crack.exe
hardcore porn.jpg.exe
angels.pif
porno.scr
matrix.scr
photoshop 9 crack.exe
strippoker.exe
winxp_crack.exe
dolly_buster.jpg.pif
The worm also drops numerous ZIPs (to the local drive too), each containing a 22,016-byte file (frequently with a double extension such as .doc.pif, .rtf.com or .rtf.scr). The list of ZIP names is hardcoded in the virus body:

aboutyou.zip
attachment.zip
bill.zip
concert.zip
creditcard.zip
details.zip
dinner.zip
disco.zip
final.zip
found.zip
friend.zip
jokes.zip
location.zip
mail2.zip
mails.zip
me.zip
message.zip
misc.zip
msg.zip
nomoney.zip
note.zip
object.zip
part2.zip
party.zip
posting.zip
product.zip
ps.zip
ranking.zip
release.zip
shower.zip
story.zip
stuff.zip
swimmingpool.zip
talk.zip
textfile.zip
topseller.zip
website.zip
More details will be posted when analysis is complete.
Symptoms
Existence of the files and registry keys mentioned above
Unexpected network traffic
Method Of Infection
This worm spreads by e-mail and by copying itself to folders on the local hard drive as well as on mapped network drives, if available. It does not scan for open shares.

Removal Instructions
All Users :
Use the specified engine and DAT files for detection and removal.

The following EXTRA.DAT packages are being made available prior to the regularly scheduled weekly DAT release (working with EXTRA.DAT files).

EXTRA.DAT
SUPER EXTRA.DAT

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
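Added example, not part of hevnsnt's post or of the McAfee advisory it quotes: an offline indicator sweep assembled from the details above (the hard-coded dropped filenames, the hard-coded ZIP names, the double-extension attachment pattern and the Run value). It takes a directory listing and the HKLM Run values as plain Python data so it can be run against an export taken elsewhere. The directory listing and Run values below are constructed for the demonstration. Two parts are the editor's generalisation rather than something the advisory states: the double-extension regex covers the extension pairs the advisory lists and a few more of the same shape, and the check for services.exe sitting in the %windir% root (rather than System32, where the legitimate one lives) is inferred from the advisory's statement that the worm copies itself to %windir%\SERVICES.EXE.

```python
"""Offline Netsky.B indicator sweep built from the advisory text above.
Added example (not McAfee's or the poster's code); sample inputs are constructed."""

import re
from typing import Dict, Iterable, List, Optional, Tuple

# Filenames the advisory lists as copied to folders on C:-Z: and mapped drives.
DROPPED_NAMES = {
    "doom2.doc.pif", "sex sex sex sex.doc.exe", "rfc compilation.doc.exe",
    "dictionary.doc.exe", "win longhorn.doc.exe", "e.book.doc.exe",
    "programming basics.doc.exe", "how to hack.doc.exe", "max payne 2.crack.exe",
    "e-book.archive.doc.exe", "virii.scr", "nero.7.exe",
    "eminem - lick my pussy.mp3.pif", "cool screensaver.scr", "serial.txt.exe",
    "office_crack.exe", "hardcore porn.jpg.exe", "angels.pif", "porno.scr",
    "matrix.scr", "photoshop 9 crack.exe", "strippoker.exe", "winxp_crack.exe",
    "dolly_buster.jpg.pif",
}

# ZIP names the advisory says are hard-coded in the worm body.
ZIP_NAMES = {
    "aboutyou.zip", "attachment.zip", "bill.zip", "concert.zip", "creditcard.zip",
    "details.zip", "dinner.zip", "disco.zip", "final.zip", "found.zip",
    "friend.zip", "jokes.zip", "location.zip", "mail2.zip", "mails.zip", "me.zip",
    "message.zip", "misc.zip", "msg.zip", "nomoney.zip", "note.zip", "object.zip",
    "part2.zip", "party.zip", "posting.zip", "product.zip", "ps.zip", "ranking.zip",
    "release.zip", "shower.zip", "story.zip", "stuff.zip", "swimmingpool.zip",
    "talk.zip", "textfile.zip", "topseller.zip", "website.zip",
}

# Document-looking name followed by an executable type (.doc.pif, .rtf.com, ...).
# Editor's generalisation of the pairs the advisory lists.
DOUBLE_EXT_RE = re.compile(r"\.(doc|rtf|txt|jpg|mp3)\.(exe|pif|scr|com)$", re.IGNORECASE)

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Value data from the advisory: <windir>\services.exe -serv
RUN_DATA_RE = re.compile(r"\\services\.exe\s+-serv\s*$", re.IGNORECASE)


def _split(path: str) -> Tuple[str, str]:
    """Return (parent directory name, file name), lower-cased, for a Windows path."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    name = parts[-1].lower() if parts else ""
    parent = parts[-2].lower() if len(parts) > 1 else ""
    return parent, name


def classify_file(path: str) -> Optional[str]:
    """Return the matching indicator for a path, or None if it is clean."""
    parent, name = _split(path)
    if name in DROPPED_NAMES:
        return "hard-coded dropped filename"
    if name in ZIP_NAMES:
        return "hard-coded ZIP name"
    if DOUBLE_EXT_RE.search(name):
        return "double extension ending in executable type"
    # Inferred from the advisory: the worm lands in %windir%\services.exe,
    # whereas the legitimate services.exe lives under System32.
    if name == "services.exe" and parent in {"winnt", "windows"}:
        return "services.exe in %windir% root"
    return None


def scan_files(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every path that matches an indicator."""
    hits = []
    for path in paths:
        reason = classify_file(path)
        if reason:
            hits.append((path, reason))
    return hits


def scan_run_values(run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """run_values maps value name -> value data under RUN_KEY; return matches."""
    return [(n, d) for n, d in run_values.items() if RUN_DATA_RE.search(d)]


# Constructed sample inputs, not taken from a real host.
SAMPLE_LISTING = [
    r"C:\WINNT\system32\services.exe",
    r"C:\WINNT\services.exe",
    r"C:\Documents and Settings\user\My Documents\report.doc",
    r"D:\shared\how to hack.doc.exe",
    r"D:\shared\creditcard.zip",
    r"E:\incoming\invoice.rtf.scr",
]
SAMPLE_RUN = {
    "service": r"C:\WINNT\services.exe -serv",
    "Synchronization Manager": "mobsync.exe /logon",
}

if __name__ == "__main__":
    for path, reason in scan_files(SAMPLE_LISTING):
        print(f"FILE  {path}  ->  {reason}")
    for name, data in scan_run_values(SAMPLE_RUN):
        print(f"RUN   {RUN_KEY}\\{name} = {data}")
```

Feed it a `dir /s /b` listing of the drives and the contents of the Run key; the name matches are exact and cheap, while the double-extension and %windir%-root checks are heuristics and should be confirmed against the 22,016-byte size and the scanner's DAT before cleanup.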

Night201

Diamond Member
Apr 23, 2001
Symantec says:

Note: Beta Definitions 27994 dated February 18, 2004 3:30AM PT, or later will detect this threat.


Where can one download these?