Installation
When executed, the worm creates the following folder:
C:\MSOCache
The worm copies its file into that folder under the following filename:
msn.vbe
The contents of the folder are then compressed using WinRAR or WinZIP. The following file is produced:
c:\Windows\Fonts\C.Vitae.zip
The worm copies itself in the following locations:
%system%\msn.vbe
%windir%\system\msnmsgr.vbe
%windir%\system32\IEXPLORE.vbe
C:\windows\System\msnmsgr.vbe
C:\windows\System32\IEXPLORE.vbe
C:\Windows\System32\Setup\Messenger.vbs
The following files are created:
C:\Documents and Settings\All Users\Desktop\Internet Explorer.lnk
C:\Documents and Settings\All Users\Desktop\MSN Messenger.lnk
C:\Documents and Settings\All Users\Escritorio\Internet Explorer.lnk
C:\Documents and Settings\All Users\Escritorio\MSN Messenger.lnk
These are shortcuts to the worm's files.
In order to be executed on every system start, the worm sets the following Registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSN Messenger" = "C:\Windows\System32\Setup\Messenger.vbs"
The following Registry entries are set:
[HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings]
"Timeout" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoAdminPage" = 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"Disabled" = 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives" = 67108863
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = 1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun" = 1
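The following offline check is an added example, not part of the original description: it parses a regedit text export and reports values that match the registry entries listed above, and decodes the NoDrives bitmask. The function names, the REG_DWORD typing of the numeric values and the sample export are assumptions constructed for illustration.

```python
import re
# Indicators copied from the registry entries listed above; numeric data assumed to be REG_DWORD.
POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
INDICATORS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "MSN Messenger"):
        r"C:\Windows\System32\Setup\Messenger.vbs",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings", "Timeout"): 0,
    (POL + r"\System", "NoAdminPage"): 1,
    (POL + r"\System", "DisableRegistryTools"): 1,
    (POL + r"\WinOldApp", "Disabled"): 1,
    (POL + r"\Explorer", "NoDrives"): 67108863,
    (POL + r"\Explorer", "NoRun"): 1,
}
VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Yield (key, name, data) from regedit export text; dword -> int, string -> unescaped str."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            name, dword, string = m.groups()
            yield key, name, int(dword, 16) if dword else re.sub(r"\\(.)", r"\1", string)

def audit(text):
    """Return (key, name, data) for exported values matching an indicator (case-insensitive)."""
    low = lambda v: v.lower() if isinstance(v, str) else v
    wanted = {(k.lower(), n.lower()): low(v) for (k, n), v in INDICATORS.items()}
    return [(k, n, d) for k, n, d in parse_reg(text)
            if wanted.get((k.lower(), n.lower()), object()) == low(d)]

def hidden_drives(mask):
    """Decode NoDrives: bit 0 hides A:, bit 25 hides Z:."""
    return "".join(chr(ord("A") + i) for i in range(26) if mask >> i & 1)

# Constructed sample export (not captured from a real host); "Updater" is a benign placeholder.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSN Messenger"="C:\\Windows\\System32\\Setup\\Messenger.vbs"
"Updater"="C:\\Program Files\\Example\\updater.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:03ffffff
"NoRun"=dword:00000000
'''

if __name__ == "__main__":
    for key, name, data in audit(SAMPLE):
        print(f"MATCH {key}\\{name} = {data!r}")
```

Decoding the NoDrives value from the list above with hidden_drives shows that all 26 bits are set, so every drive letter from A to Z is hidden in Explorer.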
Spreading via e-mail
E-mail addresses for further spreading are searched for in local files with one of the following extensions:
asp
aspx
cfm
ctt
dbx
eml
hta
htm
html
htt
htx
ini
nfo
php
shtml
wab
xls
Text of the e-mail sent is in Spanish. Subject of the message is the following:
Adjunto Curriculum Vitae para posible vacante.
Body of the message is the following:
Adjunto Currilum Vitae, por estar interesado en algún puesto vacante en su empresa,me encantaria que lo tuviera en cuenta, ya que estoy buscando trabajo por esa zona. Sin más, reciba un cordial Saludo.
The attachment is a ZIP archive containing the worm. Its filename is the following:
C.Vitae.zip
The worm also sends e-mails to various addresses at the following domains:
@movistar.es
@vodafone.es
Subject of the message is the following:
Msj Operador: Proteja su movil
Body of the message is the following:
Descarguese gratis el Antivirus para Nokias Series 60. (6630,6680,7610,7650,N70,N90), totalmente gratuito.
The message contains a link to a file with the following name:
Antivirus.sis
Spreading via shared folders
The worm searches for network drives and copies its file to them under the following filename:
msn.vbe
Other information
The following programs are terminated:
apvxdwin.exe
AVENGINE.exe
bdnagent.exe
bdswitch.exe
mcagent.exe
mcdetect.exe
navapsvc.exe
navapw32.exe
navw32.exe
pavcl.com
PavFires.exe
savscan.exe
Logon passwords of some users may be changed to the following:
Leslie
