Threat Encyclopedia

Installation
When executed, the worm copies itself to the following locations:

%drive%\Mr_CoolFace.scr
%drive%\Mr_CF\Mr_CF.exe
%system%\%variable%.exe
%system%\Mr_CoolFace.scr
%system%\msvbvm60.dll
%windir%\Negeri Serumpun Sebalai .pif .bat .com .scr .exe 
%userprofile%\Local Settings\Temp\inf4D2.tmp
%userprofile%\Local Settings\DNALSI_AKGNAB.exe 
%userprofile%\Local Settings\DNALSI_AKGNAB.exe.mutant
%userprofile%\Local Settings\Mr_CF_Mutation.Excalibur
%userprofile%\Desktop\Message For My Princess.txt
%userprofile%\Desktop\Message For My Princess.scr 
%userprofile%\Application Data\explorer.exe
%userprofile%\Application Data\Mr_CoolFace.exe
%userprofile%\Application Data\SMA Negeri 1 Pangkalpinang.exe
%userprofile%\Start Menu\Programs\Startup\winlogon.exe
C:\explorer.exe

%variable% stands for random text.

The worm creates the following files:

C:\Mutant.htm
%userprofile%\Application Data\Mr_CF\Folder.htt
%userprofile%\Application Data\Mr_CF\Desktop.ini
%userprofile%\Local Settings\Application Data\Polymorph1.exe
%userprofile%\Local Settings\Application Data\Polymorph2.exe
%userprofile%\Application Data\Autorun.inf


The worm may create copies of itself using the following filenames:

%allusersprofile%\Documents\Pantai Pasir Padi.scr
%allusersprofile%\Documents\Bangka Island.scr
%allusersprofile%\Documents\Pangkalpinang.scr
%allusersprofile%\Documents\Pantai Parai.scr
%allusersprofile%\Documents\Tanjung Pesona.scr
%allusersprofile%\Documents\Lapangan Merdeka.scr
%allusersprofile%\Documents\Sahang dan Timah.scr


The worm randomly inserts a copy of itself or text strings into the following files:

%userprofile%\Application Data\Mutant.exe
%userprofile%\Application Data\Sahang.exe
%userprofile%\Application Data\Timah.exe


In order to be executed on every system start, the worm sets the following Registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] 
"Userinit" = "%system%\userinit.exe, C:\explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe C:\explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"%name%" = "%variable%.exe"

%name% and %variable% stand for random text.

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"CheckedValue" = 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"DefaultValue" = 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"DefaultValue" = 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"CheckedValue" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"DefaultValue" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"CheckedValue" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"DefaultValue" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"UncheckedValue" = 0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = 2
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = 1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPath" = 1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPathAddress" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
"(Default)" = "File Folder"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile]
"(Default)" = "File Folder"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE" = "MR_COO~1.SCR"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaverIsSecure" = 0

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveTimeOut" = 60

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "C:\Mutant.htm"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = "C:\explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell" = "C:\explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
"AlternateShell" = "C:\explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot]
"AlternateShell" = "C:\explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spider.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcsched.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcod.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.EXE]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\URemovalCRC32.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winamp.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV32.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV.exe]
"Debugger" = "C:\Explorer.exe" 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe]
"Debugger" = "C:\Explorer.exe"
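
As an added example (not part of this encyclopedia entry), the following Python script audits a registry export for the persistence and tool-hijacking settings described above and in the "Image File Execution Options" entries under "Other information": IFEO "Debugger" redirections, a Winlogon "Userinit" or "Shell" value with an extra program appended, a SafeBoot "AlternateShell" that is not cmd.exe, and System Restore switched off by policy. It assumes input in regedit's .reg export syntax (regedit /e); the sample text is constructed to mirror the entries listed here.

```python
import re

# Constructed .reg export (regedit /e syntax) mirroring the entries listed above; it is
# not a capture from an infected machine.  example.exe is a benign key with no Debugger.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe, C:\\explorer.exe"
"Shell"="explorer.exe C:\\explorer.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="C:\\explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Program Files\\Common Files\\tskmgr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe]
"DisableExceptionChainValidation"=dword:00000000
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Map key path -> {value name: value}; dwords become int, strings are unescaped."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            cur = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line)
        if m and cur is not None:
            name, s, dword = m.groups()
            cur[name] = int(dword, 16) if dword else s.replace('\\\\', '\\').replace('\\"', '"')
    return keys


def audit(keys):
    """Flag the persistence and tool-hijack settings the description above attributes to the worm."""
    hits = []
    for key, vals in keys.items():
        low = key.lower()
        if '\\image file execution options\\' in low and 'Debugger' in vals:
            hits.append('IFEO Debugger on %s -> %s' % (key.rsplit('\\', 1)[-1], vals['Debugger']))
        if low.endswith('\\winlogon'):
            parts = [p.strip() for p in vals.get('Userinit', '').split(',') if p.strip()]
            if parts and (len(parts) > 1 or not parts[0].lower().endswith('userinit.exe')):
                hits.append('Winlogon Userinit tampered: ' + vals['Userinit'])
            if vals.get('Shell', 'explorer.exe').strip().lower() != 'explorer.exe':
                hits.append('Winlogon Shell tampered: ' + vals['Shell'])
        if low.endswith('\\control\\safeboot') and vals.get('AlternateShell', 'cmd.exe').lower() != 'cmd.exe':
            hits.append('SafeBoot AlternateShell tampered: ' + vals['AlternateShell'])
        if low.endswith('\\systemrestore'):
            hits += ['System Restore disabled via ' + n for n in ('DisableSR', 'DisableConfig') if vals.get(n) == 1]
    return hits
```

Running audit(parse_reg(SAMPLE_REG)) on the sample yields five findings and nothing for example.exe, since only a "Debugger" value under an IFEO key redirects a program.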

 

Spreading
The worm copies itself into the root folders of fixed and/or removable drives using the following filenames:

%drive%\Mr_CoolFace.scr

%drive%\Mr_CF\Mr_CF.exe

%drive%\Beautiful Lady.scr

The worm creates the following files:

%drive%\Autorun.inf

%drive%\Mr_CF\Folder.htt

The worm searches local drives for files with the following file extensions:

.Exe
.exe
.scr
.PNG
.png
.SWF
.swf
.GIF
.gif
.BMP
.bmp
.PDF
.pdf
.BAT
.bat
.INF
.inf
.TXT
.txt
.RAR
.rar
.ZIP
.zip
.MDB
.mdb
.XLS
.xls
.PPT
.ppt
.HTML
.html
.HTM
.htm
.Avi
.AVI
.avi
.3Gp
.3GP
.3gp
.Mpg
.MPG
.mpg
.MIDI
.Midi
.midi
.Wmv
.WMV
.wmv
.Wma
.WMA
.wma
.Mp4
.MP4
.mp4
.Mp3
.MP3
.mp3
.Mid
.MID
.mid
.Doc
.DOC
.doc
.Mov
.MOV
mov
.Jpeg
.JPEG
.jpeg
.Rtf
.RTF
.rtf
.Jpg
.JPG
.jpg

When the worm finds a file matching the search criteria, it creates a new copy of itself. The name of the new file is based on the name of the file found in the search. The extension of the file is ".scr".

Spreading via e-mail
The worm gathers e-mail addresses for further spreading from the e-mails stored locally.

The subject of the message is one of the following:

Ketika Rindu bertemu Kangen

Lama Tak Jumpa

Ketika Kangen bertemu Rindu

I miss U

Still Remember???

Please Remember Me.

I Miss You So Much !

Shall I Be The One For You ?

Don't Forget Me,please!

Remember Our Past?

Rindu Yang Tak Tertahankan

Please Come Back!

I don't wish to lost you again!

Malarindu Tropikangen

Re:


The body of the message is one of the following:

I wanna be you friend. So I give you a little present ^_^


Ehm,....would you like to be my friend ?


Please check, tell me if you like it ^_^.


Will I meet You my old friend...
I miss You, I give you a file that will remind you...


Dear My Sweetie..
Here is the file, Thank you for your friendship.


Please, don't forget me...Ok! Take a look at the attacment, you will remember me.


I am missing you, please come back...
I give you the proof that I miss you so much!


Shall I be the one for you?


Still remember me ???


Do you remember me?


Here, the file that you want


Finally, I found the data !, what do you think ??


Sorry, I forget to send you the document.
I'm oversleep.


Please check, told me if there's a mistake.


Take this, please tell me if there's an error.


Dear My Friend..
Here is the file, Thank you for your cooperative.

The attachment is an executable of the worm. Its filename is one of the following:

Rindu dan Kangen bersatu.txt .pif
Kangen dan Rindu bersatu.tmp .pif
SweetMemory.doc .pif
Friend Reminder.doc .exe
www.lovestory.com
MyMind.doc .pif
CuteGame3.0 Installer.com
LoveGame.bmp .exe
My_Beloved.doc .exe
Love_U_So_Much.txt .pif
Our_Memory.ppt .pif
I_Miss_U.doc .pif
Rindu.doc .exe
Kenangan Cinta.doc .pif
Beauty ScreenSaver.scr
Keygen.exe
Data.doc .pif
Tutorial.ppt .pif
Crack.exe
Mahasiswi Cantik.scr
MindMap.exe
NetMeeting.com
Namo7.0_Installer.com
www.Hacking_Tool.bat
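
As an added example (not part of this encyclopedia entry), the following Python script checks a directory listing for the two naming tricks described in the Spreading sections: a ".scr" copy created next to a found file and named after it, and attachment names that put a document extension and padding in front of an executable extension (or start with "www." while ending in .com or .bat). The extension sets are taken from the lists above; the directory listing is constructed, and the .scr companion check accepts both "X.ext.scr" and "X.scr" beside "X.ext" since the description does not fix which form is used.

```python
import os

# Extensions from the worm's search list above (lowercased) and the executable suffixes
# that appear in its attachment names; both sets are taken from the description.
DOC_EXT = {'.png', '.swf', '.gif', '.bmp', '.pdf', '.inf', '.txt', '.rar', '.zip', '.mdb',
           '.xls', '.ppt', '.html', '.htm', '.avi', '.3gp', '.mpg', '.midi', '.wmv', '.wma',
           '.mp4', '.mp3', '.mid', '.doc', '.mov', '.jpeg', '.rtf', '.jpg'}
EXEC_EXT = {'.exe', '.scr', '.pif', '.com', '.bat'}


def split_ext(name):
    base, ext = os.path.splitext(name)
    return base, ext.lower()


def deceptive_reason(name):
    """Why a filename looks like a disguised executable, or None if it does not."""
    base, ext = split_ext(name)
    if ext not in EXEC_EXT:
        return None
    inner_ext = split_ext(base.strip())[1]      # "Data.doc " -> ".doc" (padding stripped)
    if inner_ext in DOC_EXT:
        return 'document extension %s in front of executable %s' % (inner_ext, ext)
    if base.lower().startswith('www.'):
        return 'domain-looking name with executable extension %s' % ext
    return None


def find_companions(names):
    """Pairs (scr_file, original) where a .scr file mirrors another file in the listing,
    either as 'X.ext.scr' beside 'X.ext' or as 'X.scr' beside 'X.ext'."""
    by_full = {n.lower(): n for n in names}
    by_stem = {}
    for n in names:
        base, ext = split_ext(n)
        if ext != '.scr':
            by_stem.setdefault(base.lower(), n)
    pairs = []
    for n in names:
        base, ext = split_ext(n)
        if ext == '.scr':
            orig = by_full.get(base.lower()) or by_stem.get(base.lower())
            if orig:
                pairs.append((n, orig))
    return pairs


def scan(names):
    return {'deceptive': {n: deceptive_reason(n) for n in names if deceptive_reason(n)},
            'companions': find_companions(names)}


# Constructed directory listing; the worm-style names are modelled on those listed above.
SAMPLE_LISTING = ['budget.xls', 'budget.xls.scr', 'holiday.jpg', 'holiday.scr', 'readme.txt',
                  'SweetMemory.doc .pif', 'www.lovestory.com', 'setup.exe', 'Pantai Parai.scr']
```

On the sample, scan() reports budget.xls.scr and holiday.scr as companions of budget.xls and holiday.jpg, and flags budget.xls.scr, "SweetMemory.doc .pif" and www.lovestory.com as deceptive names while leaving setup.exe alone.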

 

Other information
The worm blocks keyboard and mouse input.

If the worm finds a window of a running process which contains any of the following strings in its title:

Notepad

NOTEPAD

UNTITLED

the worm changes the window title to:

Message For My Princess

The worm may insert any of the following text strings into edit controls of the running process:

DEAR MY PRINCESS

WHEN THE STARS FILL THE SKY I WILL MEET YOU MY LOVELY PRINCESS

I MISS YOU SO MUCH MY PRINCESS

IN MY DEAREST MEMORY I SEE YOU REACHING OUT TO ME

I WILL REMEMBER YOU AS LONG AS YOU REMEMBER ME

IN YOUR DEAREST MEMORY DO YOU REMEMBER LOVING ME

PLEASE DO NOT FORGET OUR PAST

DID YOU KNOW THAT I HAD MIND ON YOU

I NEVER WISH TO LOSE YOU AGAIN

SHALL I BE THE ONE FOR YOU

I WANNA TAKE YOU TO MY PALACE

I WILL TAKE YOU TO OUR UTOPIA

I AM FALLING IN LOVE WITH YOU

I WILL BE WAITING FOR YOU

I DO NOT WANT TO SAY GOOD BYE TO YOU

PLEASE DO NOT FORGET YOUR PRINCE

I SAW YOU SMILING AT ME WAS IT REAL OR JUST MY FANTASY

YOU WILL ALWAYS IN MY HEART

YOU ALWAYS IN MY DREAMS

I ALWAYS SEE YOU IN MY DREAMS

I HAVE BEEN POISONED BY YOUR LOVE

I MISS YOU I AM STILL LOOKING FOR YOU

I WILL BE THERE I WILL BE WAITING FOR YOU

PLEASE COME BACK TO OUR BEAUTY ISLAND

I MISS YOUR CUTE SMILE



[Image: viruses/Win32.Ridnu.NAA.Worm_example_J.bmp]


If the worm finds a window of a running process which contains any of the following strings in its title:

MY DOCUMENTS

FREECELL

HEARTS

MINESWEEPER

PINBALL

SOLITAIRE

the worm changes the window title to:

Mr_CoolFace



[Image: viruses/Win32.Ridnu.NAA.Worm_example_X.bmp]

If the worm finds a window of a running process which contains any of the following strings in its title:

COPYING..

the worm changes the window title to:

Sedang Mengopy...



[Image: viruses/Win32.Ridnu.NAA.Worm_example_N.bmp]


If the worm finds a window of a running process which contains any of the following strings in its title:

MOVING..

the worm changes the window title to:

Sedang Memindahkan...



[Image: viruses/Win32.Ridnu.NAA.Worm_example_O.bmp]

If the worm finds a window of a running process which contains any of the following strings in its title:

DELETING..

the worm changes the window title to:

Sedang Menghapus...



[Image: viruses/Win32.Ridnu.NAA.Worm_example_Z.bmp]

If the worm finds a window of a running process which contains any of the following strings in its title:

RUN

CREATE NEW TASK

the worm changes the window title to:

Mr_CoolFace Has Come !

The worm may insert any of the following text strings into edit controls of the running process:

MR COOLFACE !



[Image: viruses/Win32.Ridnu.NAA.Worm_example_A.bmp]

The worm terminates any program that creates a window containing any of the following strings in its name:

ANTI
VIRUS
SPIDER
VIROLOG
TROJAN
WORM
MALWARE
TWEAK
POWERDVD
HIJACK
SECURITY TASK
PCMAV
HACKER
VAKSIN
NORMAN
NVC
ZANDA
MCAFEE
AVG
AVP
EXTENSION TEST
RESULT DETAIL
SCANNING STATISTIC
KASPERSKY
SYMANTEC
TREND
SECUNIA
REGISTRY
OPTIX PRO
FORCE
PANDA
F-SECURE
SOPHOS
CASTLECOP
QKILL
COMPACTBYTE
EARTHLINK PROTECTION
ERTANTO
YOHAN
WASHER
NORTON
PROCEXP
MMC
GRISOFT
REGCURE
AVAS
CILIN
MACHINE
REMOVER
REMOVI
REMOVA
ABLE
SPYWARE
BITDEF
CLEANER
REALPLAYER
JAMILA
PROCESS VIEWER
PROCESS EXPLORER
SYSINTERNAL
IKNOW
I KNOW
TASK MANAGER
TASKMANAGER
TASKS MANAGER
TASKGUARDIAN
SPY
MIGHTY CHICKEN
MIGHTYCHICKEN
WINPATROL
WAV V
POWERTOOL
POWER TOOL
TASK
PROCESS MANAGER
PROCESSMANAGER
WINTASK
WIN TASK
LUKE FILEWALKER
ANVIR
AVIRA
TASKINFO
TASK INFO
PROCESSMONITOR
PROCESS MONITOR
PROCESSINFO
PROCESS INFO
CURRPROCESS
CURR PROCESS
PCSUMMARIZER
CHRIS PC
NOTESXP
STARTUP ORGANIZER
SIKUP
REGFIX
REG FIX
FLAMMING WALL
AD-AWARE
BLACKICE
POP3TRAP
COMMAND BRO
BACA BRO
ZXI
ZX1
ZX I
ZX 1
ZX_I
ZX_1
GEOBLACK
IDIOT
IDI0T
PUSHM
PUSH M
PUSH_M
ADHIE
MACAN
AD HIE
AD_HIE
EVANTA
FAJAR
CUEX
JOWOBOT
HELLSPAWN
PLUTO
BLUESCREEN
RORO
XNADROS
X4NDR05
DEWA
MUSIC
MUSIK
RHAPSODY
MP3
MP 3
SONG
SING
MEDIA PLAYER
WINAMP
RTLRACK
PINNACLE
TUNE
DR.WEB
I*N
FOLDER OPTION
SEARCH RESULTS
CONFIGURATION UTILITY
CabinetW
rellikitlMultikiller
Multikiller
Multikiller2
Registry Editor
System Configuration Utility
System Restore
Process Viewer
Process Explorer
Zanda's little helper
CBAV
PROCEXPL
PrcView
TSystemCleaner
TMainF
TmainF
TForm1
CurrProcess
Warecase
AnVir
TShowSplash
ConsoleW
RegEdit
ANVIE

The worm terminates processes with any of the following strings in the name:

client008.exe


The following Registry entries may be set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freecell.exe]
"Debugger" = "C:\Program Files\Common Files\freecel.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshearts.exe]
"Debugger" = "C:\Program Files\Common Files\msheart.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger" = "C:\Program Files\Common Files\N0TEPAD.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmine.exe]
"Debugger" = "C:\Program Files\Common Files\w1nm1ne.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger" = "C:\Program Files\Common Files\kalkulator.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger" = "C:\Program Files\Common Files\tskmgr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger" = "C:\Program Files\Common Files\reged1t.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sol.exe]
"Debugger" = "C:\Program Files\Common Files\kartu.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Append____________Nempel_Serv1ce" = "explorer.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Kata_Sambutan" = "Mr_CoolFace_Datang_Lagi"

[HKEY_CURRENT_USER\Identities\{%?%}\Software\Microsoft\Outlook Express\5.0\Mail]
"Warn on Mapi Send" = 0

A string with variable content is used instead of %?%.


The following file is deleted:

C:\Program Files\Common Files\Mutation.bat


The worm may create copies of the following files (source, destination):

%system32%\cmd.exe, C:\Program Files\Common Files\_cmd.exe

%system32%\freecell.exe, C:\Program Files\Common Files\freecel.exe

%system32%\mshearts.exe, C:\Program Files\Common Files\msheart.exe

%system32%\notepad.exe, C:\Program Files\Common Files\N0TEPAD.exe

%system32%\winmine.exe, C:\Program Files\Common Files\w1nm1ne.exe

%system32%\calc.exe, C:\Program Files\Common Files\kalkulator.exe

%system32%\taskmgr.exe, C:\Program Files\Common Files\tskmgr.exe

%system32%\sol.exe, C:\Program Files\Common Files\kartu.exe

%system32%\spider.exe, C:\Program Files\Common Files\Laba_Laba.exe

%windir%\pchealth\helpctr\binaries\msconfig.exe, C:\Program Files\Common Files\msconf1g.exe

%windir%\regedit.exe, C:\Program Files\Common Files\reged1t.exe

The worm may replace these files with a copy of itself.


The worm may display a dialog box with the title:

Mr_CoolFace Mohon Maaf Lahir Dan Batin

The dialog box contains the following text:

Please Pardon Me Ya !


The worm may open the CD/DVD drive.