Selected viruses, spyware, and other threats: sorted alphabetically
Installation and Autostart Techniques
The worm is written in Visual Basic 6 and only runs if the VB6 runtime is installed. The runtime is not part of a default Windows 9x installation, but is present on a default Windows XP system.
Upon execution the worm copies itself into the %System% folder as "scanregw.exe", "update.exe" and "winzip.exe", and places a further copy, "rundll16.exe", in the %Windows% folder.
The worm also creates a zero-byte ZIP file named after the original executable, opens it in Explorer, and creates a mutex "HGFSMUTEX" in the second instance (rundll16.exe).
Note: %System% denotes the Windows system directory (e.g. C:\WINDOWS\SYSTEM32), which differs between versions of Microsoft Windows.
The worm adds the following value to the registry so that it runs every time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
“ScanRegistry” = “%System%\scanregw.exe /scan”
It also tries to delete the following registry values, which are the autostart entries of security products and of some file-sharing clients:
NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
CleanUp
MPFExe
MSKAGENTEXE
MSKDetectorExe
McVsRte
PCClient.exe
PCCIOMON.exe
pccguide.exe
Pop3trap.exe
PccPfw
PCCIOMON.exe
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
rtvscn95
defwatch
vptray
ScanInicio
APVXDWIN
KAVPersonal50
kaspersky
TM Outbreak Agent
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
AVG7_CC
AVG7_EMC
Vet Alert
VetTray
OfficeScanNT Monitor
avast!
DownloadAccelerator
BearShare
from each of the following keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
It also tries to modify the following registry values (disabling Explorer's web view, hiding protected operating-system files and suppressing the full path in the title bar, which makes the dropped files harder to notice):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"WebView" = "0"
"ShowSuperHidden" = "0"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
"FullPath" = "0"
And several entries under:
HKLM\Software\Classes\Licenses
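The autostart value and the Explorer changes listed above can be checked offline on a text export of the relevant keys, for example when triaging a disk image. The following Python is an added example and is not code from the original page or from the worm. The sample .reg text is constructed; the value names, dropped file names and key paths come from the description above, and the .reg unescaping is simplified to backslashes and quotes only.

```python
from __future__ import annotations

import re
from collections import defaultdict

KEY_RE = re.compile(r"^\[(.+)\]$")
# Handles REG_SZ ("name"="data") and REG_DWORD ("name"=dword:xxxxxxxx) lines only.
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
EXPLORER_ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
CABINET_STATE = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\cabinetstate"
# File names the worm drops (from the description above), matched as whole basenames so
# that a legitimate "VendorUpdate.exe" does not trip the "update.exe" entry.
DROPPED_NAMES = {"scanregw.exe", "update.exe", "winzip.exe", "rundll16.exe"}
EXE_BASENAME_RE = re.compile(r'([^\\/"]+\.exe)')


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {lower-cased key path: {value name: data}}."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current]  # register the key even if it carries no values
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, sz, dword = m.groups()
            if dword is not None:
                keys[current][name] = int(dword, 16)
            else:
                # .reg files escape quotes and backslashes inside REG_SZ data (simplified here).
                keys[current][name] = sz.replace('\\"', '"').replace("\\\\", "\\")
    return keys


def triage(keys: dict) -> list:
    """Return human-readable findings for the indicators described on this page."""
    findings = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            m = EXE_BASENAME_RE.search(str(data).lower())
            if m and m.group(1) in DROPPED_NAMES:
                findings.append(f"autostart value {name!r} in {key} runs dropped file {m.group(1)}: {data}")
    advanced = keys.get(EXPLORER_ADVANCED, {})
    if str(advanced.get("ShowSuperHidden")) == "0":
        findings.append("Explorer\\Advanced ShowSuperHidden=0: protected system files hidden")
    if str(advanced.get("WebView")) == "0":
        findings.append("Explorer\\Advanced WebView=0: folder web view disabled")
    if str(keys.get(CABINET_STATE, {}).get("FullPath")) == "0":
        findings.append("Explorer\\CabinetState FullPath=0: full path not shown in title bar")
    return findings


# Constructed sample export (not taken from an infected machine). The second Run value is a
# benign decoy whose basename merely contains "update.exe".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\system32\\scanregw.exe /scan"
"VendorUpdate"="C:\\Program Files\\Vendor\\VendorUpdate.exe /quiet"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000
"WebView"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPath"=dword:00000000
"""

if __name__ == "__main__":
    for finding in triage(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

The basename match is deliberate: a substring test for "update.exe" or "winzip.exe" would flag many legitimate updaters and archivers, while the worm's own copies are always bare files with exactly these names in %System% or %Windows%.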
The worm also tries to delete files in the following subfolders of the Program Files folder:
DAP
BearShare
Symantec\LiveUpdate
Symantec\Common Files\Symantec Shared
Norton AntiVirus
Alwil Software\Avast4
McAfee.com\VSO
McAfee.com\Agent
McAfee.com\shared
Trend Micro\PC-cillin 2002
Trend Micro\PC-cillin 2003
Trend Micro\Internet Security
NavNT
Kaspersky Lab\Kaspersky Anti-Virus Personal
Grisoft\AVG7
TREND MICRO\OfficeScan
Trend Micro\OfficeScan Client
LimeWire\LimeWire 4.2.6
Morpheus
The worm tries to terminate processes whose window title contains any of the following words:
REMOVAL
FIX
SYMANTEC
SCAN
KASPERSKY
VIRUS
MCAFEE
TREND MICRO
NORTON
VB.NEI also reads several other registry keys to find the installation paths of:
Iface.exe
Kaspersky Anti-Virus Personal
Norton AntiVirus
Panda Antivirus 6.0 Platinum
VirusProtect6
so that it can delete the files of these security products as well.
E-mail Sender
The worm uses a spoofed sender address, chosen from the addresses collected during e-mail harvesting, and its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to the other harvested e-mail addresses.
The worm can also determine MSN Messenger / Yahoo Pager accounts. It then sends e-mails, for example with picture previews, to the contacts, using the correct Messenger display name and the current Messenger e-mail address. Such an e-mail might look like this:
E-mail harvesting
The worm collects e-mail addresses from files in the Internet cache folders that have one of the following extensions:
*.HTM, *.DBX, *.EML, *.MSG, *.OFT, *.NWS,
*.VCF, *.MBX, *.IMH, *.TXT, *.MSF
The worm skips e-mail addresses that contain any of the following strings (mostly security vendors, mailing-list services and free-mail domains):
SYMANTEC, MCAFEE, VIRUS, TREND, PANDA, SECUR,
SPAM, NORTON, ANTI, CILLIN, CA.COM, KASPER, TRUST,
AVG, GROUPS.MSN, NOMAIL.YAHOO.COM, SCRIBE, EEYE
MICROSOFT, @HOTMAIL, @HOTPOP, @YAHOOGROUPS
E-mail subjects
Email subject lines are randomly selected from the following list:
My photos
The Best Videoclip Ever
School girl fantasies gone bad
A Great Video
Fuckin Kama Sutra pics
Arab sex DSC-00465.jpg
give me a kiss
*Hot Movie*
Fw: Funny :)
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Fw:
Fw: Picturs
Fw: DSC-00465.jpg
Word file
eBook.pdf
the file
Part 1 of 6 Video clipe
You Must View This Videoclip!
Miss Lebanon 2006
Re:
Re: Sex Video
Message Body
The e-mail might contain one of the following message texts:
Hot XXX Yahoo Groups
F!ckin Kama Sutra pics
ready to be F!CKED ;)
VIDEOS! FREE! (US$ 0,00)
Please see the file.
i just any one see my photos.
It's Free :)
how are you?
i send the details.
OK ?
Note: forwarded message attached.
forwarded message attached.
>> forwarded message
----- forwarded message -----
E-mail Attachments
The worm attaches a copy of itself under one of the following file names:
007.pif
04.pif
photo.pif
School.pif
DSC-00465.Pif
DSC-00465.pIf
image04.pif
677.pif
New_Document_file.pif
eBook.PIF
document.pif
or as one of these encoded attachments:
Video_part.mim
Attachments00.HQX
Attachments001.BHX
Attachments[001].B64
3.92315089702606E02.UUE
SeX.mim
Sex.mim
Original Message.B64
WinZip.BHX
eBook.Uu
Word_Document.hqx
Word_Document.uu
After decoding, the encoded attachment contains an executable with one of the following names:
New Video,zip {spaces} .sCr
Attachments,zip {spaces} .SCR
Atta[001],zip {spaces} .SCR
Clipe,zip {spaces} .sCr
WinZip,zip {spaces} .scR
Adults_9,zip {spaces} .sCR
Photos,zip {spaces} .sCR
Attachments[001],B64 {spaces} .sCr
392315089702606E-02,UUE {spaces} .scR
SeX,zip {spaces} .scR
WinZip.zip {spaces} .sCR
ATT01.zip {spaces} .sCR
Word.zip {spaces} .sCR
Note: {spaces} represents a long run of blank spaces. They push the real executable extension out of a narrow file-name column, so the name appears to end in the decoy ",zip" or ",UUE" part; the worm also uses a comma where the decoy's dot would be and varies the letter case of the real extension (.sCr, .scR).
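The attachment names above combine three tricks: a decoy extension glued on with a comma, a long run of spaces, and a mixed-case real extension, and for the .UUE variant the disguised name is only visible after decoding. The following Python is an added example, not code from the original page or from the worm. It classifies an attachment name by the extension that follows the last dot, and decodes a uuencoded attachment to recover the inner file name that a gateway actually has to judge. The uuencoded sample is constructed and carries a harmless placeholder instead of an executable.

```python
from __future__ import annotations

import binascii
import re

# Extensions Windows runs directly; the worm mixes letter case (.sCr, .Pif), so compare lower-cased.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# A decoy archive/document suffix attached to the stem with a comma or dot, as in "New Video,zip".
DECOY_RE = re.compile(r"[.,](zip|rar|jpe?g|gif|doc|pdf|b64|uue)\s*$", re.IGNORECASE)
UU_BEGIN_RE = re.compile(r"^begin [0-7]{3} (.+)$")


def classify_attachment(name: str) -> list:
    """Return the reasons an attachment name looks like a disguised executable (empty if none)."""
    reasons = []
    trimmed = name.rstrip()  # the real extension is whatever follows the last dot
    dot = trimmed.rfind(".")
    if dot == -1:
        return reasons
    raw_ext, ext = trimmed[dot:], trimmed[dot:].lower()
    if ext not in EXEC_EXTENSIONS:
        return reasons
    reasons.append(f"executable extension {ext}")
    stem = trimmed[:dot]
    if re.search(r"\s{2,}$", stem):
        reasons.append("whitespace padding before extension")
    m = DECOY_RE.search(stem)
    if m:
        reasons.append(f"decoy extension {m.group(0).strip()!r}")
    if raw_ext not in (ext, ext.upper()):
        reasons.append(f"mixed-case extension {raw_ext!r}")
    return reasons


def uudecode_attachment(text: str) -> tuple:
    """Decode a uuencoded (.UUE/.uu) attachment and return (inner file name, payload bytes).

    The outer attachment is named *.UUE; the name that matters is the one in the begin line,
    and it may contain the same space padding and decoy suffix as the plain attachments.
    """
    lines = text.splitlines()
    m = UU_BEGIN_RE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("not a uuencoded attachment")
    body = [ln for ln in lines[1:] if ln and ln != "end"]  # the "`" line decodes to no bytes
    return m.group(1), b"".join(binascii.a2b_uu(ln) for ln in body)


# Constructed sample: a 42-byte placeholder stands in for the executable, and the inner
# name follows the pattern documented above (decoy ",UUE", space padding, mixed-case .scR).
STUB = b"MZ constructed stub, not a real executable"
INNER_NAME = "392315089702606E-02,UUE" + " " * 60 + ".scR"
SAMPLE_UUE = (
    "begin 644 " + INNER_NAME + "\n"
    + binascii.b2a_uu(STUB).decode("ascii")
    + "`\nend\n"
)

if __name__ == "__main__":
    inner, _ = uudecode_attachment(SAMPLE_UUE)
    for n in ("eBook.pdf", "photo.pif", "New Video,zip" + " " * 30 + ".sCr", inner):
        print(repr(n[:32]), classify_attachment(n))
```

A mail-gateway rule built on this has to normalise the name the same way: strip trailing whitespace, take the extension after the last dot, compare it case-insensitively, and apply the check again to whatever name a .uue, .b64, .mim or .hqx container yields after decoding, since the outer name is harmless by design.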
Network spreading technologies
The worm includes network-enumeration functions that retrieve special folder locations, such as the Personal folder, on each enumerated client. If such a folder is found and the worm has write access to it, it creates so-called vampire files: it stores all file names found in the folder in a string array, picks one of them with the Visual Basic RND (random) function, copies itself over that file and appends an executable extension. If these folders are empty or do not exist, the worm tries to copy itself to other shares under one of the following randomly selected file names:
movies.exe
New WinZip File.exe
Zipped Files.exe
The second network-spreading task, driven by the Visual Basic Timer2 control, tries to copy the worm to the following locations on the remote machine (the last one is the All Users Startup folder, so the copy runs at the next logon):
Admin$\WINZIP_TMP.exe
C$\WINZIP_TMP.exe
C$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe
On the target machine the worm checks whether any of the following locations exist:
C$\Program Files\Norton AntiVirus
C$\Program Files\Common Files\symantec shared
C$\Program Files\Symantec\LiveUpdate
C$\Program Files\McAfee.com\VSO
C$\Program Files\McAfee.com\Agent
C$\Program Files\McAfee.com\shared
C$\Program Files\Trend Micro\PC-cillin 2002
C$\Program Files\Trend Micro\PC-cillin 2003
C$\Program Files\Trend Micro\Internet Security
C$\Program Files\NavNT
C$\Program Files\Panda Software\Panda Antivirus Platinum
C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
C$\Program Files\Panda Software\Panda Antivirus 6.0
C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus
If any of them is found, the worm deletes all files in that location before it tries to spread.
Payload
On the 3rd of every month the worm starts a timer that overwrites, and thereby destroys the contents of, files with the following extensions:
*.doc, *.xls, *.mdb, *.mde, *.ppt, *.pps, *.zip, *.rar, *.pdf, *.psd, *.dmp
