[CS-FSLUG] New Win Virus

Don Parris gnumathetes at gmail.com
Mon Jan 23 15:23:03 CST 2006


For those who still keep Windows around, here's a heads-up:

Date:   1/23/06 	

Name of Virus:  Symantec calls it W32.Blackmal.E@mm,
                Trend Micro calls it WORM_GREW.A,
                Sophos calls it W32/Nyxem-D

Other Information:

Malware type: Worm

Aliases: W32.Blackmal.E@mm, W32/Kapser.A@mm, W32/MyWife.d@MM, Win32/Blackmal.F

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 98, ME, NT, 2000, XP, 2003 Server

Encrypted: Yes

Overall risk rating:  Low
________________________________________
Reported infections:  Low

Damage potential:  High

Distribution potential:  High

Propagates via email

Propagates via network shares


Description:
This worm propagates by attaching copies of itself to email messages
that it sends to target addresses, using its own Simple Mail Transfer
Protocol (SMTP) engine. It can then send email messages without using
mailing applications, such as Microsoft Outlook.
The email message it sends out has the following details:
Subject: (any of the following)

• *Hot Movie*
• A Great Video
• Arab sex DSC-00465.jpg
• eBook.pdf
• Fw: DSC-00465.jpg
• Fw: Funny :)
• Fw: Picturs
• Fw: Real show
• Fw: SeX.mpg
• Fw: Sexy
• Fwd: Crazy illegal Sex!
• Fwd: image.jpg
• Fwd: Photo
• give me a kiss
• Miss Lebanon 2006
• My photos
• Part 1 of 6 Video clipe
• Photos
• School girl fantasies gone bad
Attachment: (any of the following)

• 007.pif
• 392315089702606E-02,.scR
• 677.pif
• Adults_9,zip.sCR
• ATT01.zip.sCR
• Attachments[001],B64.sCr
• Clipe,zip.sCr
• document.pif
• DSC-00465.Pif
• DSC-00465.pIf
• eBook.PIF
• image04.pif
• New Video,zip
• New_Document_file.pif
• photo.pif
• Photos,zip.sCR
• School.pif
• SeX,zip.scR
• Sex.mim
• Video_part.mim
• WinZip,zip.scR
• WinZip.BHX
• WinZip.zip.sCR
• Word XP.zip.sCR
• Word.zip.sCR

It gathers email addresses from files with certain extensions, such as
DOC, PSD, RAR, and ZIP.
It also propagates through network shares. It does the said routine by
searching the network for ADMIN$ and C$ shares, where it drops a copy
of itself using the file name WINZIP_TMP.EXE.
Upon execution, it drops and opens a non-malicious .ZIP archive named
SAMPLE.ZIP in the Windows system folder.
Moreover, this worm deletes autostart registry entries, as well as
associated files of several programs, most of which are related to
security and antivirus applications. The said routines may cause
referenced programs to malfunction, effectively making the affected
system more vulnerable to further attacks.
In addition, it is capable of disabling the mouse and keyboard of the
affected system.
It also creates a scheduled task using the Windows Task Scheduler on
Windows NT, 2000, XP, and Server 2003 to execute itself on the 59th
minute after it was dropped.
On Windows 2000, XP, and Server 2003, it drops a copy of itself in the
All Users Startup folder.



Enjoy!

Don
--
DC Parris GNU Evangelist
http://matheteuo.org/
gnumathetes at gmail.com
"Hey man, whatever pickles your list!"
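The advisory above gives a mail gateway everything it needs to flag this worm before a user opens the attachment: a fixed set of subject lines, a fixed set of attachment names, and a recognisable trick of hiding a .pif/.scr/.mim/.bhx executable behind a ",zip"/".zip" lookalike name in mixed case. The following is an added example, written for this page and not code from the original post or from any AV vendor; it parses MIME messages with Python's standard library and reports which of the advisory's indicators a message triggers. The three sample messages at the bottom are constructed for the example, and the `EXEC_EXT`/`DOUBLE_EXT` patterns generalise the listed names to any executable type the worm used, including the .EXE it drops on ADMIN$/C$ shares, so they will also catch names not on the list.

```python
"""Mail-gateway indicator check for the Nyxem/Blackmal.E mailing above.

Added example, not part of the original post.  It extracts the Subject
and every attachment filename from an RFC 5322 message and flags it when
either matches the advisory's lists, or when the attachment is an
executable type (.pif, .scr, .mim, .bhx, .exe) dressed up as an archive
or image.  Sample messages are constructed here, not captured worm mail.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from typing import Optional

# Subjects and attachment names copied from the advisory text.
WORM_SUBJECTS = {
    "*Hot Movie*", "A Great Video", "Arab sex DSC-00465.jpg", "eBook.pdf",
    "Fw: DSC-00465.jpg", "Fw: Funny :)", "Fw: Picturs", "Fw: Real show",
    "Fw: SeX.mpg", "Fw: Sexy", "Fwd: Crazy illegal Sex!", "Fwd: image.jpg",
    "Fwd: Photo", "give me a kiss", "Miss Lebanon 2006", "My photos",
    "Part 1 of 6 Video clipe", "Photos", "School girl fantasies gone bad",
}
WORM_ATTACHMENTS = {
    "007.pif", "392315089702606E-02,.scR", "677.pif", "Adults_9,zip.sCR",
    "ATT01.zip.sCR", "Attachments[001],B64.sCr", "Clipe,zip.sCr",
    "document.pif", "DSC-00465.Pif", "DSC-00465.pIf", "eBook.PIF",
    "image04.pif", "New Video,zip", "New_Document_file.pif", "photo.pif",
    "Photos,zip.sCR", "School.pif", "SeX,zip.scR", "Sex.mim",
    "Video_part.mim", "WinZip,zip.scR", "WinZip.BHX", "WinZip.zip.sCR",
    "Word XP.zip.sCR", "Word.zip.sCR",
}
# The worm randomised letter case (.sCR, .pIf), so compare case-folded.
_SUBJECTS_CF = {s.casefold() for s in WORM_SUBJECTS}
_ATTACH_CF = {a.casefold() for a in WORM_ATTACHMENTS}

# Generalisation (assumption): any executable type the worm used, in any case.
EXEC_EXT = re.compile(r"\.(pif|scr|mim|bhx|exe)$", re.IGNORECASE)
# "Photos,zip.sCR", "WinZip.zip.sCR": archive/image-looking stem, executable tail.
DOUBLE_EXT = re.compile(r"[.,](zip|jpg|pdf|b64|mpg)\.(pif|scr|exe)$", re.IGNORECASE)


def attachment_names(msg: EmailMessage) -> list[str]:
    """Return the filename of every attachment part of the message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def classify(raw: bytes) -> dict:
    """Parse one raw message and list the advisory indicators it triggers.

    Returns {'subject', 'attachments', 'reasons'}; an empty 'reasons'
    list means no indicator matched.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    names = attachment_names(msg)
    reasons = []
    if subject.strip().casefold() in _SUBJECTS_CF:
        reasons.append(f"subject matches worm list: {subject!r}")
    for name in names:
        if name.casefold() in _ATTACH_CF:
            reasons.append(f"attachment name matches worm list: {name!r}")
        elif DOUBLE_EXT.search(name):
            reasons.append(f"disguised executable (double extension): {name!r}")
        elif EXEC_EXT.search(name):
            reasons.append(f"executable attachment type: {name!r}")
    return {"subject": subject, "attachments": names, "reasons": reasons}


def _build(subject: str, filename: Optional[str], payload: bytes = b"") -> bytes:
    """Build a constructed sample message (test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content("see attached")
    if filename:
        m.add_attachment(payload, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


SAMPLE_WORM = _build("Fw: DSC-00465.jpg", "DSC-00465.pIf", b"MZ")      # listed indicators
SAMPLE_DISGUISED = _build("quarterly figures", "report,zip.Scr", b"MZ")  # unlisted, same trick
SAMPLE_CLEAN = _build("quarterly figures", "report.pdf", b"%PDF-1.4")

if __name__ == "__main__":
    for raw in (SAMPLE_WORM, SAMPLE_DISGUISED, SAMPLE_CLEAN):
        r = classify(raw)
        print(r["subject"], "->", r["reasons"] or ["clean"])
```

Matching on the listed names alone would have been bypassed by the next variant's filenames, which is why the extension checks do most of the real work: the worm's own list already shows that a ".zip.sCR" or ",zip.scR" name is the reusable pattern, not any particular stem.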