[CS-FSLUG] New Win Virus
Don Parris
gnumathetes at gmail.com
Mon Jan 23 15:23:03 CST 2006
For those who still keep Windows around, here's a heads-up:
Date: 1/23/06
Name of Virus: Symantec calls it W32.Blackmal.E@mm,
Trend Micro calls it WORM_GREW.A,
Sophos calls it W32/Nyxem-D
Other Information:
Malware type: Worm
Aliases: W32.Blackmal.E@mm, W32/Kapser.A@mm, W32/MyWife.d@MM, Win32/Blackmal.F
In the wild: Yes
Destructive: Yes
Language: English
Platform: Windows 98, ME, NT, 2000, XP, 2003 Server
Encrypted: Yes
Overall risk rating: Low
________________________________________
Reported infections: Low
Damage potential: High
Distribution potential: High
Propagates via email
Propagates via network shares
Description:
This worm propagates by attaching copies of itself to email messages
that it sends to target addresses, using its own Simple Mail Transfer
Protocol (SMTP) engine. It can then send email messages without using
mailing applications, such as Microsoft Outlook.
The email message it sends out has the following details:
Subject: (any of the following)
• *Hot Movie*
• A Great Video
• Arab sex DSC-00465.jpg
• eBook.pdf
• Fw: DSC-00465.jpg
• Fw: Funny :)
• Fw: Picturs
• Fw: Real show
• Fw: SeX.mpg
• Fw: Sexy
• Fwd: Crazy illegal Sex!
• Fwd: image.jpg
• Fwd: Photo
• give me a kiss
• Miss Lebanon 2006
• My photos
• Part 1 of 6 Video clipe
• Photos
• School girl fantasies gone bad
Attachment: (any of the following)
• 007.pif
• 392315089702606E-02,.scR
• 677.pif
• Adults_9,zip.sCR
• ATT01.zip.sCR
• Attachments[001],B64.sCr
• Clipe,zip.sCr
• document.pif
• DSC-00465.Pif
• DSC-00465.pIf
• eBook.PIF
• image04.pif
• New Video,zip
• New_Document_file.pif
• photo.pif
• Photos,zip.sCR
• School.pif
• SeX,zip.scR
• Sex.mim
• Video_part.mim
• WinZip,zip.scR
• WinZip.BHX
• WinZip.zip.sCR
• Word XP.zip.sCR
• Word.zip.sCR
It gathers email addresses from files with certain extensions, such as
DOC, PSD, RAR, and ZIP.
It also propagates through network shares. It does the said routine by
searching the network for ADMIN$ and C$ shares, where it drops a copy
of itself using the file name WINZIP_TMP.EXE.
Upon execution, it drops and opens a non-malicious .ZIP archive named
SAMPLE.ZIP in the Windows system folder.
Moreover, this worm deletes autostart registry entries, as well as
associated files of several programs, most of which are related to
security and antivirus applications. The said routines may cause
referenced programs to malfunction, effectively making the affected
system more vulnerable to further attacks.
In addition, it is capable of disabling the mouse and keyboard of the
affected system.
It also creates a scheduled task using Windows Task on Windows NT,
2000, XP, and Server 2003 to execute itself on the 59th minute after
it was dropped.
On Windows 2000, XP, and Server 2003, it drops a copy of itself in the
All Users Startup folder.
Enjoy!
Don
--
DC Parris GNU Evangelist
http://matheteuo.org/
gnumathetes at gmail.com
"Hey man, whatever pickles your list!"
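The subject and attachment lists in the forwarded advisory are usable as mail-gateway indicators. The script below is an added example, not part of Don's post or of any vendor's tooling: it parses an RFC 822 message, matches the subject and attachment names against the advisory's lists case-insensitively (the advisory shows mixed case such as ".sCR" and ".Pif"), and separately flags any attachment whose real (last) extension is .pif or .scr, which Windows executes, or .mim/.bhx, which are MIME and BinHex wrappers that decode to an executable. The sample message is constructed with a dummy payload; the function names and the reason strings are this example's own.

```python
"""Mail-gateway triage against the Nyxem/Blackmal indicators listed above.
Added example; the indicator lists are transcribed from the advisory, the
classification logic and sample message are constructed here."""
from email import message_from_string, policy
from email.message import EmailMessage

# Subjects and attachment names from the advisory, compared case-insensitively.
KNOWN_SUBJECTS = {s.lower() for s in (
    "*Hot Movie*", "A Great Video", "Arab sex DSC-00465.jpg", "eBook.pdf",
    "Fw: DSC-00465.jpg", "Fw: Funny :)", "Fw: Picturs", "Fw: Real show",
    "Fw: SeX.mpg", "Fw: Sexy", "Fwd: Crazy illegal Sex!", "Fwd: image.jpg",
    "Fwd: Photo", "give me a kiss", "Miss Lebanon 2006", "My photos",
    "Part 1 of 6 Video clipe", "Photos", "School girl fantasies gone bad",
)}
KNOWN_ATTACHMENTS = {a.lower() for a in (
    "007.pif", "392315089702606E-02,.scR", "677.pif", "Adults_9,zip.sCR",
    "ATT01.zip.sCR", "Attachments[001],B64.sCr", "Clipe,zip.sCr", "document.pif",
    "DSC-00465.Pif", "eBook.PIF", "image04.pif", "New Video,zip",
    "New_Document_file.pif", "photo.pif", "Photos,zip.sCR", "School.pif",
    "SeX,zip.scR", "Sex.mim", "Video_part.mim", "WinZip,zip.scR", "WinZip.BHX",
    "WinZip.zip.sCR", "Word XP.zip.sCR", "Word.zip.sCR",
)}
# Only the last extension matters to Windows: "Photos,zip.sCR" is a screensaver
# executable, not an archive. .mim/.bhx are encoded wrappers around a binary.
EXECUTABLE_EXTS = {"pif", "scr"}
ENCODED_WRAPPER_EXTS = {"mim", "bhx"}


def attachment_risk(filename):
    """Classify an attachment by its real (last) extension, or None if unremarkable."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in ENCODED_WRAPPER_EXTS:
        return "encoded-wrapper"
    return None


def triage(raw_message):
    """Return a list of reasons to quarantine the message; empty means no match."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"known-subject:{subject}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() in KNOWN_ATTACHMENTS:
            reasons.append(f"known-attachment:{name}")
        risk = attachment_risk(name)
        if risk:
            reasons.append(f"{risk}:{name}")
    return reasons


def build_sample(subject, attachment_name):
    """Constructed test message (not a real capture) carrying a dummy attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("see attached")
    msg.add_attachment(b"constructed placeholder, not a payload",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    print(triage(build_sample("Fw: Picturs", "Photos,zip.sCR")))
    print(triage(build_sample("Meeting notes", "notes.pdf")))
```

The extension check is the part worth keeping after the specific indicator lists go stale: a gateway that blocks .pif and .scr attachments outright, whatever the rest of the name says, covers every attachment in the advisory except the two .mim/.bhx wrappers and the bare "New Video,zip" name.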
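The advisory also names host-side artifacts: WINZIP_TMP.EXE dropped at the root of ADMIN$ and C$ shares, a decoy SAMPLE.ZIP in the Windows system folder, and a copy of the worm in the All Users Startup folder. The following is an added example, not from the post or any vendor, of an offline sweep over a Windows volume mounted on a Linux box (a disk image or an SMB mount of C$), which is the natural vantage point for a list like this one. The folder paths are assumptions for a default Windows 2000/XP layout, since the advisory names only the files and folders, not full paths; the sample volume is constructed in a temporary directory; and the scheduled task the advisory mentions is not checked here because that requires parsing Task Scheduler job files. Lookups are case-insensitive because NTFS is, while a Linux mount of it is not.

```python
"""Offline sweep of a mounted Windows volume for the host artifacts described
in the advisory above. Added example; paths are assumed, not taken from the
advisory, and the sample volume is constructed."""
from pathlib import Path
import tempfile

# File the worm drops at the root of ADMIN$ / C$ shares (named in the advisory).
DROPPED_AT_SHARE_ROOT = "winzip_tmp.exe"
# Assumed system-folder locations for Windows 2000/XP/2003 and NT respectively.
SYSTEM_FOLDER_CANDIDATES = ("windows/system32", "winnt/system32", "windows/system")
DECOY_ARCHIVE = "sample.zip"
# Assumed All Users Startup path for a default Windows 2000/XP/2003 install.
ALL_USERS_STARTUP = "documents and settings/all users/start menu/programs/startup"
# Heuristic: legitimate Startup entries are .lnk shortcuts, so a bare executable
# sitting there is worth a look.
AUTOSTART_EXTS = {".exe", ".pif", ".scr"}


def _ci_child(parent, name):
    """Case-insensitive lookup of a single path component under `parent`."""
    if parent is None or not parent.is_dir():
        return None
    for child in parent.iterdir():
        if child.name.lower() == name.lower():
            return child
    return None


def _ci_path(root, relative):
    """Resolve a slash-separated relative path case-insensitively, or None."""
    cur = root
    for piece in relative.split("/"):
        cur = _ci_child(cur, piece)
        if cur is None:
            return None
    return cur


def sweep(root):
    """Return sorted finding tags for the volume rooted at `root`."""
    root = Path(root)
    findings = []
    if _ci_child(root, DROPPED_AT_SHARE_ROOT) is not None:
        findings.append("share-root-dropper")
    for sysdir in SYSTEM_FOLDER_CANDIDATES:
        folder = _ci_path(root, sysdir)
        if folder is not None and _ci_child(folder, DECOY_ARCHIVE) is not None:
            findings.append(f"decoy-archive:{sysdir}")
    startup = _ci_path(root, ALL_USERS_STARTUP)
    if startup is not None:
        for entry in startup.iterdir():
            if entry.is_file() and entry.suffix.lower() in AUTOSTART_EXTS:
                findings.append(f"all-users-startup:{entry.name}")
    return sorted(findings)


def build_sample_volume(infected=True):
    """Constructed fake volume in a temp dir; file contents are placeholders."""
    root = Path(tempfile.mkdtemp(prefix="fake-volume-"))
    sysdir = root / "WINDOWS" / "system32"
    sysdir.mkdir(parents=True)
    startup = root / "Documents and Settings" / "All Users" / "Start Menu" / "Programs" / "Startup"
    startup.mkdir(parents=True)
    (startup / "desktop.ini").write_text("[.ShellClassInfo]\n")  # normal, must not fire
    if infected:
        (root / "WINZIP_TMP.EXE").write_bytes(b"constructed placeholder")
        (sysdir / "SAMPLE.ZIP").write_bytes(b"constructed placeholder")
        # The advisory gives no name for the Startup copy; this one is invented.
        (startup / "Photo.pif").write_bytes(b"constructed placeholder")
    return root


if __name__ == "__main__":
    print(sweep(build_sample_volume()))
    print(sweep(build_sample_volume(infected=False)))
```

Run it against a read-only mount so the sweep cannot disturb timestamps, and treat the Startup-folder heuristic as a pointer for manual review rather than a verdict, since it will also flag any executable an administrator placed there deliberately.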