Type: Worm
Size: 98304 bytes
Systems Affected: Windows 2000, XP, NT, ...
Characteristics:
1) Uses its own SMTP engine to send infected email.
1-1) The email has the following characteristics:
From:
◊ esafe.virus@ealaddin.com
◊ support@symantec.com
◊ xxx@penis.com
◊ Assistant@software.com
◊ support@xnxx.com
◊ SexTutorial@swp.com
Subject:
◊ Thank you for registered
◊ Norton 360
◊ Sex Toturial
◊ Assistant 2007
◊ Sexy screen saver
◊ hug penis
Body:
◊ hi dear thank you for registration you must download and install this software
◊ response for request i agree a bout it downoad free software www.symantec.com
◊ this is the best book of sex tutorial download and read it
◊ +++ Assistant 2007+++
◊ this is very hot sex ! sex! sex! www.xnxx.com
◊ SEX! Sex!SEX! Sex!SEX! Sex!SEX! Sex!SEX! Sex!SEX! Sex!SEX! Sex!
Attachment:
◊ register.pif
◊ install.exe
◊ tutorial.pdf.pif
◊ messenger2007.exe
◊ SEX.scr
◊ sex.com.exe
2) Creates the following registry keys:
◊ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MDM32.exe = %System%\LSSASS.exe
◊ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WinKrnl32.cab.exe = %System%\WinKrn32.cab.exe
◊ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Update.exe = %System%\Update.exe
3) Creates the following files:
◊ %System%\LSSASS.exe
◊ %System%\WinKrn32.cab.exe
◊ %System%\Update.exe
◊ C:\register.pif
◊ C:\install.exe
◊ C:\tutorial.pdf.pif
◊ C:\messenger2007.exe
◊ C:\SEX.scr
◊ C:\sex.com.exe
4) Terminates the following processes:
| SHELLSPYINSTALL | SHN | SHOWBEHIND |
| SMC | SMS | SMSS32 |
| SOAP | SOFI | SPERM |
| SPF | SPHINX | SPOLER |
| SPOOLCV | SPOOLSV32 | SPYXX |
| SREXE | SRNG | SS3EDIT |
| SSGRATE | SSG_4104 | ST2 |
| START | STCLOADER | SUPFTRL |
| SUPPORT | SUPPORTER5 | SVC |
| SVCHOSTC | SVCHOSTS | SVSHOST |
| SWEEP95 | SWEEPNET.SWEEPSRV.SYS.SWNETSUP | SYMPROXYSVC |
| SYMTRAY | SYSEDIT | SYSTEM |
| SYSTEM32 | SYSUPD | TASKMG |
| TASKMO | TASKMON | TAUMON |
| TBSCAN | TC | TCA |
| TCM | TDS-3 | TDS2-NT |
| TEEKIDS | TFAK | TFAK5 |
| TGBOB | TITANIN | TITANINXP |
| TRACERT | TRICKLER | TRJSCAN |
| TRJSETUP | TROJANTRAP3 | TSADBOT |
| TVMD | TVTMD | UNDOBOOT |
| UPDAT | UPDATE | UPDATE |
| UPGRAD | UTPOST | VBCMSERV |
| VBCONS | VBUST | VBWIN9X |
| VBWINNTW | VCSETUP | VET32 |
| VET95 | vb6 | taskmgr |
| regedit | notepad | install |
| setup | MpfConsole | AmIrCiViL OSTRONET |
| OTFIX | OUTPOST | OUTPOST |
| OUTPOSTINSTALL | OUTPOSTPROINSTALL | PADMIN |
| PANIXK | PATCH | PAVCL |
| PAVPROXY | PAVSCHED | PAVW |
| PCFWALLICON | PCIP10117_0 | PCSCAN |
| PDSETUP | PERISCOPE | PERSFW |
| PERSWF | PF2 | PFWADMIN |
| PGMONITR | PINGSCAN | PLATIN |
| POP3TRAP | POPROXY | POPSCAN |
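
A mail-gateway check for the message traits listed in item 1, given here as an added example that is not part of the original description. It also flags any double-extension executable attachment, which generalises the listed names (tutorial.pdf.pif, sex.com.exe); the extension set, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from item 1 of the description (lower-cased for matching).
SENDERS = {"esafe.virus@ealaddin.com", "support@symantec.com", "xxx@penis.com",
           "assistant@software.com", "support@xnxx.com", "sextutorial@swp.com"}
SUBJECTS = {"thank you for registered", "norton 360", "sex toturial",
            "assistant 2007", "sexy screen saver", "hug penis"}
ATTACHMENTS = {"register.pif", "install.exe", "tutorial.pdf.pif",
               "messenger2007.exe", "sex.scr", "sex.com.exe"}
# Assumption (generalisation beyond the page): file types Windows runs directly.
EXECUTABLE_EXT = {"pif", "exe", "scr", "com"}


def match_reasons(raw: bytes) -> list[str]:
    """Return the reasons a raw e-mail matches the traits listed in item 1."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in SENDERS:
        reasons.append(f"listed sender: {sender}")
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject in SUBJECTS:
        reasons.append(f"known subject: {subject}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        pieces = name.split(".")
        if name in ATTACHMENTS:
            reasons.append(f"known attachment: {name}")
        elif len(pieces) > 2 and pieces[-1] in EXECUTABLE_EXT:
            reasons.append(f"double-extension executable: {name}")
        elif len(pieces) == 2 and pieces[-1] in EXECUTABLE_EXT:
            reasons.append(f"executable attachment: {name}")
    return reasons


def make_message(sender: str, subject: str, filename: str) -> bytes:
    """Build a constructed sample message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.test", subject
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(match_reasons(make_message("support@symantec.com", "Norton 360", "tutorial.pdf.pif")))
```

The From values include real vendor domains, so a sender or subject match alone is a weak signal; the attachment rules are the ones to act on.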