This worm spreads via the Internet as an attachment to infected messages and via open network resources.
It sends itself to email addresses harvested from the victim computer.
The worm itself is a PE EXE file written in Visual Basic, packed using UPX. The packed file is approximately 95KB in size, and the unpacked file is approximately 176KB in size.
Installation
Once launched, masking its main functionality, the worm creates and opens a ZIP archive in the Windows system directory. The ZIP archive has the name as the original executable file, e.g.
%System%\Sample.zip
When installing, the worm copies itself to the Windows root, system and start up directories under the following names:
%System%\New WinZip File.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe
%System%\WINZIP_TMP.EXE
%User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe
%Windir%\rundll16.exe
The worm then registers itself in the system registry, ensuring it will be launched each time Windows is rebooted on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="scanregw.exe /scan"
The worm also modifies the following registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"WebView"="0"
"ShowSuperHidden"="0"
Propagation via email
The worm harvests addresses from files with the following extensions:
dbx
eml
htm
imh
mbx
msf
msg
nws
oft
txt
vc
It also scans files if the names contain the following strings:
content
temporary
When sending infected messages, the worm attempts to establish a direct connection to the recipient's SMTP server.
Infected messages
Message subject:
*Hot Movie*
A Great Video
Arab sex DSC-00465.jpg
eBook.pdf
Fuckin Kama Sutra pics
Fw:
Fw: DSC-00465.jpg
Fw: Funny
Fw: Picturs
Fw: Real show
Fw: SeX.mpg
Fw: Sexy
Fwd: Crazy illegal Sex!
Fwd: image.jpg
Fwd: Photo
give me a kiss
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Photos
Re:
Re: Sex Video
School girl fantasies gone bad
The Best Videoclip Ever
You Must View This Videoclipe!
Message body:
----- forwarded message -----
>> forwarded message
forwarded message attached.
Fuckin Kama Sutra pics
hello, i send the file. Bye
Hot XXX Yahoo Groups
how are you? i send the details.
i attached the details. Thank you.
i just any one see my photos. It's Free
Note: forwarded message attached. You Must View This Videoclip!
Please see the file.
Re: Sex Video
ready to be FUCKED
The Best Videoclip Ever
VIDEOS! FREE! (US$ 0,00)
What?
Attachment name:
007.pif
04.pif
3.92315089702606E02.UUE
677.pif
Attachments[001].B64
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.PIF
eBook.Uu
image04.pif
New_Document_file.pif
Original Message.B64
photo.pif
School.pif
SeX.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu
Propagation via open network resources
The worm copies itself to the following network resources as Winzip_TMP.exe:
ADMIN$
C$
Other
If the worm detects any of the registry values listed below on the victim machine, it will delete them:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
APVXDWIN
avast!
AVG7_CC
AVG7_EMC
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
BearShare
defwatch
DownloadAccelerator
kaspersky
KAVPersonal50
McAfeeVirusScanService
NAV Agent
OfficeScanNT Monitor
PCCClient.exe
pccguide.exe
PCCIOMON.exe
PccPfw
Pop3trap.exe
rtvscn95
ScanInicio
SSDPSRV
TM Outbreak Agent
tmproxy
Vet Alert
VetTray
vptray
NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
CleanUp
MPFExe
MSKAGENTEXE
MSKDetectorExe
McVsRte
The worm also terminates active applications if the application name contains one of the following strings:
kaspersky
mcafee
norton
removal
scan
symantec
trend micro
virus
fix
It will delete all files from the following folders:
%ProgramFiles%\DAP\*.dll
%ProgramFiles%\BearShare\*.dll
%ProgramFiles%\Symantec\LiveUpdate\*.*
%ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
%ProgramFiles%\Norton AntiVirus\*.exe
%ProgramFiles%\Alwil Software\Avast4\*.exe
%ProgramFiles%\McAfee.com\VSO\*.exe
%ProgramFiles%\McAfee.com\Agent\*.*
%ProgramFiles%\McAfee.com\shared\*.*
%ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
%ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
%ProgramFiles%\Trend Micro\Internet Security\*.exe
%ProgramFiles%\NavNT\*.exe
%ProgramFiles%\Morpheus\*.dll
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
%ProgramFiles%\Grisoft\AVG7\*.dll
%ProgramFiles%\TREND MICRO\OfficeScan\*.dll
%ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
%ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar
All of this actions make the victim machine more vulnerable to subsequent attacks.
It may also download updates to itself via the Internet, without the knowledge or consent of the user.
It will also block the mouse and the keyboard.
On the 3rd of each month, 30 minutes after the victim computer is rebooted, the worm will rewrite files with the following extensions:
.doc
.xls
.mdb
.mde
.ppt
.pps
.zip
.rar
.pdf
.psd
.dmp
Files corrupted by the worm contain the following text:
DATA Error [47 0F 94 93 F4 F5] Removal instructions
Reboot your computer in Safe Mode - press and hold F8 while the machine is rebooting and choose Safe Mode from the menu when it appears.
In Task Manager, terminate any process with one of the following names:
rundll16.exe
scanregw.exe
Update.exe
Winzip.exe
WINZIP_TMP.EXE
New WinZip File.exe
WinZip Quick Pick.exe
Manually delete the following files from the Windows root and system directories, and the system registry:
%Windir%\rundll16.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe
%System%\WINZIP_TMP.EXE
%System%\New WinZip File.exe
%User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe
Delete the following value from the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry" = "scanregw.exe /scan"
Reboot your computer and check you have deleted all infected messages from all mail folders.
If any applications have been damanged (in most cases this will be antivirus solutions and firewall programs) you will need to re-install them.
Perform a full scan of your computer (download a trial version of Kaspersky Anti-Virus) AT HERE
http://www.viruslist.com/en/viruses/...virusid=109064