Win32.Yahaa.J@mm (W32.Yaha.J@mm (NAV))

SYMPTOMS:
- Files msnmsg32.exe, winReg.exe and nav32.exe in the System directory (usually c:\windows\system on Windows 95/98/ME, c:\winnt\system32 on Windows NT/2000, c:\windows\system32 on Windows XP)
- In the Windows directory, some of the following files are present:
  - bestfriend.scr
  - mAtRiX.scr
  - EvilDaemon.scr
  - Love.scr
  - Escort.scr
  - NeverMind.scr
  - HotShot.scr
  - Honey.scr
  - ScreenSaver.scr
  - LoverScreenSaver.scr

TECHNICAL DESCRIPTION:
This is an Internet worm which arrives as an attachment to an infected e-mail. The virus is written in Visual C++ 6.0 and the executable is packed with UPX 1.20.

The format of the infected e-mail is:

From: a fake sender

Subject: one of:
- Missing your best friend ?
- mAtRiX
- Wanna be a hacker ?
- Check this
- Help someone..
- Experience the smooooth music
- Still Dreaming..
- Pamela 4 U
- Friendship ScreenSaver
- Are you In Love
- Mission Impossible
- Good Luck
- Do you love your wife
- Happy Cristmas
- Leona and Ralph
- Dedicated to kYo-3
- So Sweet
- Happy Valentines Day
- Who is your best friend
- You are my best friend
- Are you in Love
- Horny Britney Spears Screensavers
- Devon Loves Bill Gates
- Pamela Anderson Screensavers
- Enjoy the fragrance of Love
- KOF Screensavers
- Electric Screensavers
- Accoustic Screensavers
- Hardcore Screensavers
- Sexy Screensavers
- Bill Gates
- Marcos D'Costa
- Sunrise Screensavers
- Valentine Screensaver
- Lover's Scnreensaver
- IBM Screensavers
- Microsoft Screensavers

Attachment: one of the files below, corresponding to the subject:
- bestfriend.scr
- mAtRiX.scr
- EvilDaemon.scr
- Love.scr
- Escort.scr
- NeverMind.scr
- HotShot.scr
- Honey.scr
- ScreenSaver.scr
- LoverScreenSaver.scr

The extension may be changed to a double extension (the second one is always .scr).

Body:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Enjoy this friendship Screen Saver and Check ur friends circle...
Send this screensaver from www.truefriends.net to everyone you consider a FRIEND, even if it means sending it back to the person who sent it to you. If it comes back to you, then you'll know you have a circle of friends.
* To remove yourself from this mailing list, point your browser to: http://truefriends.net/remove?freescreensaver
* Enter your email address in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "REMOVE" in the subject line.
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

When the user executes the attachment, the virus copies itself to the System directory under the names listed in the symptoms and sets the following registry values:

HKEY_CLASSES_ROOT\exefile\shell\open\command\(default)
with data: "%sysdir%\nav32.exe""%1"%*

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winReg
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\winReg
with data: "%sysdir%\winReg.exe"

The first registry value causes the worm to execute every time an executable is run from Explorer; the other registry values cause the virus to execute at every logon. The worm also attempts to terminate the processes of various antivirus and firewall products, so that its activity cannot be detected by monitoring.

It will kill any process whose name contains one of the following strings: ANTIVIR, APACHE.EXE, LOCKDOWNADVANCED, WEBSCANX, SAFEWEB, ICMON, CFINET, CFINET32, AVP.EXE, LOCKDOWN2000, AVP32, ZONEALARM, ALERTSVC, AMON.EXE, AVPCC.EXE, AVPM.EXE, ESAFE.EXE, PCCIOMON, PCCMAIN, POP3TRAP, WEBTRAP, AVCONSOL, AVSYNMGR, VSHWIN32, VSSTAT, NAVAPW32, NAVW32, NMAIN, LUALL, LUCOMSERVER, IAMAPP, ATRACK, MCAFEE, FRW.EXE, IAMSERV.EXE, NSCHED32, PCFWALLICON, SCAN32, TDS2-98, TDS2-NT, VETTRAY, VSECOMR, NISSERV, RESCUE32, SYMPROXYSVC, NISUM, NAVAPSVC, NAVLU32, NAVRUNR, NAVWNT, PVIEW95, F-STOPW, F-PROT95, PCCWIN98, IOMON98, FP-WIN, NVC95, NORTON.

After installing, it shows a fake error message: "Application initilisation error"

When the worm detects an active Internet connection, it tries to send e-mails in the format shown above.

The virus creates in the Windows directory a file named zEsT.txt with the content:
====================================================
r^0^x~X pR3$@Nt$ @Y3rH$.@ tHi$ i$ jU$t tH3 b3gInNiNg.. w3 ar3 tH3 gR3@t 1nD1@N$.. w3 k1cK pAk1 a$$..
====================================================

REMOVAL INSTRUCTIONS:
- Automatic removal: let BitDefender delete/disinfect the files found infected.
- Manual: restore the registry value HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) to contain the data ["%1" %*] (without the square brackets).

ANALYZED BY: Costin Ionescu, BitDefender Virus Researcher
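The following PowerShell script is an added example, not part of the original BitDefender description: it checks a host for the dropped files, the exefile open-command hijack and the winReg autostart values listed above, and with -Repair restores the exefile command value exactly as the manual cleanup step describes. It assumes a modern Windows layout (System32 under the Windows directory); on the older layouts named in the symptoms, adjust $sysDir and $winDir.

```powershell
# Added defender check for the Win32.Yaha.J@mm artifacts described on this page.
# Assumption: run as Administrator on Windows; paths resolved for the current install.
[CmdletBinding()]
param([switch]$Repair)   # -Repair restores HKCR\exefile\shell\open\command\(default) to "%1" %*

$sysDir   = [Environment]::SystemDirectory            # e.g. C:\Windows\System32
$winDir   = [Environment]::GetFolderPath('Windows')   # e.g. C:\Windows
$findings = @()

# 1. Executables the worm drops into the System directory
foreach ($name in 'msnmsg32.exe', 'winReg.exe', 'nav32.exe') {
    $p = Join-Path $sysDir $name
    if (Test-Path $p) { $findings += "dropped file: $p" }
}

# 2. Screensaver copies and the zEsT.txt marker written to the Windows directory
$wormFiles = 'bestfriend.scr', 'mAtRiX.scr', 'EvilDaemon.scr', 'Love.scr', 'Escort.scr',
             'NeverMind.scr', 'HotShot.scr', 'Honey.scr', 'ScreenSaver.scr',
             'LoverScreenSaver.scr', 'zEsT.txt'
foreach ($name in $wormFiles) {
    $p = Join-Path $winDir $name
    if (Test-Path $p) { $findings += "worm file: $p" }
}

# 3. exefile association hijack: a clean value is exactly "%1" %*
$cmdKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$cmd    = (Get-ItemProperty -Path $cmdKey -Name '(default)').'(default)'
if ($cmd -ne '"%1" %*') {
    $findings += "exefile open command is [$cmd], expected [`"%1`" %*]"
    if ($Repair) {
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value '"%1" %*'
        $findings += 'restored exefile open command (manual cleanup step)'
    }
}

# 4. Autostart values named winReg under Run and RunServices
foreach ($sub in 'Run', 'RunServices') {
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub"
    $v   = Get-ItemProperty -Path $key -Name 'winReg' -ErrorAction SilentlyContinue
    if ($v) { $findings += "autostart value ${key}\winReg = $($v.winReg)" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No Win32.Yaha.J@mm artifacts found.' }
```

Restoring the registry value while the worm's processes are still running does not remove the dropped files; treat a non-empty finding list as a prompt to run the automatic removal as well.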