Win32.Mydoom.Y@mm
SINTOMAS: - Presence of the next files in %WINDOWS% folder: services.exe - Presence of any the next registry keys or entries: [HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\"RPCserv\"] [HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\\Services\\NetBios Ext\\\"ImagePath\"=\"%WINDOWS%\\services.exe] [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\\"dflag22\"] [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\\"teee\"] [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\\"speed2\"] where %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems) %SYSTEM% points to \"System\" folder on Windows 9x systems and \"System32\" folder on WinNT systems. DESCRIPCIÓN TÉCNICA: The worm arrives via mail or as a link in an ICQ message It creates copies of itself in Kazaa shared folder It downloads a backdoor with stealth capabilities, identified as Backdoor.Surila.I Uses its own smtp engine to send itself, impersonating various Outlook versions. The mail format is as follows: [b]From:[/b] (spoofed) The worm keeps a big database of names and domains, and uses them to construct this field. the domain may be: @ziplink.net @yahoo.com @wwc.com @worldshare.net @worldcom.com @wanadoo.com @verizon.net @ultimanet.com @toad.net @tiscali.com @t-online.de @t-online.com @surfree.com @ricochet.com @rcn.com @pics.com @peoplepc.com @pathlink.com @palm.net @pacific.net.sg @netzero.net @netrox.net @netcenter.com @nccw.net @msn.com @madriver.com @macconnect.com @loa.com @juno.com @istep.com @ispwest.com @isp.com @iquest.net @infoave.net @inext.fr @ieway.com @hiwaay.net @highstream.net @globetrotter.net @globalbiz.net @gbronline.com @flex.com @fcc.net @fast.net @excite.com @ev1.net @eisa.com @eclipse.net @earthlink.net @dialupnet.com @cybernex.net @cox.net @core.com @compuserve.com @chello.com @ccpc.net @ccp.com @cayuse.net @canada.com @cais.com @cableone.net @att.net @aristotle.net @arczip.com @apci.net @aol.com @ameralinx.net @address.com @accessus.net @a1isp.net @1access.net @yahoo.co.uk @gmx.net @hotmail.com @mail.com [b]Subject:[/b] (one of the following) Re[2]:fun pictures Re:fun pictures FW:fun pictures Re[2]:COOL! Re:COOL! FW:COOL! Re[2]:cool Re:cool FW:cool Re[2]: FW: Cool LOOK! new photos 2 new photos hi, it\'s me it\'s me (no subject) that\'s me :-D my photos hello sweety :> remember me?.. FW: jenna\'s photos :) FW: new photos FW: 2 new photos FW: hi, it\'s me FW: it\'s me FW: (no subject) FW: that\'s me :-D FW: my photos FW: hello sweety :> FW: hi FW: remember me?.. [b]Body:[/b] (one of the follwing) -----Original Message----- From: Jeny K. Sent: Monday, September 13, 2004 8:57 PM To: Morpheus check my new photos miss you, jeny k -----Original Message----- From: Jena K. Sent: Monday, September 13, 2004 5:23 AM To: friends Check Out Archive.. So.. What Do You Think... Am I Hot? :) Waining For Your Answer Jena Key -----Original Message----- From: jenny k. Sent: Monday, September 13, 2004 10:23 AM To: My Tiger (e-mail) new fotos(archived) you asked jenny k -----Original Message----- From: jenna k. (e-mail) Sent: Monday, September 13, 2004 11:38 AM To: Cat my new fotos archived )) kiss, jenna k -----Original Message----- From: Jeny Sent: Monday, September 13, 2004 8:57 PM To: Neo see the photos in attached archive kiss you, jeny -----Original Message----- From: Jena Sent: Monday, September 13, 2004 5:23 AM To: friend Photos in archive.. So.. Am I Hot? :) Waining For Your Answer Jena -----Original Message----- From: Jenna Knukles Sent: Monday, September 13, 2004 9:05 AM To: Friends Group in self-extracting archive my photos Jenna :) -----Original Message----- From: jenna (e-mail) Sent: Monday, September 13, 2004 11:38 AM To: ma kittie my photos archived )) kiss, jenna -----Original Message----- From: Jeny K. Sent: Monday, September 13, 2004 8:57 PM To: Morpheus check out the new photos miss you, jeny k -----Original Message----- From: Jena K. Sent: Monday, September 13, 2004 5:23 AM To: friends So.. What Do You Think... Am I Hot? :) Waining For Your Answer Jena Key -----Original Message----- From: Jenna Knukles Sent: Monday, September 13, 2004 9:05 AM in archive my new fotos Jenna K :) -----Original Message----- From: jenny k. Sent: Monday, September 13, 2004 10:23 AM To: My Tiger (e-mail) new fotos you asked jenny k -----Original Message----- From: jenna k. (e-mail) Sent: Monday, September 13, 2004 11:38 AM To: Cat my new fotos zipped )) kiss, jenna k -----Original Message----- From: Jeny Sent: Monday, September 13, 2004 8:57 PM To: Neo see the photos kiss you, jeny -----Original Message----- From: Jena Sent: Monday, September 13, 2004 5:23 AM To: friend So.. Am I Hot? :) Waining For Your Answer Jena -----Original Message----- From: Jenna Knukles Sent: Monday, September 13, 2004 9:05 AM To: Friends Group in archive my photos Jenna :) -----Original Message----- From: jenny Sent: Monday, September 13, 2004 10:23 AM To: Mr.X (e-mail) photos you asked jenny -----Original Message----- From: jenna (e-mail) Sent: Monday, September 13, 2004 11:38 AM To: ma kittie my photos zipped )) kiss, jenna do you know this girl? do you know this people? do you know this ppl? Is it your photo? LOOK! my new photos with best wishes a lot of fun. Hello...Funny pic...hehehe I\'ve never seen this before. Look at that ! Look :) Hello! You\'ve got a postcard. To view this postcard, click on the attached file have you seen this before? Loool!! :-) fun pictures look at new photos fun flash game! fun flash! game! fun game! Print money at home! look at atach Additionally, the body may contain: +++ Attachment: No Virus found +++ %AV_PROD% where %AV_PROD% may be: Norton AntiVirus - www.symantec.de F-Secure AntiVirus - www.f-secure.com Norman AntiVirus - www.norman.com Panda AntiVirus - www.pandasoftware.com Kaspersky AntiVirus - www.kaspersky.com MC-Afee AntiVirus - www.mcafee.com Bitdefender AntiVirus - www.bitdefender.com MessageLabs AntiVirus - www.messagelabs.com [b]Attachment:[/b] (may be one of the following) my_photo.jpg .pif flowers.jpg .pif document.jpg .pif pic.jpg .pif photo.jpg .pif black.gif .pif DCP_0002.JPG .pif me_01.jpg .pif 2004042301.jpg .pif with_flowers.jpg .pif sunny.jpg .pif photo08.jpg .pif nude_.jpg .pif marie_dancing.jpg .pif julia038.jpg .pif arhive.zip new_pic.zip pic.zip new_photos.zip images.zip fotos.zip my_photos.zip myphotos.zip photos.zip myfoto.cpl photoarchive.cpl photofile.cpl arc.cpl my_foto.cpl fotos.cpl foto.cpl photo_se.cpl new_photos.cpl newphotos.cpl my_photos.cpl photos_arc.cpl myfoto.exe photos.selfextracting.exe photoarchive.exe photofile.exe arc.exe my_foto.exe fotos.exe foto.exe photos.exe.safe photo_se.exe new_photos.exe newphotos.exe myphotos_arc.exe my_photos.exe photos_arc.exe Once the virus is run, it does the following: 1. Creates the mutex \"ertglddfgd\" 2. Creates the aforementioned registry keys, to run at startup 3. May create some bat files and run them, eg kill.bat, qwe.bat 4. On Windows XP, it may modify the authorized firewall application list/policy 5. Overwrites the file %SYSTEM%\\drivers\\etc\\hosts in order to disable updates for various antivirus products 6. Attempts to terminate services: NETSKY navapsvc NProtectService Norton Antivirus Server VexiraAntivirus dvpinit dvpapi schscnt BackWeb Client - 7681197 F-Secure Gatekeeper Handler Starter FSMA AVPCC KAVMonitorService Norman NJeeves NVCScheduler nvcoas Norman ZANDA PASSRV SweepNet SWEEPSRV.SYS NOD32ControlCenter NOD32Service PCCPFW Tmntsrv AvxIni XCOMM ravmon8 SmcService BlackICE PersFW McAfee Firewall OutpostFirewall NWService NISUM NISSERV vsmon 7. Attempts to terminate the following processes: F-AGOBOT.EXE HIJACKTHIS.EXE _AVPM.EXE _AVPCC.EXE _AVP32.EXE ZONEALARM.EXE ZONALM2601.EXE ZATUTOR.EXE ZAPSETUP3001.EXE ZAPRO.EXE XPF202EN.EXE WYVERNWORKSFIREWALL.EXE WUPDT.EXE WUPDATER.EXE WRCTRL.EXE WRADMIN.EXE WNT.EXE WNAD.EXE WKUFIND.EXE WINUPDATE.EXE WINTSK32.EXE WINSTART001.EXE WINSTART.EXE WINSSK32.EXE WINRECON.EXE WINPPR32.EXE WINMAIN.EXE WINLOGIN.EXE WININITX.EXE WININIT.EXE WININETD.EXE WINDOWS.EXE WINDOW.EXE WINACTIVE.EXE WIN32US.EXE WIN32.EXE WIN-BUGSFIX.EXE WIMMUN32.EXE WHOSWATCHINGME.EXE WGFE95.EXE WFINDV32.EXE WEBTRAP.EXE WEBSCANX.EXE WEBDAV.EXE WATCHDOG.EXE W9X.EXE W32DSM89.EXE VSWINPERSE.EXE VSWINNTSE.EXE VSWIN9XE.EXE VSSTAT.EXE VSMON.EXE VSMAIN.EXE VSISETUP.EXE VSHWIN32.EXE VSECOMR.EXE VSCHED.EXE VSCENU6.02D30.EXE VSCAN40.EXE VPTRAY.EXE VPFW30S.EXE VPC42.EXE VPC32.EXE VNPC3000.EXE VNLAN300.EXE VIRUSMDPERSONALFIREWALL.EXE VIR-HELP.EXE VFSETUP.EXE VETTRAY.EXE VET95.EXE VET32.EXE VCSETUP.EXE VBWINNTW.EXE VBWIN9X.EXE VBUST.EXE VBCONS.EXE VBCMSERV.EXE UTPOST.EXE UPGRAD.EXE UPDAT.EXE UNDOBOOT.EXE TVTMD.EXE TVMD.EXE TSADBOT.EXE TROJANTRAP3.EXE TRJSETUP.EXE TRJSCAN.EXE TRICKLER.EXE TRACERT.EXE TITANINXP.EXE TITANIN.EXE TGBOB.EXE TFAK5.EXE TFAK.EXE TEEKIDS.EXE TDS2-NT.EXE TDS2-98.EXE TDS-3.EXE TCM.EXE TCA.EXE TC.EXE TBSCAN.EXE TAUMON.EXE TASKMON.EXE TASKMO.EXE SYSUPD.EXE SYSTEM32.EXE SYSTEM.EXE SYSEDIT.EXE SYMTRAY.EXE SYMPROXYSVC.EXE SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE SWEEP95.EXE SVCHOSTC.EXE SVC.EXE SUPPORTER5.EXE SUPPORT.EXE SUPFTRL.EXE STCLOADER.EXE START.EXE ST2.EXE SSG_4104.EXE SSGRATE.EXE SS3EDIT.EXE SRNG.EXE SREXE.EXE SPYXX.EXE SPOOLSV32.EXE SPOOLCV.EXE SPHINX.EXE SPF.EXE SPERM.EXE SOFI.EXE SOAP.EXE SMSS32.EXE SMS.EXE SMC.EXE SHOWBEHIND.EXE SHN.EXE SHELLSPYINSTALL.EXE SH.EXE SGSSFW32.EXE SFC.EXE SETUP_FLOWPROTECTOR_US.EXE SETUPVAMEEVAL.EXE SERVLCES.EXE SERVLCE.EXE SERV95.EXE SD.EXE SCRSVR.EXE SCRSCAN.EXE SCANPM.EXE SCAN95.EXE SCAN32.EXE SCAM32.EXE SC.EXE SBSERV.EXE SAVENOW.EXE SAVE.EXE SAHAGENT.EXE SAFEWEB.EXE RUXDLL32.EXE RUNDLL16.EXE RUNDLL.EXE RULAUNCH.EXE RTVSCN95.EXE RTVSCAN.EXE RSHELL.EXE RRGUARD.EXE RESCUE32.EXE RESCUE.EXE REGED.EXE REALMON.EXE RCSYNC.EXE RB32.EXE RAY.EXE RAV8WIN32ENG.EXE RAV7WIN.EXE RAV7.EXE RAPAPP.EXE QSERVER.EXE QCONSOLE.EXE PVIEW95.EXE PUSSY.EXE PURGE.EXE PSPF.EXE PROTECTX.EXE PROPORT.EXE PROGRAMAUDITOR.EXE PROCEXPLORERV1.0.EXE PROCESSMONITOR.EXE PROCDUMP.EXE PRMVR.EXE PRMT.EXE PRIZESURFER.EXE PPVSTOP.EXE PPTBC.EXE PPINUPDT.EXE POWERSCAN.EXE PORTMONITOR.EXE PORTDETECTIVE.EXE POPSCAN.EXE POPROXY.EXE POP3TRAP.EXE PLATIN.EXE PINGSCAN.EXE PGMONITR.EXE PFWADMIN.EXE PF2.EXE PERSWF.EXE PERSFW.EXE PERISCOPE.EXE PENIS.EXE PDSETUP.EXE PCSCAN.EXE PCIP10117_0.EXE PCFWALLICON.EXE PCDSETUP.EXE PCCWIN98.EXE PCCWIN97.EXE PCCNTMON.EXE PCCIOMON.EXE PCC2K_76_1436.EXE PCC2002S902.EXE PAVW.EXE PAVSCHED.EXE PAVPROXY.EXE PAVCL.EXE PATCH.EXE PANIXK.EXE PADMIN.EXE OUTPOSTPROINSTALL.EXE OUTPOSTINSTALL.EXE OTFIX.EXE OSTRONET.EXE OPTIMIZE.EXE ONSRVR.EXE OLLYDBG.EXE NWTOOL16.EXE NWSERVICE.EXE NWINST4.EXE NVC95.EXE NVARCH16.EXE NUI.EXE NTXconfig.EXE NTRTSCAN.EXE NT.EXE NSUPDATE.EXE NSTASK32.EXE NSSYS32.EXE NSCHED32.EXE NPSSVC.EXE NPSCHECK.EXE NPROTECT.EXE NPFMESSENGER.EXE NPF40_TW_98_NT_ME_2K.EXE NOTSTART.EXE NORTON_INTERNET_SECU_3.0_407.EXE NORMIST.EXE NOD32.EXE NMAIN.EXE NISUM.EXE NISSERV.EXE NETUTILS.EXE NETSPYHUNTER-1.2.EXE NETSCANPRO.EXE NETMON.EXE NETINFO.EXE NETD32.EXE NETARMOR.EXE NEOWATCHLOG.EXE NEOMONITOR.EXE NDD32.EXE NCINST4.EXE NC2000.EXE NAVWNT.EXE NAVW32.EXE NAVSTUB.EXE NAVNT.EXE NAVLU32.EXE NAVENGNAVEX15.NAVLU32.EXE NAVDX.EXE NAVAPW32.EXE NAVAPSVC.EXE NAVAP.NAVAPSVC.EXE AUTO-PROTECT.NAV80TRY.EXE NAV.EXE N32SCANW.EXE MWATCH.EXE MU0311AD.EXE MSVXD.EXE MSSYS.EXE MSSMMC32.EXE MSMSGRI32.EXE MSMGT.EXE MSLAUGH.EXE MSINFO32.EXE MSIEXEC16.EXE MSDOS.EXE MSDM.EXE MSCONFIG.EXE MSCMAN.EXE MSCCN32.EXE MSCACHE.EXE MSBLAST.EXE MSBB.EXE MSAPP.EXE MRFLUX.EXE MPFTRAY.EXE MPFSERVICE.EXE MPFAGENT.EXE MOSTAT.EXE MOOLIVE.EXE MONITOR.EXE MMOD.EXE MINILOG.EXE MGUI.EXE MGHTML.EXE MGAVRTE.EXE MGAVRTCL.EXE MFWENG3.02D30.EXE MFW2EN.EXE MFIN32.EXE MD.EXE MCVSSHLD.EXE MCVSRTE.EXE MCTOOL.EXE MCSHIELD.EXE MCMNHDLR.EXE MCAGENT.EXE MAPISVC32.EXE LUSPT.EXE LUINIT.EXE LUCOMSERVER.EXE LUAU.EXE LSETUP.EXE LORDPE.EXE LOOKOUT.EXE LOCKDOWN2000.EXE LOCKDOWN.EXE LOCALNET.EXE LOADER.EXE LNETINFO.EXE LDSCAN.EXE LDPROMENU.EXE LDPRO.EXE LDNETMON.EXE LAUNCHER.EXE KILLPROCESSSETUP161.EXE KERNEL32.EXE KERIO-WRP-421-EN-WIN.EXE KERIO-WRL-421-EN-WIN.EXE KERIO-PF-213-EN-WIN.EXE KEENVALUE.EXE KAVPF.EXE KAVPERS40ENG.EXE KAVLITE40ENG.EXE JEDI.EXE JDBGMRG.EXE JAMMER.EXE ISTSVC.EXE ISRV95.EXE ISASS.EXE IRIS.EXE IPARMOR.EXE IOMON98.EXE INTREN.EXE INTDEL.EXE INIT.EXE INFWIN.EXE INFUS.EXE INETLNFO.EXE IFW2000.EXE IFACE.EXE IEDRIVER.EXE IEDLL.EXE IDLE.EXE ICSUPPNT.EXE ICMON.EXE ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSTATS.EXE IAMSERV.EXE IAMAPP.EXE HXIUL.EXE HXDL.EXE HWPE.EXE HTPATCH.EXE HTLOG.EXE HOTPATCH.EXE HOTACTIO.EXE HBSRV.EXE HBINST.EXE HACKTRACERSETUP.EXE GUARDDOG.EXE GUARD.EXE GMT.EXE GENERICS.EXE GBPOLL.EXE GBMENU.EXE GATOR.EXE FSMB32.EXE FSMA32.EXE FSM32.EXE FSGK32.EXE FSAV95.EXE FSAV530WTBYB.EXE FSAV530STBYB.EXE FSAV32.EXE FSAV.EXE FSAA.EXE FRW.EXE FPROT.EXE FP-WIN_TRIAL.EXE FP-WIN.EXE FNRB32.EXE FLOWPROTECTOR.EXE FIREWALL.EXE FINDVIRU.EXE FIH32.EXE FCH32.EXE FAST.EXE FAMEH32.EXE F-STOPW.EXE F-PROT95.EXE F-PROT.EXE F-AGNT95.EXE EXPLORE.EXE EXPERT.EXE EXE.AVXW.EXE EXANTIVIRUS-CNET.EXE EVPN.EXE ETRUSTCIPE.EXE ETHEREAL.EXE ESPWATCH.EXE ESCANV95.EXE ESCANHNT.EXE ESCANH95.EXE ESAFE.EXE ENT.EXE EMSW.EXE EFPEADM.EXE ECENGINE.EXE DVP95_0.EXE DVP95.EXE DSSAGENT.EXE DRWEB32.EXE DRWATSON.EXE DPPS2.EXE DPFSETUP.EXE DPF.EXE DOORS.EXE DLLREG.EXE DLLCACHE.EXE DEPUTY.EXE DEFWATCH.EXE DEFSCANGUI.EXE DEFALERT.EXE DCOMX.EXE DATEMANAGER.EXE Claw95.EXE CWNTDWMO.EXE CWNB181.EXE CV.EXE CTRL.EXE CPFNT206.EXE CPF9X206.EXE CPD.EXE CONNECTIONMONITOR.EXE CMON016.EXE CMGRDIAN.EXE CMESYS.EXE CMD32.EXE CLICK.EXE CLEANPC.EXE CLEANER3.EXE CLEANER.EXE CLEAN.EXE CLAW95CF.EXE CFINET32.EXE CFINET.EXE CFIADMIN.EXE CFGWIZ.EXE CFD.EXE CDP.EXE CCPXYSVC.EXE CCEVTMGR.EXE CCAPP.EXE BVT.EXE BUNDLE.EXE BS120.EXE BRASIL.EXE BPC.EXE BORG2.EXE BOOTWARN.EXE BOOTCONF.EXE BLSS.EXE BLACKICE.EXE BLACKD.EXE BISP.EXE BIPCPEVALSETUP.EXE BIPCP.EXE BIDSERVER.EXE BIDEF.EXE BELT.EXE BD_PROFESSIONAL.EXE BARGAINS.EXE BACKWEB.EXE AVXMONITORNT.EXE AVXMONITOR9X.EXE AVWUPSRV.EXE AVWUPD.EXE AVWINNT.EXE AVWIN95.EXE AVSYNMGR.EXE AVSCHED32.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVLTMAIN.EXE AVKWCTl9.EXE AVKSERVICE.EXE AVKSERV.EXE AVKPOP.EXE AVGW.EXE AVGUARD.EXE AVGSERV9.EXE AVGSERV.EXE AVGNT.EXE AVGCTRL.EXE AVGCC32.EXE AVE32.EXE AVCONSOL.EXE AU.EXE ATWATCH.EXE ATRO55EN.EXE ATGUARD.EXE ATCON.EXE ARR.EXE APVXDWIN.EXE APLICA32.EXE APIMONITOR.EXE ANTS.EXE ANTIVIRUS.EXE ANTI-TROJAN.EXE AMON9X.EXE ALOGSERV.EXE ALEVIR.EXE ALERTSVC.EXE AGENTW.EXE AGENTSVR.EXE ADVXDWIN.EXE ADAWARE.EXE ACKWIN32.EXE BEAGLE.EXE d3dupdate.exe sysxp.exe winxp.exe ssgrate.exe jammer2nd.exe fvprotect.exe hxdef.exe VisualGuard.exe GfxAcc.exe RAVMOND.exe Systra.exe MCUPDATE.EXE CFIAUDIT.EXE AVXQUAR.EXE AUTOUPDATE.EXE AUTOTRACE.EXE AUTODOWN.EXE AUPDATE.EXE NUPGRADE.EXE UPDATE.EXE ICSUPP95.EXE ICSSUPPNT.EXE DRWEBUPW.EXE LUALL.EXE AVPUPD.EXE AVWUPD32.EXE ATUPDATER.EXE wuamga.exe taskmanagr.exe wuamgrd.exe wowpos32.exe dailin.exe rasmngr.exe msssss.exe backdoor.rbot.gen_(17).exe backdoor.rbot.gen.exe b055262c.dll RB.EXE IAOIN.EXE OUTPOST.EXE 8. Verifies if the computer is connected to internet by quering InternetGetConnectedState or checking gooogle.com 9. Downloads a backdoor from one of these addresses: http://www.masteratwork.com/heyyo/??????/00000008.cgi http://www.professionals-active.com/??????/click.dat http://www.il-legno.it/???????/postmsg.gif http://www.mercyships.de/html/content/guestbook/????/data2.dat http://www.llc.unibo.it/claroline142/?????????/index.gif http://www.scionicmusic.com/??????/cover_v3.jpg http://64.40.98.94/??????/images/apache.gif 10. May copy itself in Kazza shared folder as: dap53 crack.exe iMeshV4 crack.exe icqpro2003b crack.exe wrar330 crack.exe WinZip 9.0 crack.exe dap71.exe trillian-v2.74h.exe wrar330.exe LimeWireWin.exe Morpheus.exe zlsSetup_45_538_001.exe icqpro2003b.exe iMeshV4.exe WinZip 9.0.exe icqlite.exe kmd.exe trillian 2.0 crack.exe dap53.exe dvdplayer.exe opera7.x crack.exe crazzygirls.scr childporno.pif opera7.7.exe winamp6.exe eroticgirls2.0.exe tropicallagoonss.scr nicegirlsshowv12.scr icq2004-final.exe winamp5.exe 1.exe mymusic.pif rulezzz.scr matrix.scr newvirus.exe mylove.pif antibush.scr icqcrack.exe myfack.pif hello.pif pinguin5.exe you the best.scr fantasy.scr coolgame.zip .exe mynewphoto.zip .exe mult.exe 11. May send itself to ICQ\'s contacts of the victim as a message: funn http://64.40.98.94/????/game.exe :-):-):-) http://64.40.98.94/????/game.exe :-):-) http://64.40.98.94/????/game.exe funny :-) http://65.110.51.150/????/game.exe best game http://65.110.51.150/????/game.exe http://65.110.51.150/????/game.exe LOL!! http://www.llc.unibo.it/????????????/photo.exe i cried :-) http://www.llc.unibo.it/????????????/photo.exe lol :-):-) my photos (archived) http://www.llc.unibo.it/????????????/photo.exe i now play in game http://www.scionicmusic.com/???/game.exe :-):-) funy game http://www.scionicmusic.com/???/game.exe fun game http://www.scionicmusic.com/???/game.exe :-):-):-) 12. Searches in various locations on the disk (eg: My Documents, Temporary Internet Files) for e-mail addresses matching files with extension: wab, xls, uin, txt, tbb, stm, sht, php, msg, mht, mbx, jsp, htm, eml, dht, dbx, cgi, cfg, asp but avoiding e-mail addresses containing: gold-certs feste submit help service privacy somebody contact site someone anyone nothing nobody noreply noone webmaster news rating postmaster samples info root upport abuse accoun certific listserv ntivi admin icq.com mozilla utgers.ed tanford.e acketst secur isc.o isi.e ripe. arin. sendmail rfc-ed ietf iana usenet fido kernel ibm.com fsf. mit.e math berkeley support messagelabs antivi kasp linux unix spam @iana @foo. .mil gov. .gov icrosoft ruslis nodomai mydomai example inpris borlan sopho panda icrosof syman avp. 13. Sends itself in the e-mail format described above, using it\'s own smtp engine. INSTRUCCIONES DE LIMPIEZA: - automatic removal: let BitDefender delete/disinfect files found infected. ANALIZADO POR: Patrik Vicol BitDefender Virus Researcher |