Details:
Arrival Details
This worm may be downloaded from remote site(s) by other malware.
It may be downloaded unknowingly by a user when visiting malicious Web site(s).
It arrives via removable drives.
Installation
This worm drops the following copy(ies) of itself:
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. )
It sets the attributes of its dropped file(s) to the following:
It injects codes into the following process(es):
Autostart Techniques
This worm creates the following registry entry(ies) to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe
Debugger = "MsCjClient.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
conime.exe = "conime.exe"
Other System Modifications
This worm modifies the following registry entry(ies) to disable Automatic Windows Update:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
Start = "4"
(Note: The default value data for the said registry entry is 2.)
It modifies the following registry entry(ies) to disable Security Center functions:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusOverride = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
FirewallOverride = "1"
(Note: The default value data for each of the said registry entries is 0.)
It creates the following registry entry to automatically exclude itself from DEP (data execution prevention):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
{malware path and filename} = "DisableNXShowUI"
It creates the following registry key(s)/entry(ies) as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = "2"
It creates the following registry entry to disable Microsoft Windows Malicious Software Removal Tool:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
DontReportInfectionInformation = "1"
It creates the following registry entries to include itself in the trusted applications list of Windows Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
{malware path and filename} = "{malware path and filename}:*:Enabled:LAN Router"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
{malware path and filename} = "{malware path and filename}:*:Enabled:LAN Router"
It creates the following registry entries to disable System Restore:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig = "1"
It adds the following key(s) as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe
It deletes the following registry key(s) to prevent the system from booting into Safe Mode:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
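The autostart and system-modification entries above are all things a responder can check from a registry export taken off the affected machine. The following script is an added example, not Trend Micro code: it parses .reg text and reports which of the page's entries are present (the IFEO Debugger hijack of conime.exe, the Run key, the wscsvc Start value, the Security Center overrides, the AppCompat DEP exclusion, the System Restore policies, the missing SafeBoot keys and the Windows Firewall allow rules). Both export excerpts are constructed, and C:\PLACEHOLDER\worm.exe stands in for the page's {malware path and filename}.

```python
r"""Triage a Windows registry export (.reg text) for the autostart and
defence-evasion entries this page describes. Added example, not Trend Micro
code: both exports are constructed, and C:\PLACEHOLDER\worm.exe stands in
for the page's {malware path and filename}."""
import re
# Constructed HKLM export excerpt from a host showing the page's entries.
INFECTED_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe]
"Debugger"="MsCjClient.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"conime.exe"="conime.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\\PLACEHOLDER\\worm.exe"="DisableNXShowUI"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\PLACEHOLDER\\worm.exe"="C:\\PLACEHOLDER\\worm.exe:*:Enabled:LAN Router"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
"""
# Constructed excerpt from a clean host: defaults in place, SafeBoot subkeys present.
CLEAN_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
"""
HKLM = "hkey_local_machine"
IFEO = HKLM + r"\software\microsoft\windows nt\currentversion\image file execution options\conime.exe"
RUN = HKLM + r"\software\microsoft\windows\currentversion\run"
LAYERS = HKLM + r"\software\microsoft\windows nt\currentversion\appcompatflags\layers"
SAFEBOOT = HKLM + r"\system\currentcontrolset\control\safeboot"
SECCENTER = HKLM + r"\software\microsoft\security center"
FLAGGED = [  # (key, value name, data that indicates tampering, finding text)
    (HKLM + r"\system\currentcontrolset\services\wscsvc", "start", 4, "wscsvc Start=4 (page gives default 2)"),
    (SECCENTER, "antivirusdisablenotify", 1, "Security Center AntiVirusDisableNotify=1"),
    (SECCENTER, "antivirusoverride", 1, "Security Center AntiVirusOverride=1"),
    (SECCENTER, "firewalldisablenotify", 1, "Security Center FirewallDisableNotify=1"),
    (SECCENTER, "firewalloverride", 1, "Security Center FirewallOverride=1"),
    (HKLM + r"\software\policies\microsoft\mrt", "dontreportinfectioninformation", 1, "MRT reporting disabled"),
    (HKLM + r"\software\microsoft\windows nt\currentversion\systemrestore", "disablesr", 1, "System Restore disabled"),
    (HKLM + r"\software\policies\microsoft\windows nt\systemrestore", "disableconfig", 1, "System Restore config locked"),
]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg_export(text: str) -> dict:
    """Minimal .reg parser: [key] headers, then "name"="string" / "name"=dword:X lines; names lower-cased."""
    reg: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = m.group(1).replace("\\\\", "\\").lower()
        rhs = m.group(2)
        reg[current][name] = (int(rhs[6:], 16) if rhs.startswith("dword:")
                              else rhs.strip('"').replace("\\\\", "\\"))
    return reg

def triage(reg: dict) -> list:
    """One finding per page-listed entry present in the export."""
    f: list = []
    dbg = reg.get(IFEO, {}).get("debugger")
    if dbg:
        f.append(f"IFEO hijack: starting conime.exe runs {dbg!r} instead")
    if "conime.exe" in reg.get(RUN, {}):
        f.append("Run key autostart entry: conime.exe")
    f += [text for key, name, bad, text in FLAGGED if reg.get(key, {}).get(name) == bad]
    f += [f"DEP exclusion (AppCompat layer) for {p}" for p, layer in reg.get(LAYERS, {}).items()
          if "disablenxshowui" in str(layer).lower()]
    if SAFEBOOT in reg:  # judge SafeBoot only when the parent key was exported at all
        f += [f"SafeBoot\\{sub} key missing: Safe Mode cannot boot"
              for sub in ("minimal", "network") if SAFEBOOT + "\\" + sub not in reg]
    for key, values in reg.items():
        if key.endswith(r"\authorizedapplications\list"):
            f += [f"Windows Firewall allow rule for {p}" for p, rule in values.items()
                  if str(rule).lower().endswith(":*:enabled:lan router")]
    return f

if __name__ == "__main__":
    for line in triage(parse_reg_export(INFECTED_REG)):
        print("[!]", line)
```

Feed it the text of a `reg export HKLM` taken from the affected host; the SafeBoot check deliberately stays silent unless the parent SafeBoot key was part of the export, so a partial export does not produce false "key missing" findings.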
Propagation via Instant Messaging (IM) Applications
This worm sends messages to target recipients using the following instant messaging application(s):
Propagation via Physical/Removable/Floppy Drives
This worm creates the following folder(s) in all removable drives:
It drops the following copy(ies) of itself in all removable drives:
It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.
The said .INF file contains the following strings:
[Autorun]
open=~temp\63643.exe
icon=%windir%\system32\SHELL32.dll,8
action=Open folder to view files using Windows Explorer
shell\open=Open
shell\open\command=~temp\63643.exe
shell\open\default=1
shell\explore=Explore
shell\explore\command=~temp\63643.exe
shell\search=Search...
shell\search\command=~temp\63643.exe
useautoplay=1
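An AUTORUN.INF like the one listed above is easy to assess programmatically, which is useful when a removable drive is collected during a response. The script below is an added example, not Trend Micro code: it parses the INF text with the standard library and reports each launch hook it wires up. The INF content is the page's own listing, supplied as constructed input.

```python
r"""Parse the AUTORUN.INF listed on this page and report the launch hooks it
sets up. Added example, not Trend Micro code; the INF text is the page's own
listing, reproduced here as constructed input."""
import configparser
from typing import Dict, List

# Raw string: the INF paths contain backslashes that must stay literal.
AUTORUN_INF = r"""[Autorun]
open=~temp\63643.exe
icon=%windir%\system32\SHELL32.dll,8
action=Open folder to view files using Windows Explorer
shell\open=Open
shell\open\command=~temp\63643.exe
shell\open\default=1
shell\explore=Explore
shell\explore\command=~temp\63643.exe
shell\search=Search...
shell\search\command=~temp\63643.exe
useautoplay=1
"""

def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [Autorun] section as a dict with lower-cased keys. Interpolation
    is off so %windir% is kept literally; the section name is matched case-insensitively."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=(";",), strict=False)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp[section])
    return {}

def launch_targets(text: str) -> Dict[str, str]:
    r"""Every key that names a program to run: 'open' plus each shell\<verb>\command."""
    return {k: v for k, v in parse_autorun(text).items()
            if k == "open" or (k.startswith("shell\\") and k.endswith("\\command"))}

def assess(text: str) -> List[str]:
    """Findings a triage analyst would note about this INF."""
    section = parse_autorun(text)
    targets = launch_targets(text)
    exes = sorted(set(targets.values()))
    findings: List[str] = []
    if targets:
        findings.append(f"{len(targets)} launch hooks, all running {exes}")
    # A drive-relative path (no drive letter, no leading backslash) points at a
    # folder carried on the removable drive itself.
    if any(not (t[1:3] == ":\\" or t.startswith("\\")) for t in exes):
        findings.append("target is a relative path into a folder on the drive itself")
    if "shell32.dll" in section.get("icon", "").lower():
        findings.append("drive icon borrowed from SHELL32.dll so the drive looks like a stock Windows item")
    if "open folder to view files" in section.get("action", "").lower():
        findings.append("action text mimics the stock AutoPlay 'Open folder to view files' prompt")
    if section.get("useautoplay") == "1":
        findings.append("useautoplay=1 (documented as requesting AutoPlay rather than AutoRun handling)")
    verbs = sorted(k.split("\\")[1] for k in targets if k.startswith("shell\\"))
    if verbs:
        findings.append(f"Explorer context-menu verbs {verbs} all redirected to the same file")
    return findings

if __name__ == "__main__":
    for line in assess(AUTORUN_INF):
        print("[!]", line)
```

The useful signal for detection is not any single key but the combination: every Explorer verb (open, explore, search) and the `open` entry resolve to the same executable in a drive-relative folder, while the icon and action text are chosen to look like the ordinary "open folder" prompt.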
Backdoor Capabilities
This worm connects to any of the following IRC server(s):
- ns58.{BLOCKED}port4you.net
It joins any of the following IRC channel(s):
It executes the following command(s) from a remote malicious user:
- Connect to other IRC servers
- Download and execute files
- Remove itself
- Start/Stop spreading via Instant Messaging applications
Process Termination
This worm terminates the following service(s), if found on the system:
- acssrv
- AntiVirService
- avast! Antivirus
- avg8wd
- avg9wd
- cmdAgent
- CSIScanner
- ekrn
- K7RTscan
- K7TSMngr
- KPF4
- McShield
- MsMpSvc
- NOD32krn
- OutpostFirewall
- PASRV
- SAVAdminService
- SAVService
- SbPF.Launcher
- SmcService
- Sophos AutoUpdate Service
- Sophos Client Firewall
- Sophos Client Firewall Manager
- SPF4
- TmPfw
- vsmon
- VSSERV
It terminates the following process(es), if found running in memory:
- 123.COM
- 123.EXE
- A2HIJACKFREESETUP.EXE
- APM.EXE
- APORTS.EXE
- APT.EXE
- ASVIEWER.EXE
- ATF-CLEANER.EXE
- AUTORUNS.EXE
- AVENGER.EXE
- AVG_AVWT_STB_EN_9_40_FREE.EXE
- AVGARKT.EXE
- AVINSTALL.EXE
- AVIRA_ANTIVIR_PERSONAL_EN.EXE
- AVZ.EXE
- BC5CA6A.EXE
- BITDEFENDER_ANTIVIRUS.EXE
- BOOTSAFE.EXE
- BUSCAREG.EXE
- CATCHME.EXE
- CF9409.EXE
- COMBO-FIX.EXE
- COMBOFIX.BAT
- COMBOFIX.COM
- COMBOFIX.EXE
- COMBOFIX.SCR
- COMPAQ_PROPIETARIO.EXE
- CPF.EXE
- CPORTS.EXE
- CPROCESS.EXE
- CUREIT.EXE
- DARKSPY105.EXE
- DELAYDELFILE.EXE
- DLLCOMPARE.EXE
- DLLHOSTS.EXE
- DRWEB-600-WIN-PRO-X86.EXE
- DUBATOOL_AV_KILLER.EXE
- EAV_NT32_ENU.MSI
- EAV_NT64_ENU.MSI
- ELISTA.EXE
- ESCW_90_SA_SFX.EXE
- EULALYZERSETUP.EXE
- FILEALYZ.EXE
- FILEFIND.EXE
- FIXBAGLE.EXE
- FIXPATH.EXE
- FOLDERCURE.EXE
- FPORT.EXE
- FSB.EXE
- FSBL.EXE
- GMER.EXE
- GUARD.EXE
- GUARDXKICKOFF.EXE
- GUARDXSERVICE.EXE
- HACKMON.EXE
- HELIOS.EXE
- HIJACK-THIS.EXE
- HIJACKTHIS.EXE
- HIJACKTHIS_SFX.EXE
- HIJACKTHIS_V2.EXE
- HJ.EXE
- HJTINSTALL.EXE
- HJTSETUP.EXE
- HOOKANLZ.EXE
- HOSTSFILEREADER.EXE
- ICESWORD.EXE
- IEFIX.EXE
- INSTALLWATCHPRO25.EXE
- ISSDM_EN_32.EXE
- JAJA.EXE
- K7TS_SETUP.EXE
- KAKASETUPV6.EXE
- KILLAUTOPLUS.EXE
- KILLBOX.EXE
- LISTO.EXE
- LORDPE.EXE
- MBAM-SETUP.EXE
- MBAM.EXE
- MBR.EXE
- MRT.EXE
- MRTSTUB.EXE
- MSASCUI.EXE
- MSMPENG.EXE
- MSNCLEANER.EXE
- MSNFIX.EXE
- MYPHOTOKILLER.EXE
- NAV-TW-30-17-1-0-19TBEN.EXE
- NETALYZ.EXE
- NETSTAT.EXE
- NS360S300EN
- NTVDM.EXE
- OBJMONSETUP.EXE
- OLLYDBG.EXE
- OTL.EXE
- OTM.EXE
- OTMOVEIT.EXE
- MBAM-SETUP.EXE
- P08PROMO.EXE
- PAVARK.EXE
- PENCLEAN.EXE
- PG2.EXE
- PGSETUP.EXE
- PORTDETECTIVE.EXE
- PORTMONITOR.EXE
- PREVX.EXE
- PREVXCSIFREE.EXE
- PROCDUMP.EXE
- PROCESSMONITOR.EXE
- PROCEXP.EXE
- PROCMON.EXE
- PROJECTWHOISINSTALLER.EXE
- PSKILL.EXE
- RAVP.EXE
- REANIMATOR.EXE
- REG.EXE
- REGALYZ.EXE
- REGCOOL.EXE
- REGEDIT.COM
- REGEDIT.SCR
- REGISTRAR_LITE.EXE
- REGMON.EXE
- REGSCANNER.EXE
- REGSHOT.EXE
- REGUNLOCKER.EXE
- TSNTEVAL.EXE
- XP_TASKMGRENAB.EXE
- REGX2.EXE
- RKD.EXE
- ROOTALYZER.EXE
- ROOTKIT_DETECTIVE.EXE
- ROOTKITBUSTER.EXE
- ROOTKITNO.EXE
- ROOTKITREVEALER.EXE
- ROOTREPEAL.EXE
- SAFEBOOTKEYREPAIR.EXE
- OTMOVEIT3.EXE
- HOSTSXPERT.EXE
- DAFT.EXE
- SDFIX.EXE
- SECCENTER.EXE
- SEEM.EXE
- SETUP_AV_FREE.EXE
- SPF.EXE
- SPYBOTSD.EXE
- SPYBOTSD160.EXE
- SRENGLDR.EXE
- SRENGPS.EXE
- SRESTORE.EXE
- STARTDRECK.EXE
- SUPERANTISPYWARE.EXE
- SUPERKILLER.EXE
- SYSANALYZER_SETUP.EXE
- TASKKILL.EXE
- TASKLIST.EXE
- TASKMAN.EXE
- TASKMON.EXE
- TCPVIEW.EXE
- TEATIMER.EXE
- TrendMicro_TISPro_16.1_1063_x32.EXE
- UNHACKME.EXE
- UNIEXTRACT.EXE
- UNLOCKER.EXE
- UNLOCKER1.8.7.EXE
- UNLOCKERASSISTANT.EXE
- USBGUARD.EXE
- VBA32-PERSONAL-LATEST-ENGLISH.EXE
- VIPRE.EXE
- VIRUS.EXE
- VIRUSUTILITIES.EXE
- WINDOWS-KB890930-V2.2.EXE
- WINDOWSDEFENDER.MSI
- WIRESHARK.EXE
- WITSETUP.EXE
- ZLCLIENT.EXE
It closes application windows that contain the following string(s):
- avast!Free Antivirus
- avast!Free Antivirus Setup
- AVG 9.0 build 730 (1/7/2010)
- AVG Anti-Virus
- AVG Download Manager
- Avira AntiVir Personal - Free Antivirus
- AVP.AlertDialog
- AVP.ScanProgressWindow
- AVZ Antiviral Toolkit
- BitDefender Antivirus 2010 Setup
- BitDefender Antivirus Scanner
- BitDefender Security Center
- BitDefender Setup
- Computer Scan - ESET NOD32 Antivirus
- Custom Scan
- ESET NOD32 Antivirus
- ESET NOD32 Antivirus Setup
- Full System Scan
- HijackThis
- Kaspersky Anti-Virus 2010
- Kaspersky Anti-Virus 2010 Setup
- Luke Filewalker
- MalwareBtyes AntiMalware
- Malwarebytes' AntiMalware
- Microsoft Security Essentials
- Norton 360
- Norton Antivirus
- Norton Antivirus 2010
- Norton QuickScan
- Prevx
- PrevxWindowClass
- Regshot 1.8.2
- SAVScanDlgs
- Scan
- Sophos Endpoint Security and Control
- Sophos Endpoint Security and Control installation wizard
- Sophos Endpoint Security and Control standalone installer
- Sophos.SAV.ScanDlg
- Symantec Endpoint Protection
- TCPViewClass
- The Avenger
- The Avenger,(c) by Swandog46
- The Wireshark Network Analyzer
- ThunderRT6Main
- TWizardForm
- Updater
- Windows Defender
HOSTS File Modification
This worm modifies the system's HOSTS files to prevent users from accessing the following Web site(s):
- 13iii.com
- acs.pandasoftware.com
- ad-aware-se.uptodown.com
- ad.harrenmedianetwork.com
- ad13.geekstogo.com
- aknow.prevx.com
- alerta-antivirus.inteco.es
- alerta-antivirus.red.es
- alfrasha.maktoob.com
- andymanchesta.com
- anggiawan.web.id
- angui123.cn
- answers.yahoo.com
- anti-virus-software-review.toptenreviews.com
- antitrick.com
- antonbi.web.id
- ar.answers.yahoo.com
- ariefew.com
- artsoftdesign.com
- atazita.blogspot.com
- avast-home.uptodown.com
- avg.vo.llnwd.net
- ba-k.com
- baike.360.cn
- baike.360.com
- banes-pages.blogspot.com
- bb1.th3kings.net
- bbs.360safe.cn
- bbs.360safe.com
- bbs.cfan.com.cn
- bbs.duba.net
- bbs.ikaka.com
- bbs.kafan.cn
- bbs.kafan.com
- bbs.kaspersky.com.cn
- bbs.kpfans.com
- bbs.s-sos.net
- bbs.taisha.org
- bbs.winzheng.com
- beniono.wordpress.com
- beta.eset.com
- bisnismudahsaja.blogspot.com
- blog.hispasec.com
- blog.rnsafe.com
- blog.threatfire.com
- blogs.icerocket.com
- blokvesti.net
- board.protecus.de
- board.softpedia.com
- boardreader.com
- bokwer.com
- bub.th3kings.net
- ca.answers.yahoo.com
- cairopt.net
- cert.inteco.es
- changelog.fr
- cit.kookmin.ac.kr
- club.myce.com
- cmmings.cn
- codehard.wordpress.com
- cofradia.org
- community.mcafee.com
- community.norton.com
- community.thaiware.com
- comprolive.com
- comprolive.vox.com
- computadoras.migold.com
- comunidad.wilkinsonpc.com.co
- customer.symantec.com
- danielorza.net
- darkzone.in.th
- debates.motos.net
- deckard.geekstogo.com
- destavision-forum.com
- devbuilds.kaspersky-labs.com
- devirusare.com
- diamondcs.com.au
- discussions.virtualdr.com
- dl.360safe.com
- dl2.agnitum.com
- dlpe.antivir.com
- dnl-eu8.kaspersky-labs.com
- down.360safe.cn
- down.360safe.com
- down.www.kingsoft.com
- download.bleepingcomputer.com
- download.eset.com
- download.f-secure.com
- download.mcafee.com
- download.microsoft.com
- download.nai.com
- download.sysinternals.com
- download.zonealarm.com
- downloads.andymanchesta.com
- downloads.malwarebytes.org
- downloads.novirusthanks.org
- downloads.sophos.com
- dr-web-cureit.softonic.com
- egavisa.blogspot.com
- es.answers.yahoo.com
- es.kioskea.net
- es.mcafee.com
- es.trendmicro-europe.com
- es.wasalive.com
- esetnod32antivirus.blogspot.com
- espanol.answers.yahoo.com
- espanol.dir.groups.yahoo.com
- espanol.groups.yahoo.com
- fgp.e2doo.com
- fgsite.com
- file.ikaka.cn
- file.ikaka.com
- files.filefont.com
- fineartschance.com
- fixmyim.com
- foro.el-hacker.com
- foro.elhacker.net
- foro.ethek.com
- foro.infiernohacker.com
- foro.msgpluslive.es
- foro.noticias3d.com
- foro.portalhacker.net
- foros.3dgames.com.ar
- foros.abcdatos.com
- foros.mcanime.net
- foros.softonic.com
- foros.toxico-pc.com
- foros.zonavirus.com
- forospyware.com
- forum.aiutamici.com
- forum.antivir-pe.de
- forum.antivirus365.net
- forum.avast.com
- forum.avira.com
- forum.avira.de
- forum.bullguard.com
- forum.burek.com
- forum.chip.de
- forum.clubedohardware.com.br
- forum.dobreprogramy.pl
- forum.drweb.com
- forum.gsmhosting.com
- forum.hardware.fr
- forum.hijackthis.de
- forum.hocit.com
- forum.kaspersky.com
- forum.kasperskyclub.com
- forum.lowyat.net
- forum.lrytas.lt
- forum.malekal.com
- forum.p30world.com
- forum.piriform.com
- forum.programosy.pl
- forum.romeonet.ro
- forum.securitycadets.com
- forum.skype.com
- forum.smadav.net
- forum.softpedia.com
- forum.swzone.it
- forum.sysinternals.com
- forum.telecharger.01net.com
- forum.torrents.ro
- forum.tweaks.com
- forum.zazana.com
- forum.zebulon.fr
- forums.afterdawn.com
- forums.avg.com
- forums.cnet.com
- forums.comodo.com
- forums.devshed.com
- forums.eternion-wow.com
- forums.maddoktor2.com
- forums.malwarebytes.org
- forums.overclockzone.com
- forums.techguy.org
- forums.whatthetech.com
- forums.zonealarm.com
- free.antivirus.com
- free.avg.com
- front.prevx.com
- ftp.drweb.com
- ftp.f-secure.com
- ftp.pcpitstop.com
- ftp01net.telechargement.fr
- golpe.dyndns.org
- gotoknow.org
- greatis.com
- gulaley.blogspot.com
- guru.avg.com
- guru0.grisoft.cz
- guru1.grisoft.cz
- guru2.grisoft.cz
- guru3.grisoft.cz
- guru4.grisoft.cz
- guru5.grisoft.cz
- hana-ahmad.blogspot.com
- harrenmedianetwork.com
- heavenward.ru
- hi.baidu.com
- hijackthis.download3000.com
- hjt-data.trend-braintree.com
- hjt.networktechs.com
- housecall.trendmicro.com
- housecall65.trendmicro.com
- images.malwareremoval.com
- in.answers.yahoo.com
- info.prevx.com
- inspiresoft.blogspot.com
- irc.ekizmedia.com
- irc.evoporn.com
- irc.snahosting.net
- it.answers.yahoo.com
- justfane.blogspot.com
- k2r.th3kings.net
- kaba.360.cn
- kaba.360.com
- kaspersky.com
- kb.eset.com
- kr.ahnlab.com
- ladooscuro.es
- lexikon.ikarus.at
- linhadefensiva.uol.com.br
- liveupdate.symantec.com
- liveupdate.symantecliveupdate.com
- lurker.clamav.net
- mailcenter.rising.com
- mailcenter.rising.com.cn
- majorgeeks.com
- malekal.com
- malwarebytes-anti-malware.softonic.com
- malwarebytes.org
- mast.mcafee.com
- melcy.wordpress.com
- mks.com.pl
- modelayu.com
- msncleaner.softonic.com
- msnfix.changelog.fr
- msntubers.freehostia.com
- mustlovewine.com
- mvps.org
- mx.answers.yahoo.com
- myantispyware.com
- new.taringa.net
- news.support.veritas.com
- nitroamd.spaces.live.com
- nod32-antivirus.en.softonic.co
- ntfaq.co.kr
- oldtimer.geekstogo.com
- onecare.live.com
- oolbar.cyberdefender.com
- ot-indo.blogspot.com
- p3dev.taringa.net
- pastebin.com
- pcvids.wordpress.com
- pogonyuto.forospanish.com
- poolcoversite.com
- positiveroot.wordpress.com
- psychoski.blogspot.com
- quickscan.bitdefender.com
- rareartonline.com
- regfixerror.pctools.revenuewire.net
- research.pandasecurity.com
- research.sunbelt-software.com
- rootrepeal.googlepages.com
- rootrepeal.psikotick.com
- sabithpocker.blogspot.com
- safecomputing.umn.edu
- samroeng.hi5.com
- sapcupgrades.com
- scanner.virus.org
- search.mcafee.com
- secubox.aldria.com
- secunia.com
- secure.sophos.com
- security.symantec.com
- securityresponse.symantec.com
- securitywonks.net
- service1.symantec.com
- sf.tapuz.co.il
- share.skype.com
- shield.prevx.com
- shitit.net
- shop.symantecstore.com
- shv4.ath.cx
- simplyrudz.blogspot.com
- sip4.voipkosovasite.com
- sis-admin.blogspot.com
- smadaver.com
- sniff.runescapetube.com
- social.answers.microsoft.com
- social.microsoft.com
- software-files.download.com
- softwaresecuritysolutions.com
- solit.us
- somostuyyounnuevodiaoficial.obolog.com
- sophos.com
- sopiansantosa.blogspot.com
- sosvirus.changelog.fr
- spywarefiles.prevx.com
- spywarehammer.com
- static.commentcamarche.net
- stdio-labs.blogspot.com
- store.norton.com
- story.dnsentrymx.com
- subs.geekstogo.com
- support.emsisoft.com
- support.f-secure.com
- support.kaspersky.com
- swandog46.geekstogo.com
- tech.pantip.com
- thaicert.nectec.or.th
- thailand.itmylike.com
- thedudesemo.blogspot.com
- thejokerx.blogspot.com
- topsy.com
- trbotnet.sytes.net
- trialware.norton.com
- uk.answers.yahoo.com
- universomanualidades.foroactivo.com
- update.360safe.cn
- update.360safe.com
- update.symantec.com
- updatem.360safe.cn
- updatem.360safe.com
- upload.changelog.fr
- us.mcafee.com
- us3.download.comodo.com
- us4.download.comodo.com
- usa.kaspersky.com
- v.dreamwiz.com
- vaksin.com
- vil.nai.com
- vil.nail.com
- virscan.org
- virusinfo.info
- virusinfo.prevx.com
- wakoopa.com
- wap.elakiri.com
- wasteland-bg.com
- wenwen.soso.com
- whois.domaintools.com
- www.2-spyware.com
- www.247fixes.com
- www.360.cn
- www.360.com
- www.360safe.cn
- www.360safe.com
- www.365groups.com
- www.4-gsmteam.com
- www.51nb.com
- www.abgenis.net
- www.alabamawomen.org
- www.analysis.seclab.tuwien.ac.at
- www.antirootkit.com
- www.antivir.es
- www.antivirus.about.com
- www.antivirus.comodo.com
- www.arenajunkies.com
- www.arswp.com
- www.askmehelpdesk.com
- www.auditmypc.com
- www.avast.com
- www.avg-antivirus.net
- www.avira.com
- www.avp.com
- www.avpclub.ddns.info
- www.avsoft.ru
- www.babooforum.com.br
- www.bakunos.com
- www.betterantivirus.com
- www.bitdefender.com
- www.bitdefender.es
- www.bleedingthreats.net
- www.bleepingcomputer.com
- www.blindedbytech.com
- www.blogschapines.com
- www.bloodzone.net
- www.box.net
- www.ca.com
- www.carigold.com
- www.castlecops.com
- www.castlecrops.com
- www.cddchiangmai.net
- www.cfan.com.cn
- www.changedetection.com
- www.chkrootkit.org
- www.cisrt.org
- www.clamav.net
- www.clamwin.com
- www.clubic.com
- www.codelain.com
- www.com-th.net
- www.commentcamarche.net
- www.computerforum.com
- www.computerhilfen.de
- www.computing.net
- www.configurarequipos.com
- www.corozilla.net
- www.cwsandbox.org
- www.cyberdefender.com
- www.cybertechhelp.com
- www.daboweb.com
- www.daniweb.com
- www.darkclockers.com
- www.dazhizhu.cn
- www.decido.de
- www.devirusare.com
- www.dicasweb.com.br
- www.dl4all.com
- www.dougknox.com
- www.downtr.net
- www.drweb.com.es
- www.duba.net
- www.eeload.com
- www.el-hacker.com
- www.elakiri.com
- www.elektroda.pl
- www.elguruinformatico.com
- www.elhacker.org
- www.elitepvpers.de
- www.eliters.com
- www.emsisoft.com
- www.emsisoft.de
- www.eradicatespyware.net
- www.eset-la.com
- www.eset.com
- www.eset.eu
- www.eudict.com
- www.ewido.net
- www.experts-exchange.com
- www.f-prot.com
- www.f-secure.com
- www.faravirusi.com
- www.feedage.com
- www.file.net
- www.fileresearchcenter.com
- www.final4ever.com
- www.firewallguide.com
- www.fixya.com
- www.forofantasiasmiguel.com
- www.forospanish.com
- www.forospyware.com
- www.forospyware.es
- www.fortiguardcenter.com
- www.fortinet.com
- www.forum.kaspersky.com
- www.forums.majorgeeks.com
- www.free-av.com
- www.free.avg.com
- www.free.grisoft.com
- www.freedrweb.com
- www.freefixer.com
- www.freespywareremoval.info
- www.freshwap.net
- www.ftw.ro
- www.funkytoad.com
- www.futurenow.bitdefender.com
- www.gamexeon.com
- www.geekpolice.net
- www.geekstogo.com
- www.gmer.net
- www.greatis.com
- www.grisoft.com
- www.groupwhere.org
- www.gsmph.com
- www.gsmph.net
- www.guiadohardware.net
- www.gyakorikerdesek.hu
- www.hijackthis.de
- www.hotshare.net
- www.housecall.trendmicro.com
- www.huaifai.go.th
- www.hvaonline.net
- www.identi.es
- www.ikaka.cn
- www.ikaka.com
- www.ikarus.net
- www.incodesolutions.com
- www.indowebster.web.id
- www.infos-du-net.com
- www.infosecpodcast.com
- www.infospyware.com
- www.ipaddresser.com
- www.ixtorrent.com
- www.jackbloodforum.com
- www.javacoolsoftware.com
- www.javacoolsoftware.net
- www.jbtalks.cc
- www.jiwang.org
- www.judj.com
- www.jvme.com
- www.k7computing.com
- www.kaldata.com
- www.kaskus.us
- www.kaspersky-labs.com
- www.kaspersky.com
- www.kaspersky.es
- www.killtrojan.net
- www.kosandpol.elakiri.com
- www.krupunmai.com
- www.kztechs.com
- www.laneros.com
- www.latest-virus.com
- www.lavasoft.com
- www.leforo.com
- www.linhadefensiva.org
- www.linkmania.ro
- www.looktr.com
- www.malekal.com
- www.malwarebytes.org
- www.malwarecrypt.com
- www.malwareremoval.com
- www.manuelruvalcaba.com
- www.mcafee.com
- www.mcanime.net
- www.Merijn.org
- www.messengeradictos.com
- www.misec.net
- www.mostz.com
- www.mozilla-hispano.org
- www.msnvirusremoval.com
- www.mvps.org
- www.mxttchina.com
- www.mycity.rs
- www.mypcsafe.com
- www.nabble.com
- www.net-security.org
- www.networkworld.com
- www.nhatnghe.com
- www.norman.com
- www.offensivecomputing.net
- www.onlinescan.avast.com
- www.oprekpc.com
- www.ozzu.com
- www.pandasecurity.com
- www.pantip.com
- www.pc1news.com
- www.pcentraide.com
- www.pcguide.com
- www.pchell.com
- www.pchelpforum.com
- www.pcsupportadvisor.com
- www.pctools.com
- www.pcwelt.de
- www.pcworld.com
- www.personal.psu.edu
- www.personalfirewall.comodo.com
- www.pinoyden.com
- www.pinoyhackers.com
- www.pinoytambaygroup.com
- www.precisesecurity.com
- www.prevx.com
- www.protecus.de
- www.psicofxp.com
- www.quickheal.co.in
- www.raymond.cc
- www.regrun.com
- www.resplendence.com
- www.rising.com
- www.rising.com.cn
- www.rolandovera.com
- www.rootkit.com
- www.rootkit.nl
- www.rss-verzeichnis.de
- www.runscanner.net
- www.safer-networking.org
- www.sandboxie.com
- www.securitynewsportal.com
- www.securitystronghold.com
- www.securitywonks.net
- www.sergiwa.com
- www.shitit.net
- www.siteadvisor.com
- www.smokey-services.eu
- www.soccersuck.com
- www.softonic.com
- www.sophos.com
- www.spamhaus.org
- www.spyany.com
- www.spybot.info
- www.spybotupdates.com
- www.spychecker.com
- www.spywarecease.com
- www.spywaredb.com
- www.spywaredemon.com
- www.spywarefri.dk
- www.spywareinfo.com
- www.spywareremovalblog.com
- www.spywareterminator.com
- www.sunbeltsecurity.com
- www.sunbeltsoftware.com
- www.superadblocker.com
- www.superantispyware.com
- www.superdicas.com.br
- www.superuser.co.kr
- www.symantec.com
- www.sysinternals.com
- www.sz-pet.com
- www.tallemu.com
- www.tanya-it.com
- www.taringa.net
- www.techimo.com
- www.techspot.com
- www.techsupportforum.com
- www.tecno-soft.com
- www.thaicert.org
- www.thailandsusu.com
- www.thaivisa.com
- www.thecomputerpitstop.com
- www.thehelper.net
- www.thetechguide.com
- www.thinkpad.cn
- www.threatexpert.com
- www.tongjimba.com
- www.tpu.ro
- www.trendmicro.com
- www.trendsecure.com
- www.trojaner-board.de
- www.trucoswindows.es
- www.trucoswindows.net
- www.tweaksforgeeks.com
- www.ulop.net
- www.unhackme.com
- www.usbcleaner.cn
- www.utilidades-utiles.com
- www.velocidadmaxima.com
- www.vietcaravan.us
- www.viprasys.org
- www.virscan.org
- www.virus-com.com
- www.viruschief.com
- www.virusdoctor.jp
- www.viruslist.com
- www.virusspy.com
- www.virustotal.com
- www.vivalared.com
- www.vsantivirus.com
- www.vupen.com
- www.webimmune.net
- www.webphand.com
- www.webroot.com
- www.whatthetech.com
- www.wikio.es
- www.wilderssecurity.com
- www.winbots.es
- www.windowexe.com
- www.worton.com
- www.xmarks.com
- www.yoreparo.com
- www.ziggamza.net
- www.zonavirus.com
- www.zone-it.com
- www.zonealarm.com
- www.zyzoom.org
- www2.gmer.net
- www3.malekal.com
- wwww.experts-exchange.com
- wwww.mcafee.com
- x.360safe.com
- yourartmuseum.com
- z-oleg.com
- zastita.com
- zenovy.com
- zhidao.baidu.com
- zhidao.ikaka.com
- zone.arminboutique.com
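Blocking a list of vendor and support sites through the HOSTS file leaves a clear artifact. The script below is an added example, not Trend Micro code: it parses HOSTS text, ignores the stock localhost lines, and reports every mapping of a watched domain, distinguishing entries sunk to a loopback or unspecified address from entries redirected elsewhere. The HOSTS content is constructed, and the watch list is a small subset of the domains listed above; passing `watch=None` goes beyond the page's list and flags every non-local mapping, which is the broader check a responder usually wants.

```python
"""Flag HOSTS-file entries that sink or redirect security-vendor and support
domains, the technique this page documents with its domain list. Added example,
not Trend Micro code; the HOSTS text is constructed and the watch list is a
small subset of the page's domains."""
import ipaddress
from typing import List, Optional, Set, Tuple

SAMPLE_HOSTS = """# constructed sample, not a real host's file
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com
127.0.0.1 download.microsoft.com forum.avast.com
0.0.0.0\twww.malwarebytes.org
10.1.2.3 update.symantec.com   # redirected rather than sunk
127.0.0.1 intranet.corp.example   # locally maintained entry, not on the watch list
"""

# A handful of the domains the page lists, lower-cased.
WATCH_DOMAINS = {"www.symantec.com", "download.microsoft.com", "forum.avast.com",
                 "www.malwarebytes.org", "update.symantec.com", "housecall.trendmicro.com"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """(address, hostname) pairs; comments, blank lines and multi-name lines are handled."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        pairs.extend((fields[0], host.lower()) for host in fields[1:])
    return pairs

def sink_kind(addr: str) -> str:
    """'sunk' for loopback/unspecified addresses, 'redirected' for anything else."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "redirected"
    return "sunk" if ip.is_loopback or ip.is_unspecified else "redirected"

def suspicious_entries(text: str, watch: Optional[Set[str]] = WATCH_DOMAINS) -> List[Tuple[str, str, str]]:
    """Every mapping of a watched domain (or of any non-local name when watch is None),
    tagged by whether the name is sunk or redirected."""
    return [(addr, host, sink_kind(addr))
            for addr, host in parse_hosts(text)
            if host not in LOCAL_NAMES and (watch is None or host in watch)]

if __name__ == "__main__":
    for addr, host, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"[!] {host} {kind} via {addr}")
```

On a live Windows host the file to read is %System%\drivers\etc\hosts; the `redirected` tag matters because a mapping to a non-loopback address means the update or support traffic is being delivered somewhere else rather than simply failing.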
Download Routine
This worm downloads an updated copy of itself from the following Web site(s):
- http://{BLOCKED}3xme1fucan.com/net/debug2.zip
- http://{BLOCKED}.s3xme1fucan.com/net/debug2.zip
Other Details
This worm creates the following mutex(es) to ensure that only one instance of itself is running in memory:
It connects to the following URL(s) to send and receive commands from a remote malicious user:
- http://{BLOCKED}.{BLOCKED}.74.40/net/debug2.txt
It modifies the following registry entry(ies) to hide files with Hidden attributes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
CheckedValue = "1"
(Note: The default value data for the said registry entry is 0.)
It terminates antivirus-related processes.
Affected Platforms
This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
Analysis By: Karl Dominguez
Revision History: