For Consumer

Virus Profile: W32/Winur.worm.b

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 2/4/2003
Date Added: 2/5/2003
Origin: Unknown
Length: 69,632 bytes
Type: Virus
Subtype: P2P Worm
DAT Required: 4246
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

- Presence of the aforementioned files, and message box.
- Firewall program alerting you that PING is attempting to access the Internet on the 5th, 15th, or 25th of the month.

Methods of Infection

This worm spreads through the ICQ, KaZaa, Grokster, and WinMX file-sharing applications. It also may spread through network share propagation.

Aliases

W32/Flow, Worm.P2P.VB.o (AVP)
   

Virus Characteristics

This threat is proactively detected as "New P2P Worm" with the 4215-4245 DAT files when scanning with program heuristics enabled.

This worm spreads via network shares, peer-to-peer file-sharing software, and floppy diskettes. The worm contains a payload to initiate a Denial of Service attack against 3 white supremacist websites. The worm propagates via ICQ, KaZaa, and Grokster using filenames found on the infected system, and the following names:

  • .exe
  • Adobe Photoshop crack.exe
  • Age of Empire crack.exe
  • Age of Mythology crack.exe
  • All Microsoft games crack.exe
  • American concuest crack.exe
  • Anno 1503 Crack - No cd.exe
  • AOL hacker.exe
  • AOL password stealer.exe
  • Beach life crack nocd.exe
  • Britney spears game.exe
  • Bugbear remover.exe
  • Christina Aguilera game.exe
  • Die another Day DVD full.exe
  • Die another day flash movie(1).exe
  • Die another day flash movie.exe
  • Driver 2 crack.exe
  • Dvd ripper.exe
  • EA games Keygen.exe
  • Esafe desktop protection crack.exe
  • Fifa 2003 crack.exe
  • Fifa 2004 crack.exe
  • Free ADSl.exe
  • Frontline attack war over Europe noCD crack.exe
  • Frontpage cracker.exe
  • GTA 3 game crack noCD.exe
  • GTA3 game crack noCD.exe
  • Highland warriors crack.exe
  • Hotmail account hacker in 30 minutes.exe
  • Hotmail hacker.exe
  • Hotmailhacker v1.0.exe
  • Icon extractor v1.7 - full.exe
  • ICQ hacker.exe
  • ICQ password stealer.exe
  • Jack the ripper v1.0.exe
  • Jackie chan dvd collection.exe
  • James Bond game - Die another day.exe
  • John the ripper v1.0.exe
  • Justin Timberlake Debute movie.exe
  • Klez fixtool.exe
  • Lord of the rings VCD.exe
  • Love calculator.exe
  • Mad Jack crack.exe
  • MadJack crack.exe
  • Mafia game crack noCD.exe
  • Mcafee virusscanner crack.exe
  • Microangelo crack.exe
  • Most important hacker tool ever!.exe
  • mp3 ripper.exe.exe
  • msconfig.exe
  • MSN 5.0 Banner remover.exe
  • MSN Messenger commercial crack.exe
  • MSN Password crack.exe
  • MSN PLUS!.exe
  • MXlinx 0.30 crack.exe
  • Nikki cox game and movie.exe
  • Norton antivirus crack.exe
  • Office XP license crack.exe
  • pornmovie (hardcore sex adult asian).exe
  • Powerful MP3 ripper.exe
  • Red Alert 2 [noCD].exe
  • Red Alert 2 YR [noCD].exe
  • Red Alert cracker crack - All versions (yuri, 1 ,2 etc).exe
  • Rollercoaster tycoon 2 crack.exe
  • Rollercoaster tycoon cracker.exe
  • shortcut to northwind.lnk.exe
  • Shriek DVD crack patch.exe
  • Sim City 4 - no cd crack.exe
  • Sim City 4 - no cd patch.exe
  • Sim City 4 [noCD].exe
  • Sim city 4 crack.exe
  • Stop the war (intro).exe
  • Stronghold Crusader crack- All versions [noCD].exe
  • Stuart Little 2 crack game noCD.exe
  • Super 2000key keygen.exe
  • The Sims crack.exe
  • Theme park world cracker.exe
  • Tropico crack.exe
  • Warcraft 3 crack.exe
  • Webcracker.exe
  • Website hacker v1.0.exe
  • Windows Me crack.exe
  • Windows XP license crack.exe
  • Yaha Fixtool.exe
Peer-to-peer Propagation
When run, the worm creates a hidden directory, c:\winrun, and copies itself to that directory using the aforementioned filenames, as well as filenames found in the Shell Folders Personal, My Music, and My Video. This WINRUN folder is then set as the default share for the KaZaa, Grokster, and WinMX file-sharing applications.

The worm also copies itself to c:\klez_removal.exe and creates a registry run key to load itself at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "msconfig" = C:\winrun\msconfig.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    RunServices "winrun" = C:\winrun\msconfig.exe
The following additional registry keys are created:
  • HKEY_CURRENT_USER\Software\Grokster\
    InstantMessaging "IgnoreAll" = REG_DWORD:1
  • HKEY_CURRENT_USER\Software\Grokster\
    LocalContent "DisableSharing" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\Grokster\
    Resultsfilter "adult_filter_level" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\Grokster\
    Resultsfilter "virus_filter" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\KaZaa\
    Advanced "ScanFolder" = REG_DWORD:1
  • HKEY_CURRENT_USER\Software\KaZaa\
    InstantMessaging "IgnoreAll" = REG_DWORD:1
  • HKEY_CURRENT_USER\Software\KaZaa\
    LocalContent "DisableSharing" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\KaZaa\
    ResultsFilter "adult_filter_level" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\KaZaa\
    ResultsFilter "bogus_filter" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\KaZaa\
    ResultsFilter "firewall_filter" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\KaZaa\
    ResultsFilter "virus_filter" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\KaZaa\
    Settings "FolderWarning" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\KaZaa\
    Settings "Quarantine" = C:\WINDOWS\Start Menu\Programs\StartUp
  • HKEY_CURRENT_USER\Software\KaZaa\
    UserDetails "AutoConnected" = REG_DWORD:1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\MessengerService\
    Policies "IMWarning" = (M)Warning: The person who you are talking to is infected with a virus. Send him the removal tool that can be found in C:\klez_removal.exe(M)
The last key is designed to display a warning message on the local MSN Messenger user's system to encourage them to send the worm to that user.

Floppy Propagation
A copy of the worm is saved to the A: drive as:

  • IMPORTANT - READ THIS.DOC < 62 spaces > .exe
Payload
On the 24th of the month a message box is displayed:

On the 5th, 15th, and 25th of the month, a Denial of Service attack is initiated against 3 white supremacist websites.

Network Share Propagation
The worm creates the file c:\Autostart.bat, which redirects the output of the NET VIEW command to the file c:\ntwrk32.dll. This file provides the virus a list of systems in the current workgroup for the worm to spread to. Using the share c, the worm copies itself to the following paths:

  • windows\Start Menu\Programs\StartUp\msoffice32.exe
  • windows\start menu\Programma's\Opstarten\msoffice32.exe
  • Documents and Settings\All Users\Start menu\
    programs\startup\msoffice32.exe
  • Documents and Settings\All Users\Menu Start\
    Programma's\Opstarten\msoffice32.exe
During testing, the worm failed to spread successfully using this propagation method.
   

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

   

PC Infected? Get Expert Help

McAfee
Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

$89.95