For Home

Virus Profile: W32/Blurt@MM

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 9/4/2003
Date Added: 9/4/2003
Origin: Unknown
Length: 18,432 bytes
Type: Virus
Subtype: E-mail
DAT Required: 4284
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The virus terminates the following processes:

  • ADVXDWIN.EXE
  • ALERTSVC.EXE
  • ALOGSERV.EXE
  • AMON9X.EXE
  • ANTI-TROJAN.EXE
  • ANTS.EXE
  • APVXDWIN.EXE
  • ATCON.EXE
  • ATUPDATER.EXE
  • ATWATCH.EXE
  • AUTODOWN.EXE
  • AVCONSOL.EXE
  • AVE32.EXE
  • AVGCC32.EXE
  • AVGCTRL.EXE
  • AVGSERV.EXE
  • AVGSERV9.EXE
  • AVGW.EXE
  • AVKSERV.EXE
  • AVNT.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPDOS32.EXE
  • AVPM.EXE
  • AVPTC32.EXE
  • AVPUPD.EXE
  • AVSCHED32.EXE
  • AVSYNMGR.EXE
  • AVWIN95.EXE
  • AVWINNT.EXE
  • AVWUPD32.EXE
  • AVXMONITOR9X.EXE
  • AVXMONITORNT.EXE
  • AVXQUAR.EXE.EXE
  • AVXW.EXE
  • AgentSvr.exe
  • AutoTrace.exe
  • Avgctrl.exe
  • Avsched32.exe
  • BLACKD.EXE
  • BLACKICE.EXE
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • CLAW95.EXE
  • CLAW95CF.EXE
  • CLEANER.EXE
  • CLEANER3.EXE
  • CMGRDIAN.EXE
  • CONNECTIONMONITOR.EXE
  • CPD.EXE
  • CPDCLNT.EXE
  • DEFWATCH.EXE
  • DOORS.EXE
  • DVP95.EXE
  • DVP95_0.EXE
  • ECENGINE.EXE
  • EFPEADM.EXE
  • ESAFE.EXE
  • ESPWATCH.EXE
  • ETRUSTCIPE.EXE
  • EVPN.EXE
  • EXPERT.EXE
  • F-AGNT95.EXE
  • F-PROT.EXE
  • F-PROT95.EXE
  • F-STOPW.EXE
  • FINDVIRU.EXE
  • FP-WIN.EXE
  • FPROT.EXE
  • FRW.EXE
  • GENERICS.EXE
  • GUARD.EXE
  • GUARDDOG.EXE
  • IAMAPP.EXE
  • IAMSERV.EXE
  • IBMASN.EXE
  • IBMAVSP.EXE
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • IOMON98.EXE
  • ISRV95.EXE
  • InoRT.exe
  • InoRpc.exe
  • InoTask.exe
  • JEDI.EXE
  • LDNETMON.EXE
  • LDPROMENU.EXE
  • LDSCAN.EXE
  • LOCKDOWN.EXE
  • LOCKDOWN2000.EXE
  • LOOKOUT.EXE
  • LUALL.EXE
  • LUCOMSERVER.EXE
  • MCAGENT.EXE
  • MCMNHDLR.EXE
  • MCSHIELD.EXE
  • MCTOOL.EXE
  • MCUPDATE.EXE
  • MCVSRTE.EXE
  • MCVSSHLD.EXE
  • MGAVRTCL.EXE
  • MGAVRTE.EXE
  • MGHTML.EXE
  • MINILOG.EXE
  • MONITOR.EXE
  • MOOLIVE.EXE
  • MPFTRAY.EXE
  • MWATCH.EXE
  • N32SCANW.EXE
  • NAVAPSVC.EXE
  • NAVAPW32.EXE
  • NAVLU32.EXE
  • NAVNT.EXE
  • NAVW32.EXE
  • NAVWNT.EXE
  • NDD32.EXE
  • NETUTILS.EXE
  • NISSERV.EXE
  • NISUM.EXE
  • NMAIN.EXE
  • NORMIST.EXE
  • NPROTECT.EXE
  • NPSSVC.EXE
  • NSCHED32.EXE
  • NTVDM.EXE
  • NTXconfig.exe
  • NUPGRADE.EXE
  • NVC95.EXE
  • NWService.exe
  • NWTOOL16.EXE
  • Navapw32.exe
  • NeoWatchLog.exe
  • Nui.EXE
  • PADMIN.EOUTPOST.EXE
  • PADMIN.EXE
  • PAVCL.EXE
  • PAVSCHED.EXE
  • PAVW.EXE
  • PCCIOMON.EXE
  • PCCWIN98.EXE
  • PCFWALLICON.EXE
  • PERSFW.EXE
  • POP3TRAP.EXE
  • POPROXY.EXE
  • PORTMONITOR.EXE
  • PROCESSMONITOR.EXE
  • PVIEW95.EXE
  • RAV7.EXE
  • RAV7WIN.EXE
  • REALMON.EXE
  • RESCUE.EXE
  • RTVSCN95.EXE
  • Realmon.exe
  • SAFEWEB.EXE
  • SCAN32.EXE
  • SCAN95.EXE
  • SCANPM.EXE
  • SCRSCAN.EXE
  • SERV95.EXE
  • SMC.EXE
  • SPHINX.EXE
  • SPYXX.EXE
  • SS3EDIT.EXE
  • SWEEP95.EXE
  • SWNETSUP.EXE
  • SYMPROXYSVC.EXE
  • SYMTRAY.EXE
  • SymProxySvc.exe
  • TBSCAN.EXE
  • TC.EXE
  • TCA.EXE
  • TCM.EXE
  • TDS-3.EXE
  • TDS2-98.EXE
  • TDS2-NT.EXE
  • TFAK.EXE
  • VET32.EXE
  • VET95.EXE
  • VETTRAY.EXE
  • VIR-HELP.EXE
  • VPC32.EXE
  • VPTRAY.EXE
  • VSCAN40.EXE
  • VSCHED.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • VSMAIN.EXE
  • VSMON.EXE
  • VSSTAT.EXE
  • VbCons.exe
  • WATCHDOG.EXE
  • WEBSCANX.EXE
  • WEBTRAP.EXE
  • WFINDV32.EXE
  • WGFE95.EXE
  • WIMMUN32.EXE
  • WRADMIN.EXE
  • WRCTRL.EXE
  • ZAPRO.EXE
  • ZONEALARM.EXE
  • _AVP32.EXE
  • _AVPCC.EXE
  • _AVPM.EXE
  • apvxdwin.exe
  • avkpop.exe
  • avkservice.exe
  • avkwctl9.exe
  • defscangui.exe
  • fameh32.exe
  • fch32.exe
  • fih32.exe
  • fnrb32.exe
  • fsaa.exe
  • fsav32.exe
  • fsgk32.exe
  • fsm32.exe
  • fsma32.exe
  • fsmb32.exe
  • gbmenu.exe
  • gbpoll.exe
  • zapro.exe
  • iamapp.exe
  • netstat.exe
  • nisum.exe
  • ntrtscan.EXE
  • nvsvc32.exe
  • pavproxy.exe
  • pccntmon.EXE
  • pccwin97.EXE
  • pcscan.EXE
  • regedit.exe
  • sbserv.exe
  • sscansvc.exe
  • taskmgr.exe
  • vbcmserv.exe
  • vsmon.exe
  • zonealarm.exe

The virus attempts to stop the following services:

  • Event Log
  • Messenger
  • Zonealarm
  • TrueVector Internet Monitor
  • Norton Antivirus Auto Protect Service
  • Norton Internet Security Accounts Manager
  • Norton Internet Security Proxy Service
  • Norton Internet Security Service 
  • Norton AntiVirus Server
  • Norton AntiVirus Auto Protect Service
  • Norton AntiVirus Client
  • Symantec AntiVirus Client
  • McShield
  • IPSEC Policy Agent
  • DefWatch
  • WMDM PMSP Service

Methods of Infection

This virus spreads via Microsoft Outlook (by sending itself to Outlook Address Book recipients) and the mIRC Internet Relay Chat client.

Aliases

I-Worm.Blare (AVP), W32.Blare@mm (Symantec), WORM_BLARE.A (Trend)
   

Virus Characteristics

This threat is deemed Low-Profiled due to media attention at http://www.theregister.co.uk/content/56/32662.html

McAfee users are proactively protected from this threat when scanning with the 4252 DAT files, compressed executables, and the 4.2.40 scan engine.  4.1.60 engine users are also protected under the same scenario, but also require program heuristics.  The detection name varies with DAT file version and engine, and will be along the lines of W32/Generic or New Worm.

The virus is detected as W32/Generic.worm!irc This worm attempts to spread via Microsoft Outlook, and Internet Relay Chat. The worm also terminates security software, contains a Denial of Service attack payload, a web page overwriting payload, and disables the registry editor and task manager. The virus may be received in an email message as follows:

    Subject : (one of the following)
  • Your Account Infomation.
  • Your Account is on hold.
  • Your Account has been suspended.
  • Account Infomation.
  • Account Invoice.
  • Email Account Infomation.
  • This quaters invoice.
  • Account Billing Information.
  • YOUR ACCOUNT REF:
  • ORDER CONFIRMATION:
  • Account,is on hold.
    Body :
  • Dear Sir,

Followed by

  • Please can you check that your account information is up to date.
    Your details are attached to this email.
  • Please can you confirm that your account information is correct.
    Your current details are attached to this email.
  • Please find attached this quaters invoice for your Internet Account. 
  • Please find your details attached. Thank you.
    Details are attached to this email. 

Followed by

  • Regards, Billing Team.
    Regards, Support Team.
    Attachment : (one of the following)
  • Account Invoice.Doc.exe
  • Your Account.Doc.exe
  • Account Details.Doc.exe
  • Your Account Info.Doc.exe
  • Account Information.Doc.exe
  • Billing Information.Doc.exe
  • Invoice.Doc.exe
  • Account Update.Doc.exe
  • Account Status.Doc.exe
  • Your Account Status.exe

For example:

When the attachment is run (manually accessed with the mouse or keyboard), the virus attempts to copy itself to the PROGRA~1 (Program Files) directory as ACCOUNT_DETAILS.DOC.exe. This failed during testing. A registry key is created to load this, non-existent, file:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "Windows Task Manager" = c:\progra~1\ACCOUNT_DETAILS.DOC.exe
A file named WIN32.SORT-IT-OUT-BLAIR.TXT is created on the root directory of the C: drive. This file contains the following text:
  • Infected by the WIN32.SORT-IT-OUT-BLAIR Virus!
The virus contains a payload to overwrite the following files with this text:
  • c:\inetpub\wwwroot\default.asp
  • c:\inetpub\wwwroot\default.htm
  • c:\inetpub\wwwroot\default.html
  • c:\inetpub\wwwroot\index.asp
  • c:\inetpub\wwwroot\index.htm
  • c:\inetpub\wwwroot\index.html
The mIRC script is overwritten with instructions to send the virus to users who join the same channel as the infected user. The following message is sent along with the virus:
    Hey, Do you want to take part of the iRC chain mail world record? If so all you have to do is load up the program add your irc nick and press submit! Just rename the file from .irc to .exe and your ready to go!
The following registry keys are created to disable the registry editor and task manager:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Policies\System "DisableRegistryTools" = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Policies\System "DisableTaskMgr" = 1
On the 11th of the month, an ICMP denial of service attack is launched on the domain www.number-10.gov.uk .
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.