Virus Profile: W32/Amus.a@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 13/09/2004
Date Added: 13/09/2004
Origin: Unknown
Length: 73561 bytes
Type: Virus
Subtype: Internet Worm
DAT Required: 4253
Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Current versions of Outlook will display a warning that an external application is trying to access the Address Book and to send mail on your behalf, and that the mail carries a potentially dangerous attachment.

Methods of Infection

The worm arrives via email. It does not make use of any exploit; the recipient has to execute the attachment manually.

Virus Characteristics

-- Update September 14th, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://news.zdnet.com/2100-1009_22-5363988.html

--

Proactive detection: Products running the 4.2.40 engine with the 4253 DATs (03/19/2004) or greater detect this threat as "virus or variant W32/Generic.a@MM" (with scanning of compressed files enabled).

4314 DATs (01/14/2004) are required for complete removal of this worm.

This worm spreads by email using MAPI/Outlook. It harvests target addresses from the Windows Address Book (WAB) and sends a message with the following characteristics:

Subject: Listen and Smile

Body: Hey. I beg your pardon. You must listen.

Attachment: masum.exe


On Windows XP, the worm calls the Microsoft Speech engine and the user will hear this message:

  • How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule.

A playback of the message was available for download on the original page (72 KB MP3).

The worm creates this registry key, so it gets executed each time the system starts:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microzoft_Ofiz" = %windir%\KdzEregli.exe

It also creates this key:

  • HKEY_CURRENT_USER\Software\Microsoft\Masum
    "Who" = OnEmLi_DeGiL

and copies itself to the following locations:

  • C:\Masum.exe
  • C:\WINDOWS\Adapazari.exe
  • C:\WINDOWS\Ankara.exe
  • C:\WINDOWS\Anti_Virus.exe
  • C:\WINDOWS\Cekirge.exe
  • C:\WINDOWS\KdzEregli.exe
  • C:\WINDOWS\Messenger.exe
  • C:\WINDOWS\Meydanbasi.exe
  • C:\WINDOWS\My_Pictures.exe
  • C:\WINDOWS\Pide.exe
  • C:\WINDOWS\Pire.exe
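As an added defender-side check (not part of this profile and not McAfee's tooling), the following PowerShell script looks for the startup hook, the marker key and the dropped copies listed above; it assumes Windows PowerShell on the affected host, uses %windir% and the system drive rather than hard-coded C:\WINDOWS, and only reports, removing nothing.

```powershell
# Host check for the W32/Amus.a@MM indicators given in this profile.
# Added example; registry paths, value names and file names are taken from the profile above.
# Run from an elevated prompt so HKLM and %windir% are fully readable.

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue  = 'Microzoft_Ofiz'                     # startup hook value name from the profile
$markerKey = 'HKCU:\Software\Microsoft\Masum'    # infection marker key from the profile
$windir    = $env:windir

# Dropped copies: Masum.exe in the drive root, the rest in the Windows directory.
$names = 'Adapazari.exe','Ankara.exe','Anti_Virus.exe','Cekirge.exe','KdzEregli.exe',
         'Messenger.exe','Meydanbasi.exe','My_Pictures.exe','Pide.exe','Pire.exe'
$dropped  = @("$env:SystemDrive\Masum.exe")
$dropped += $names | ForEach-Object { Join-Path $windir $_ }

$findings = @()

# 1. Startup hook: Run value "Microzoft_Ofiz" (profile says it points at %windir%\KdzEregli.exe).
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$runValue]) {
    $findings += "Run value '$runValue' = $($run.$runValue)"
}

# 2. Marker key HKCU\Software\Microsoft\Masum with "Who" = OnEmLi_DeGiL.
if (Test-Path -Path $markerKey) {
    $who = (Get-ItemProperty -Path $markerKey -ErrorAction SilentlyContinue).Who
    $findings += "Marker key present, Who = '$who'"
}

# 3. Dropped copies; the profile lists the sample length as 73561 bytes, so flag a size match.
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) {
        $len  = (Get-Item -LiteralPath $p).Length
        $note = if ($len -eq 73561) { ', matches profile length' } else { '' }
        $findings += "File present: $p ($len bytes$note)"
    }
}

if ($findings.Count -eq 0) {
    'No W32/Amus.a@MM indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A hit on one indicator alone (for example a %windir%\Messenger.exe of a different size) is not proof of infection; confirm with a current engine and DAT scan as the removal instructions direct.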

Payload:

The worm tries to delete files from the Windows directory, based on the system date:

  • *.DLL on the 2nd, 15th and 17th of each month.
  • *.INI on the 10th and 23rd of each month.
Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations
