Virus Profile: W32/Floodnet@MM

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 5/1/2002
Date Added: 5/7/2002
Origin: Unknown
Length: 228,352 bytes
Type: Virus
Subtype: Remote Access
DAT Required: 4200

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

- Presence of %WinDir%\KERNEL32.EXE (228,352 bytes)
- A fake error message may be displayed

Methods of Infection

This virus arrives as a UPX packed Delphi executable. When run, it acts as a remote access server and worm.

Aliases

Backdoor.Delf.bd (AVP), Trojan/FldNet.A (Panda), W32.Tendoolf (Symantec), Win32/Cute.Worm (CA), WORM_TENDOOLF.A (Trend)

Virus Characteristics

This threat has a risk assessment of Low-Profiled because media interest was sparked by a recent news report on Incidents.org.

This is a remote access trojan and worm. When run, it attempts to send a message to the alias "All Users" using Microsoft Outlook. If this address is not present in a local or global address book, or is not an alias on the specified SMTP server, the message will not be sent. Otherwise, the following message is sent:

Subject: Thoughts...
Body: I just found this program, and, i dont know why...but it reminded me of you. check it out.
Attachment: Cute.exe (228,352 bytes)

When the attachment is run, a copy is saved to the WINDOWS directory and 2 registry keys are created:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows=C:\WINDOWS\KERNEL32.EXE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows=C:\WINDOWS\KERNEL32.EXE

Two INI keys are also created:

  • SYSTEM.INI - [boot]\shell=explorer.exe C:\WINDOWS\KERNEL32.EXE
  • WIN.INI - [windows]\load=C:\WINDOWS\KERNEL32.EXE

The worm looks for the following security programs (including anti-virus and firewall programs) in memory and terminates them if found:
  • Anti-Trojan.exe
  • ANTS.EXE
  • APLICA32.EXE
  • AVCONSOL.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPM.EXE
  • blackd.exe
  • blackice.exe
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • cleaner.exe
  • cleaner3.exe
  • expl32.exe
  • FRW.EXE
  • iamapp.exe
  • iamserv.exe
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • LIBUPDATE.EXE
  • lockdown2000.exe
  • minilog.exe
  • MooLive.exe
  • MPGSRV32.EXE
  • Mssmmc32.exe
  • NAVAPW32.EXE
  • NAVW32.EXE
  • nvarch16.exe
  • PCFWallIcon.EXE
  • RunDii.exe
  • RunDIl.exe
  • rundli.exe
  • SAFEWEB.EXE
  • Sphinx.exe
  • tca.exe
  • TDS2-.EXE
  • TEMP.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • vsmon.exe
  • VSSTAT.EXE
  • WEBSCANX.EXE
  • WinDll.exe
  • WrAdmin.exe
  • WrCtrl.exe
  • zonealarm.exe

Terminating these processes helps conceal the actions of this threat. The .VX extension is also registered on the system as an executable type, with NeverShowExt set so that Explorer hides the extension:
  • HKEY_CLASSES_ROOT\.vx\(Default)=exefile
  • HKEY_CLASSES_ROOT\.vx\Content Type=application/x-msdownload
  • HKEY_CLASSES_ROOT\.vx\NeverShowExt=

An attacker can send various commands to the infected machine. The commands include:
  • Sending instant messages via MSN Messenger and AOL Instant Messenger
  • Sending email
  • Flood commands, to initiate a denial of service attack
  • Various IRC commands (join/part channels, privmsg, etc)
  • FTP commands (file access, copy, move, delete)
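The startup hooks listed above (the two Run/RunServices values, the SYSTEM.INI shell line, the WIN.INI load line and the .vx file-type registration) are a compact set of host indicators. The following is an added example, not code from the profile or from McAfee, showing how a defender could check exported registry values and INI text for exactly those hooks. The registry input format (a dict of `(key_path, value_name) -> data`) and the sample entries are constructed for the example; the check keys on the file name KERNEL32.EXE because Windows ships kernel32 only as a DLL, never as an .EXE.

```python
import configparser

# Startup locations named in the profile. KERNEL32.EXE is not a Windows
# binary (the legitimate file is kernel32.dll), so its presence in any
# of these locations is treated as a finding.
SUSPECT_IMAGE = "kernel32.exe"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
VX_KEY = r"HKEY_CLASSES_ROOT\.vx"


def _ini_value(text, section, option):
    """Read one option from INI text; tolerate duplicate keys and bare lines."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    return cp.get(section, option, fallback="") or ""


def find_floodnet_hooks(registry, system_ini, win_ini):
    """registry: {(key_path, value_name): data} (assumed export format).
    Returns a list of readable findings; an empty list means no hooks seen."""
    hits = []
    for key in RUN_KEYS:
        data = registry.get((key, "Windows"), "")
        if SUSPECT_IMAGE in data.lower():
            hits.append(f"{key}\\Windows = {data}")
    if registry.get((VX_KEY, ""), "") == "exefile":
        hits.append(f"{VX_KEY} maps .vx to exefile")
    shell = _ini_value(system_ini, "boot", "shell")
    if SUSPECT_IMAGE in shell.lower():
        hits.append(f"SYSTEM.INI [boot] shell={shell}")
    load = _ini_value(win_ini, "windows", "load")
    if SUSPECT_IMAGE in load.lower():
        hits.append(f"WIN.INI [windows] load={load}")
    return hits


# Constructed samples mirroring the profile's entries (not captured from a real host).
INFECTED_REGISTRY = {
    (RUN_KEYS[0], "Windows"): r"C:\WINDOWS\KERNEL32.EXE",
    (RUN_KEYS[1], "Windows"): r"C:\WINDOWS\KERNEL32.EXE",
    (VX_KEY, ""): "exefile",
}
INFECTED_SYSTEM_INI = "[boot]\nshell=explorer.exe C:\\WINDOWS\\KERNEL32.EXE\n"
INFECTED_WIN_INI = "[windows]\nload=C:\\WINDOWS\\KERNEL32.EXE\nrun=\n"
CLEAN_SYSTEM_INI = "[boot]\nshell=explorer.exe\n"
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n"

if __name__ == "__main__":
    for finding in find_floodnet_hooks(INFECTED_REGISTRY, INFECTED_SYSTEM_INI, INFECTED_WIN_INI):
        print("HOOK:", finding)
```

On a live host the same checks apply to the current registry and to %WinDir%\SYSTEM.INI and WIN.INI; the Run and RunServices values survive reboot, so a hit should be paired with the file check from the Indication of Infection section.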

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations