Virus Profile: W32/Supova.d.worm

Threat Search
Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 7/18/2002
Date Added: 7/30/2002
Origin: United States
Length: 14,336 bytes
Type: Virus
Subtype: P2P Worm
DAT Required: 4214
Removal Instructions


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of the following files in the WINDOWS directory:

  • Desktop-shooting.exe
  • Hello-Kitty.exe
  • BigMac.exe
  • Cheese-Burger.exe
  • Blaargh.exe

Presence of the files mentioned in the C:\Windows\Media folder.

Methods of Infection

This worm attempts to use the KaZaa file-sharing network and MSN Messenger instant messaging network to spread. The worm cannot propagate on it's own without either of these programs installed on the local system. It does not contain any other payload other than to propagate.


W32.Supova.B.worm (Symantec), W32/Supova.E (Panda), Win32.Kitty.d (ESafe), Win32.Supova.D.pac (VET), Worm.P2P.Surnova.d (AVP)

Virus Characteristics

The Low-Profiled risk assessment of this threat was due to media attention.

This is a minor variant of W32/Supova, and is generically identified as W32/Supova.Worm with current engine and definitions.

This worm is designed to propagate through the KaZaa peer-to-peer file-sharing network and MSN Messenger. It attempts to lure KaZaa users into downloading and running itself by posing as software titles that users may find enticing.

When run, the worm displays a bogus error message:

It then copies itself to the C:\Windows\Media folder as the following file names:

  • a.exe
  • age of empires 2 crack.exe
  • key generator (works!!).exe
  • britney spears hard porn (real!).exe
  • britney spears nude.exe
  • cable modem uncapper.exe
  • christina aguilera fuck (real!).exe
  • clonecd + crack.exe
  • clonecd all-versions key generator.exe
  • copy protection remover.exe
  • crazy taxi crack.exe
  • divx codec v6.0.exe
  • divx newest version.exe
  • divx patch - increases quality.exe
  • divx pro key generator.exe
  • divx.exe
  • doom 3 preview!!.exe
  • doom 3 screenshots.exe
  • dragonball z complete episode guide.exe
  • dragonball z episode 1.exe
  • dragonball z shootout.exe
  • dragonball z.exe
  • gamecube emulator (works!!).exe
  • grand prix 4 crack.exe
  • grand theft auto 3 cd1 crack.exe
  • grand theft auto 3 trainer.exe
  • gta3 crack.exe
  • hack into any computer!!.exe
  • half-life online key generator.exe
  • half-life won key generator.exe
  • jedi knight 2 crack.exe
  • j-lo nude (real!!).exe
  • kazaa hack.exe
  • kazaa lite.exe
  • kazaa media desktop v2.0 unofficial.exe
  • kazaa spyware remover.exe
  • key generator for all windows xp versions.exe
  • key generator for over 1,000 applications (really!).exe
  • kiddy child incest porn.exe
  • macromedia dreamweaver mx key generator.exe
  • macromedia flash mx key generator.exe
  • macromedia mx key generator (all products).exe
  • microsoft key generator, works for all microsoft products!!.exe
  • microsoft office xp (english) key generator.exe
  • microsoft office xp.iso.exe
  • microsoft windows xp crack pack.exe
  • neverwinter nights crack.exe
  • nokia simlock remover (includes new models).exe
  • norton antivirus 2002.exe
  • quake 4 beta.exe
  • resident evil [divx].exe
  • sex.exe
  • shrek.exe
  • star wars episode 2 downloader.exe
  • starcraft 2 preview!.exe
  • starcraft key generator.exe
  • starcraft online crack.exe
  • warcraft 3 serial generator.exe
  • warcraft 3 online key generator.exe
  • warcraft 3 trainer.exe
  • windows xp key generator.exe
  • windows xp serial generator.exe
  • winrar + crack.exe
  • winzip 8.0 + serial.exe
  • xbox emulator (works!!).exe

A copy is also saved to the WINDOWS directory as BigMac.exe. A registry run key is created to load the worm at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

A text file is saved to the WINDOWS directory with a random 11-character name that reads:

W32.Supernova - Ban religion
Religion = War
Religion = Based on fairytales
Wars based on fairytales?
Ban religion, welcome to the truth

    The worm also attempts to use MSN Messenger to send itself to users on the contact list. However, this functionality did not work properly during testing. The worm is designed to send one of the following messages to MSN Messenger users:
    • Hehe, check this out :-)
    • Funny, check it out
    • LOL!! See this :D
    • LOL!! Check this out :)
    • Hehe, this is fun :-)

    This worm contains 2 payloads. One activates on the 5th of the month and uses PING as a denial of service attack against three Internet domains:

    The other payload activates on the 7th of the month and displays several message boxes and deletes all files in the %WinDir%, %WinDir%\System, and %WinDir%\System32 folders.


    All Users:

    Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

    1.Disable System Restore .

    2.Update to current engine and DAT files for detection and removal.

    3.Run a complete system scan.

    Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

    1. Please go to the Microsoft Recovery Console and restore a clean MBR.

    On windows XP:

    Insert the Windows XP CD into the CD-ROM drive and restart the computer.
    When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
    Select the Windows installation that is compromised and provide the administrator password
    Issue 'fixmbr' command to restore the Master Boot Record
    Follow onscreen instructions
    Reset and remove the CD from CD-ROM drive.

    On Windows Vista and 7:

    Insert the Windows CD into the CD-ROM drive and restart the computer.
    Click on "Repair Your Computer"
    When the System Recovery Options dialog comes up, choose the Command Prompt.
    Issue 'bootrec /fixmbr' command to restore the Master Boot Record
    Follow onscreen instructions
    Reset and remove the CD from CD-ROM drive.


    PC Infected? Get Expert Help

    Virus Removal Service

    Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!