Virus Profile: W32/Mydoom.ab@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 9/15/2004
Date Added: 9/14/2004
Origin: Unknown
Length: 69,632 bytes
Type: Virus
Subtype: E-mail worm
DAT Required: 4391

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Existence of the files and registry entries listed in the Virus Characteristics section
  • The worm attempts to shut down the following services on the infected machine:
    • IBMAVSP.EXE
    • ICLOAD95.EXE
    • ICLOADNT.EXE
    • ICMON.EXE
    • ICSSUPPNT.EXE
    • ICSUPP95.EXE
    • ICSUPPNT.EXE
    • IDLE.EXE
    • IEDLL.EXE
    • IEDRIVER.EXE
    • IFACE.EXE
    • IFW2000.EXE
    • INETLNFO.EXE
    • INFUS.EXE
    • INFWIN.EXE
    • INIT.EXE
    • INTDEL.EXE
    • INTREN.EXE
    • IOMON98.EXE
    • IPARMOR.EXE
    • IRIS.EXE
    • ISASS.EXE
    • ISRV95.EXE
    • ISTSVC.EXE
    • JAMMER.EXE
    • jammer2nd.exe
    • JDBGMRG.EXE
    • JEDI.EXE
    • KAVLITE40ENG.EXE
    • KAVPERS40ENG.EXE
    • KAVPF.EXE
    • KEENVALUE.EXE
    • KERIO-PF-213-EN-WIN.EXE
    • KERIO-WRL-421-EN-WIN.EXE
    • KERIO-WRP-421-EN-WIN.EXE
    • KERNEL32.EXE
    • KILLPROCESSSETUP161.EXE
    • LAUNCHER.EXE
    • LDNETMON.EXE
    • LDPRO.EXE
    • LDPROMENU.EXE
    • LDSCAN.EXE
    • LNETINFO.EXE
    • LOADER.EXE
    • LOCALNET.EXE
    • LOCKDOWN.EXE
    • LOCKDOWN2000.EXE
    • LOOKOUT.EXE
    • LORDPE.EXE
    • LSETUP.EXE
    • LUALL.EXE
    • LUAU.EXE
    • LUCOMSERVER.EXE
    • LUINIT.EXE
    • LUSPT.EXE
    • MAPISVC32.EXE
    • MCAGENT.EXE
    • MCMNHDLR.EXE
    • MCSHIELD.EXE
    • MCTOOL.EXE
    • MCUPDATE.EXE
    • MCVSRTE.EXE
    • MCVSSHLD.EXE
    • MD.EXE
    • MFIN32.EXE
    • MFW2EN.EXE
    • MFWENG3.02D30.EXE
    • MGAVRTCL.EXE
    • MGAVRTE.EXE
    • MGHTML.EXE
    • MGUI.EXE
    • MINILOG.EXE
    • MMOD.EXE
    • MONITOR.EXE
    • MOOLIVE.EXE
    • MOSTAT.EXE
    • MPFAGENT.EXE
    • MPFSERVICE.EXE
    • MPFTRAY.EXE
    • MRFLUX.EXE
    • MSAPP.EXE
    • MSBB.EXE
    • MSBLAST.EXE
    • MSCACHE.EXE
    • MSCCN32.EXE
    • MSCMAN.EXE
    • MSCONFIG.EXE
    • MSDM.EXE
    • MSDOS.EXE
    • MSIEXEC16.EXE
    • MSINFO32.EXE
    • MSLAUGH.EXE
    • MSMGT.EXE
    • MSMSGRI32.EXE
    • MSSMMC32.EXE
    • msssss.exe
    • MSSYS.EXE
    • MSVXD.EXE
    • MU0311AD.EXE
    • MWATCH.EXE
    • N32SCANW.EXE
    • NAV.EXE
    • NAVAP.NAVAPSVC.EXE
    • NAVAPSVC.EXE
    • NAVAPW32.EXE
    • NAVDX.EXE
    • NAVENGNAVEX15.NAVLU32.EXE
    • NAVLU32.EXE
    • NAVNT.EXE
    • NAVSTUB.EXE
    • NAVW32.EXE
    • NAVWNT.EXE
    • NC2000.EXE
    • NCINST4.EXE
    • NDD32.EXE
    • NEOMONITOR.EXE
    • NEOWATCHLOG.EXE
    • NETARMOR.EXE
    • NETD32.EXE
    • NETINFO.EXE
    • NETMON.EXE
    • NETSCANPRO.EXE
    • NETSPYHUNTER-1.2.EXE
    • NETUTILS.EXE
    • NISSERV.EXE
    • NISUM.EXE
    • NMAIN.EXE
    • NOD32.EXE
    • NORMIST.EXE
    • NORTON_INTERNET_SECU_3.0_407.EXE
    • NOTSTART.EXE
    • NPF40_TW_98_NT_ME_2K.EXE
    • NPFMESSENGER.EXE
    • NPROTECT.EXE
    • NPSCHECK.EXE
    • NPSSVC.EXE
    • NSCHED32.EXE
    • NSSYS32.EXE
    • NSTASK32.EXE
    • NSUPDATE.EXE
    • NT.EXE
    • NTRTSCAN.EXE
    • NTXconfig.EXE
    • NUI.EXE
    • NUPGRADE.EXE
    • NVARCH16.EXE
    • NVC95.EXE
    • NWINST4.EXE
    • NWSERVICE.EXE
    • NWTOOL16.EXE
    • OLLYDBG.EXE
    • ONSRVR.EXE
    • OPTIMIZE.EXE
    • OSTRONET.EXE
    • OTFIX.EXE
    • OUTPOST.EXE
    • OUTPOSTINSTALL.EXE
    • OUTPOSTPROINSTALL.EXE
    • PADMIN.EXE
    • PANIXK.EXE
    • PATCH.EXE
    • PAVCL.EXE
    • PAVPROXY.EXE
    • PAVSCHED.EXE
    • PAVW.EXE
    • PCC2002S902.EXE
    • PCC2K_76_1436.EXE
    • PCCIOMON.EXE
    • PCCNTMON.EXE
    • PCCWIN97.EXE
    • PCCWIN98.EXE
    • PCDSETUP.EXE
    • PCFWALLICON.EXE
    • PCIP10117_0.EXE
    • PCSCAN.EXE
    • PDSETUP.EXE
    • PENIS.EXE
    • PERISCOPE.EXE
    • PERSFW.EXE
    • PERSWF.EXE
    • PF2.EXE
    • PFWADMIN.EXE
    • PGMONITR.EXE
    • PINGSCAN.EXE
    • PLATIN.EXE
    • POP3TRAP.EXE
    • POPROXY.EXE
    • POPSCAN.EXE
    • PORTDETECTIVE.EXE
    • PORTMONITOR.EXE
    • POWERSCAN.EXE
    • PPINUPDT.EXE
    • PPTBC.EXE
    • PPVSTOP.EXE
    • PRIZESURFER.EXE
    • PRMT.EXE
    • PRMVR.EXE
    • PROCDUMP.EXE
    • PROCESSMONITOR.EXE
    • PROCEXPLORERV1.0.EXE
    • PROGRAMAUDITOR.EXE
    • PROPORT.EXE
    • PROTECTX.EXE
    • PSPF.EXE
    • PURGE.EXE
    • PUSSY.EXE
    • PVIEW95.EXE
    • QCONSOLE.EXE
    • QSERVER.EXE
    • RAPAPP.EXE
    • rasmngr.exe
    • RAV7.EXE
    • RAV7WIN.EXE
    • RAV8WIN32ENG.EXE
    • RAVMOND.exe
    • RAY.EXE
    • RB.EXE
    • RB32.EXE
    • RCSYNC.EXE
    • REALMON.EXE
    • REGED.EXE
    • RESCUE.EXE
    • RESCUE32.EXE
    • RRGUARD.EXE
    • RSHELL.EXE
    • RTVSCAN.EXE
    • RTVSCN95.EXE
    • RULAUNCH.EXE
    • RUNDLL.EXE
    • RUNDLL16.EXE
    • RUXDLL32.EXE
    • SAFEWEB.EXE
    • SAHAGENT.EXE
    • SAVE.EXE
    • SAVENOW.EXE
    • SBSERV.EXE
    • SC.EXE
    • SCAM32.EXE
    • SCAN32.EXE
    • SCAN95.EXE
    • SCANPM.EXE
    • SCRSCAN.EXE
    • SCRSVR.EXE
    • SD.EXE
    • SERV95.EXE
    • SERVLCE.EXE
    • SERVLCES.EXE
    • SETUP_FLOWPROTECTOR_US.EXE
    • SETUPVAMEEVAL.EXE
    • SFC.EXE
    • SGSSFW32.EXE
    • SH.EXE
    • SHELLSPYINSTALL.EXE
    • SHN.EXE
    • SHOWBEHIND.EXE
    • SMC.EXE
    • SMS.EXE
    • SMSS32.EXE
    • SOAP.EXE
    • SOFI.EXE
    • SPERM.EXE
    • SPF.EXE
    • SPHINX.EXE
    • SPOOLCV.EXE
    • SPOOLSV32.EXE
    • SPYXX.EXE
    • SREXE.EXE
    • SRNG.EXE
    • SS3EDIT.EXE
    • SSG_4104.EXE
    • SSGRATE.EXE
    • ssgrate.exe
    • ST2.EXE
    • START.EXE
    • STCLOADER.EXE
    • SUPFTRL.EXE
    • SUPPORT.EXE
    • SUPPORTER5.EXE
    • SVC.EXE
    • SVCHOSTC.EXE
    • SWEEP95.EXE
    • SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
    • SYMPROXYSVC.EXE
    • SYMTRAY.EXE
    • SYSEDIT.EXE
    • SYSTEM.EXE
    • SYSTEM32.EXE
    • Systra.exe
    • SYSUPD.EXE
    • sysxp.exe
    • taskmanagr.exe
    • TASKMO.EXE
    • TASKMON.EXE
    • TAUMON.EXE
    • TBSCAN.EXE
    • TC.EXE
    • TCA.EXE
    • TCM.EXE
    • TDS2-98.EXE
    • TDS2-NT.EXE
    • TDS-3.EXE
    • TEEKIDS.EXE
    • TFAK.EXE
    • TFAK5.EXE
    • TGBOB.EXE
    • TITANIN.EXE
    • TITANINXP.EXE
    • TRACERT.EXE
    • TRICKLER.EXE
    • TRJSCAN.EXE
    • TRJSETUP.EXE
    • TROJANTRAP3.EXE
    • TSADBOT.EXE
    • TVMD.EXE
    • TVTMD.EXE
    • UNDOBOOT.EXE
    • UPDAT.EXE
    • UPDATE.EXE
    • UPGRAD.EXE
    • UTPOST.EXE
    • VBCMSERV.EXE
    • VBCONS.EXE
    • VBUST.EXE
    • VBWIN9X.EXE
    • VBWINNTW.EXE
    • VCSETUP.EXE
    • VET32.EXE
    • VET95.EXE
    • VETTRAY.EXE
    • VFSETUP.EXE
    • VIR-HELP.EXE
    • VIRUSMDPERSONALFIREWALL.EXE
    • VisualGuard.exe
    • VNLAN300.EXE
    • VNPC3000.EXE
    • VPC32.EXE
    • VPC42.EXE
    • VPFW30S.EXE
    • VPTRAY.EXE
    • VSCAN40.EXE
    • VSCENU6.02D30.EXE
    • VSCHED.EXE
    • VSECOMR.EXE
    • VSHWIN32.EXE
    • VSISETUP.EXE
    • VSMAIN.EXE
    • VSMON.EXE
    • VSSTAT.EXE
    • VSWIN9XE.EXE
    • VSWINNTSE.EXE
    • VSWINPERSE.EXE
    • W32DSM89.EXE
    • W9X.EXE
    • WATCHDOG.EXE
    • WEBDAV.EXE
    • WEBSCANX.EXE
    • WEBTRAP.EXE
    • WFINDV32.EXE
    • WGFE95.EXE
    • WHOSWATCHINGME.EXE
    • WIMMUN32.EXE
    • WIN32.EXE
    • WIN32US.EXE
    • WINACTIVE.EXE
    • WIN-BUGSFIX.EXE
    • WINDOW.EXE
    • WINDOWS.EXE
    • WININETD.EXE
    • WININIT.EXE
    • WININITX.EXE
    • WINLOGIN.EXE
    • WINMAIN.EXE
    • WINPPR32.EXE
    • WINRECON.EXE
    • WINSSK32.EXE
    • WINSTART.EXE
    • WINSTART001.EXE
    • WINTSK32.EXE
    • WINUPDATE.EXE
    • winxp.exe
    • WKUFIND.EXE
    • WNAD.EXE
    • WNT.EXE
    • wowpos32.exe
    • WRADMIN.EXE
    • WRCTRL.EXE
    • wuamga.exe
    • wuamgrd.exe
    • WUPDATER.EXE
    • WUPDT.EXE
    • WYVERNWORKSFIREWALL.EXE
    • XPF202EN.EXE
    • ZAPRO.EXE
    • ZAPSETUP3001.EXE
    • ZATUTOR.EXE
    • ZONALM2601.EXE
    • ZONEALARM.EXE

Methods of Infection

This worm tries to spread via email and by sending itself through ICQ networks if they are present.

The mailing component harvests addresses from the local system. Files with the following extensions are targeted:

  • asp
  • cfg
  • cgi
  • dbx
  • dht
  • eml
  • htm
  • jsp
  • mbx
  • mht
  • msg
  • php
  • sht
  • stm
  • tbb
  • txt
  • uin
  • wab
  • xls

The worm avoids certain addresses, namely those containing the following strings:

  • .gov
  • .mil
  • @foo.
  • @iana
  • abuse
  • accoun
  • acketst
  • admin
  • antivi
  • anyone
  • arin.
  • avp.
  • berkeley
  • borlan
  • bsd
  • certific
  • contact
  • example
  • feste
  • fido
  • fsf.
  • gnu
  • gold-certs
  • google
  • gov.
  • help
  • iana
  • ibm.com
  • icq.com
  • icrosof
  • icrosoft
  • ietf
  • info
  • inpris
  • isc.o
  • isi.e
  • kasp
  • kernel
  • linux
  • listserv
  • math
  • messagelabs
  • mit.e
  • mozilla
  • mydomai
  • news
  • nobody
  • nodomai
  • noone
  • noreply
  • nothing
  • ntivi
  • panda
  • pgp
  • postmaster
  • privacy
  • rating
  • rfc-ed
  • ripe.
  • root
  • ruslis
  • samples
  • secur
  • sendmail
  • service
  • site
  • somebody
  • someone
  • sopho
  • spam
  • submit
  • support
  • syman
  • tanford.e
  • unix
  • upport
  • usenet
  • utgers.ed
  • webmaster
  • www

Virus Characteristics

This is a mass-mailing worm that bears the following characteristics:
  • contains its own SMTP engine to construct outgoing messages
  • harvests target email addresses from the victim machine
  • forges the "From" header of outgoing messages
  • downloads BackDoor-CEB.e over HTTP
  • sends itself as a link through ICQ networks
  • shuts down security services

The virus arrives in an email message as follows:

From: (Spoofed email sender)

Do not assume that the sender address is an indication that the sender is infected. Additionally, you may receive alert messages from a mail server stating that you are infected, which may not be the case.

The sender address is constructed from a list of common names and email domains hardcoded into the virus body. Below is the list of email domains used to forge the email sender's address.

  • @1access.net
  • @a1isp.net
  • @accessus.net
  • @address.com
  • @ameralinx.net
  • @aol.com
  • @apci.net
  • @arczip.com
  • @aristotle.net
  • @att.net
  • @cableone.net
  • @cais.com
  • @canada.com
  • @cayuse.net
  • @ccp.com
  • @ccpc.net
  • @chello.com
  • @compuserve.com
  • @core.com
  • @cox.net
  • @cybernex.net
  • @dailymail.co.uk
  • @dialupnet.com
  • @earthlink.net
  • @eclipse.net
  • @eisa.com
  • @ev1.net
  • @excite.com
  • @fast.net
  • @fcc.net
  • @flex.com
  • @gbronline.com
  • @globalbiz.net
  • @globetrotter.net
  • @gmx.net
  • @highstream.net
  • @hiwaay.net
  • @hotmail.com
  • @ieway.com
  • @inext.fr
  • @infoave.net
  • @iquest.net
  • @isp.com
  • @ispwest.com
  • @istep.com
  • @juno.com
  • @loa.com
  • @macconnect.com
  • @madriver.com
  • @mail.com
  • @msn.com
  • @nccw.net
  • @netcenter.com
  • @netrox.net
  • @netzero.net
  • @pacific.net.sg
  • @palm.net
  • @pathlink.com
  • @peoplepc.com
  • @pics.com
  • @rcn.com
  • @ricochet.com
  • @surfree.com
  • @tiscali.com
  • @toad.net
  • @t-online.com
  • @t-online.de
  • @ultimanet.com
  • @verizon.net
  • @wanadoo.com
  • @worldcom.com
  • @worldshare.net
  • @wwc.com
  • @yahoo.co.uk
  • @yahoo.com
  • @ziplink.net

Subject: (Varies, such as)

  • do you know this girl?
  • do you know this people?
  • do you know this ppl?
  • Is it your photo?
  • LOOK!
  • my new photos
  • with best wishes
  • a lot of fun.
  • Hello...Funny pic...hehehe
  • I've never seen this before. Look at that !
  • Look :)
  • Hello!
  • have you seen this before?
  • Loool!! :-)
  • fun
  • fun pictures
  • Re[2]:fun pictures
  • Re:fun pictures
  • FW:fun pictures
  • Re[2]:COOL!
  • Re:COOL!
  • FW:COOL!
  • Re[2]:cool
  • Re:cool
  • FW:cool
  • Re[2]:
  • Re:
  • FW:
  • :)
  • :))
  • FW: Cool
  • LOOK!
  • new photos
  • 2 new photos
  • hi, it's me
  • it's me
  • (no subject)
  • that's me :-D
  • my photos
  • hello sweety :>
  • hi
  • remember me?..
  • FW: jenna's photos :)
  • FW: new photos
  • FW: 2 new photos
  • FW: hi, it's me
  • FW: it's me
  • FW: (no subject)
  • FW: that's me :-D
  • FW: my photos
  • FW: hello sweety :>
  • FW: hi
  • FW: remember me?..

Body: (Varies, such as)

  • -----Original Message-----
    From: Jeny K.
    Sent: Monday, September 13, 2004 8:57 PM
    To: Morpheus
    check my new photos
    :))
    miss you, jeny k
  • -----Original Message-----
    From: Jena K.
    Sent: Monday, September 13, 2004 5:23 AM
    To: friends
    Check Out Archive.. So.. What Do You Think... Am I Hot? :)
    Waining For Your Answer
    Jena Key
  • -----Original Message-----
    From: jenny k.
    Sent: Monday, September 13, 2004 10:23 AM
    To: My Tiger (e-mail)
    new fotos(archived) you asked
    jenny k
  • -----Original Message-----
    From: jenna k. (e-mail)
    Sent: Monday, September 13, 2004 11:38 AM
    To: Cat
    my new fotos archived ))
    kiss, jenna k
  • -----Original Message-----
    From: Jeny
    Sent: Monday, September 13, 2004 8:57 PM
    To: Neo
    see the photos in attached archive
    :))
    kiss you, jeny
  • -----Original Message-----
    From: Jena
    Sent: Monday, September 13, 2004 5:23 AM
    To: friend
    Photos in archive.. So.. Am I Hot? :)
    Waining For Your Answer
    Jena
  • -----Original Message-----
    From: Jenna Knukles
    Sent: Monday, September 13, 2004 9:05 AM
    To: Friends Group
    in self-extracting archive my photos
    Jenna :)
  • -----Original Message-----
    From: jenna (e-mail)
    Sent: Monday, September 13, 2004 11:38 AM
    To: ma kittie
    my photos archived ))
    kiss, jenna
  • fun flash game!
  • fun flash!
  • game!
  • fun game!
  • Print money at home!
  • look at atach
  • -----Original Message-----
    From: Jeny K.
    Sent: Monday, September 13, 2004 8:57 PM
    To: Morpheus
    check out the new photos
    :))
    miss you, jeny k
  • -----Original Message-----
    From: Jena K.
    Sent: Monday, September 13, 2004 5:23 AM
    To: friends
    So.. What Do You Think... Am I Hot? :)
    Waining For Your Answer
    Jena Key
  • -----Original Message-----
    From: Jenna Knukles
    Sent: Monday, September 13, 2004 9:05 AM
    in archive my new fotos
    Jenna K :)
  • -----Original Message-----
    From: jenny k.
    Sent: Monday, September 13, 2004 10:23 AM
    To: My Tiger (e-mail)
    new fotos you asked
    jenny k
  • -----Original Message-----
    From: jenna k. (e-mail)
    Sent: Monday, September 13, 2004 11:38 AM
    To: Cat
    my new fotos zipped ))
    kiss, jenna k
  • -----Original Message-----
    From: Jeny
    Sent: Monday, September 13, 2004 8:57 PM
    To: Neo
    see the photos
    :))
    kiss you, jeny
  • -----Original Message-----
    From: Jena
    Sent: Monday, September 13, 2004 5:23 AM
    To: friend
    So.. Am I Hot? :)
    Waining For Your Answer
    Jena
  • -----Original Message-----
    From: Jenna Knukles
    Sent: Monday, September 13, 2004 9:05 AM
    To: Friends Group
    in archive my photos
    Jenna :)
  • -----Original Message-----
    From: jenny
    Sent: Monday, September 13, 2004 10:23 AM
    To: Mr.X (e-mail)
    photos you asked
    jenny
  • -----Original Message-----
    From: jenna (e-mail)
    Sent: Monday, September 13, 2004 11:38 AM
    To: ma kittie
    my photos zipped ))
    kiss, jenna

Footer: (appended to the end of the email; varies, such as)

  • Norton AntiVirus - www.symantec.de
  • F-Secure AntiVirus - www.f-secure.com
  • Norman AntiVirus - www.norman.com
  • Panda AntiVirus - www.pandasoftware.com
  • Kaspersky AntiVirus - www.kaspersky.com
  • MC-Afee AntiVirus - www.mcafee.com
  • Bitdefender AntiVirus - www.bitdefender.com
  • MessageLabs AntiVirus - www.messagelabs.com

Attachment: (Varies - often arrives in a ZIP archive, for example)

  • myfoto.exe
  • photos.selfextracting.exe
  • photoarchive.exe
  • photofile.exe
  • arc.exe
  • my_foto.exe
  • fotos.exe
  • foto.exe
  • photos.exe.safe
  • photo_se.exe
  • new_photos.exe
  • newphotos.exe
  • myphotos_arc.exe
  • my_photos.exe
  • photos_arc.exe
  • myfoto.cpl
  • photoarchive.cpl
  • photofile.cpl
  • arc.cpl
  • my_foto.cpl
  • fotos.cpl
  • foto.cpl
  • photo_se.cpl
  • new_photos.cpl
  • newphotos.cpl
  • my_photos.cpl
  • photos_arc.cpl
  • arhive.zip
  • new_pic.zip
  • pic.zip
  • new_photos.zip
  • images.zip
  • fotos.zip
  • my_photos.zip
  • myphotos.zip
  • photos.zip
  • my_photo.jpg .pif
  • flowers.jpg .pif
  • document.jpg .pif
  • pic.jpg .pif
  • photo.jpg .pif
  • black.gif .pif
  • DCP_0002.JPG .pif
  • me_01.jpg .pif
  • 2004042301.jpg .pif
  • with_flowers.jpg .pif
  • sunny.jpg .pif
  • photo08.jpg .pif
  • nude_.jpg .pif
  • marie_dancing.jpg .pif
  • julia038.jpg .pif

In the case of two file extensions, multiple spaces may be inserted as well, for example:

  • julia038.jpg                                          .pif
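
The padded double-extension trick above works because Windows honours only the final extension, while a mail client that truncates long names shows the recipient just the harmless-looking first one. The following is an added example (not McAfee's code, and not part of the original profile) of a mail-gateway style check that flags such names, whether they arrive as a bare attachment or as a member of a ZIP archive; the extension sets and all sample filenames are constructed for the example, modelled on the patterns listed above.

```python
import io
import re
import zipfile

# Extensions Windows will execute when the recipient double-clicks the attachment.
EXECUTABLE_EXTS = {"exe", "cpl", "pif", "scr", "com", "bat", "cmd"}

# "<name>.<decoy>   .<real>": a harmless-looking extension, whitespace padding,
# then the executable extension that Windows actually honours.
_PADDED_DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]+)\s+\.([A-Za-z0-9]+)$")


def classify_attachment(name: str) -> str:
    """Return 'padded-double-extension', 'executable' or 'ok' for one attachment filename."""
    stripped = name.strip()
    m = _PADDED_DOUBLE_EXT.search(stripped)
    if m and m.group(2).lower() in EXECUTABLE_EXTS:
        return "padded-double-extension"
    # Windows uses only the final extension, so "photos.exe.safe" is not executable.
    ext = stripped.rsplit(".", 1)[-1].lower() if "." in stripped else ""
    if ext in EXECUTABLE_EXTS:
        return "executable"
    return "ok"


def scan_attachments(names):
    """Map every flagged filename to its verdict; names judged 'ok' are left out."""
    verdicts = {n: classify_attachment(n) for n in names}
    return {n: v for n, v in verdicts.items() if v != "ok"}


def scan_zip(data: bytes) -> dict:
    """Apply the same check to the member names inside a ZIP attachment, without extracting it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_attachments(zf.namelist())


def build_sample_zip() -> bytes:
    """Constructed sample archive (not the worm): a padded double-extension member beside a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg        .pif", b"placeholder bytes, not an executable")
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample names modelled on the filename patterns listed above.
    sample = ["julia038.jpg" + " " * 42 + ".pif", "DCP_0002.JPG .pif", "coolgame.zip .exe",
              "myfoto.cpl", "photos.zip", "photos.exe.safe", "report.pdf"]
    for name, verdict in scan_attachments(sample).items():
        print(f"{verdict:24s} {name!r}")
    print(scan_zip(build_sample_zip()))
```

Note that `photos.exe.safe` is deliberately left as `ok`: the check mirrors what Windows does (last extension wins) rather than matching `.exe` anywhere in the name, which keeps false positives down on legitimately renamed files. The ZIP check reads member names only, so no archive content is ever extracted to disk.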

When this file is run (manually), it copies itself to the Windows System directory as services.exe:

  • %WINDIR%\services.exe

(Where %WINDIR% is the Windows directory, for example C:\WINNT)

It creates the following registry entries to hook Windows startup:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBios Ext "ImagePath" = C:\WINNT\services.exe serv
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBios Ext "ImagePath" = C:\WINNT\services.exe serv
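
The persistence entry above is a good example of a name collision: the genuine Windows services.exe lives in the System32 folder, while the worm's copy sits one level up in the Windows directory and is registered as a service. The following is an added example (not McAfee's code, and not part of the original profile) that parses a `.reg` export of the Services keys and flags any service whose binary is called services.exe but is not in System32. It assumes string-form `"ImagePath"="..."` values (a real export may also use `hex(2):` form, which this parser does not handle); the sample export is constructed, and the ExampleSvc and LegitSvc service names in it are made up for the example.

```python
import ntpath
import re

# One key per service under a control set, as found in a .reg export of HKLM\SYSTEM.
_SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\([^\]]+)\]$",
    re.IGNORECASE,
)
_IMAGE_PATH = re.compile(r'^"ImagePath"="(.*)"$', re.IGNORECASE)


def parse_reg_export(text: str) -> dict:
    """Map service name -> ImagePath string from .reg text (string-form values only)."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _SERVICE_KEY.match(line)
        if key:
            current = key.group(1)
            continue
        val = _IMAGE_PATH.match(line)
        if val and current is not None:
            # .reg escapes '"' as \" and '\' as \\; undo both.
            services[current] = val.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return services


def split_image_path(image_path: str):
    """Split an ImagePath into (binary, arguments), honouring a quoted binary path."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def suspicious_services(services: dict) -> list:
    """Flag services whose binary is named services.exe but does not live in System32."""
    findings = []
    for name, image_path in services.items():
        binary, args = split_image_path(image_path)
        directory, base = ntpath.split(binary)
        if base.lower() == "services.exe" and not directory.lower().endswith("system32"):
            findings.append((name, binary, args))
    return findings


# Constructed .reg excerpt: the entry from the profile above plus two benign-looking
# services (ExampleSvc and LegitSvc are made up for this example).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBios Ext]
"ImagePath"="C:\\WINNT\\services.exe serv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LegitSvc]
"ImagePath"="\"C:\\WINNT\\System32\\services.exe\""
'''

if __name__ == "__main__":
    for name, binary, args in suspicious_services(parse_reg_export(SAMPLE_REG)):
        print(f"suspicious service {name!r}: {binary} (args: {args!r})")
```

Run against the constructed export, only the NetBios Ext entry is reported: its binary is C:\WINNT\services.exe with the argument serv, exactly the value shown in the registry entries above. The location check rather than a name-only check is what keeps the legitimate System32 copy out of the findings.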

Peer To Peer Propagation

The worm spreads through peer-to-peer networks such as ICQ, where it arrives as a message session with a link to the worm for download. The contents of the messages may be as follows (the full link has been modified):

  • funn https://64.40.98.XXX/icon/game.exe :-):-):-)
  • https://64.40.98.XXX//icon/game.exe :-):-)
  • https://64.40.98.XXX/icon/game.exe funny :-);-)
  • https://65.110.51.XXX/icon/game.exe ;-);-);-);-)
  • best game https://65.110.51.XXX/icon/game.exe ;-);-);-)
  • https://65.110.51.XXX/icon/game.exe LOL!! ;-);-);-)
  • https://www.XXX.unibo.it/claroline142/photo.exe i cried :-)
  • https://www.XXX.unibo.it/claroline142/photo.exe lol :-):-)
  • my photos (archived)https://www.XXX.unibo.it/claroline142/photo.exe
  • i now play in game https://www.scionicmusic.com/XXX/game.exe :-):-)
  • funy game https://www.scionicmusic.com/XXX/game.exe ;-);-);-)
  • fun game https://www.scionicmusic.com/XXX/game.exe :-):-):-)

The following filenames may be used:

  • 1.exe
  • antibush.scr
  • childporno.pif
  • coolgame.zip .exe
  • crazzygirls.scr
  • dap53 crack.exe
  • dap53.exe
  • dap71.exe
  • dvdplayer.exe
  • eroticgirls2.0.exe
  • fantasy.scr
  • hello.pif
  • icq2004-final.exe
  • icqcrack.exe
  • icqlite.exe
  • icqpro2003b crack.exe
  • icqpro2003b.exe
  • iMeshV4 crack.exe
  • iMeshV4.exe
  • kmd.exe
  • LimeWireWin.exe
  • matrix.scr
  • Morpheus.exe
  • mult.exe
  • myfack.pif
  • mylove.pif
  • mymusic.pif
  • mynewphoto.zip .exe
  • newvirus.exe
  • nicegirlsshowv12.scr
  • opera7.7.exe
  • opera7.x crack.exe
  • pinguin5.exe
  • rulezzz.scr
  • trillian 2.0 crack.exe
  • trillian-v2.74h.exe
  • tropicallagoonss.scr
  • winamp5.exe
  • winamp6.exe
  • WinZip 9.0 crack.exe
  • WinZip 9.0.exe
  • wrar330 crack.exe
  • wrar330.exe
  • you the best.scr
  • zlsSetup_45_538_001.exe

Remote Access Component

This worm tries to download BackDoor-CEB.e from the following sites (URLs have been modified).

  • https://www.masteratwork.com/XXX/wassup/00000008.cgi
  • https://www.professionals-active.com/XXX/click.dat
  • https://www.il-XXXX.it/forumBB/postmsg.gif
  • https://www.mercyships.de/html/content/XXX/data/data2.dat
  • https://www.XXX.unibo.it/claroline142/claroline/index.gif
  • https://www.scionicmusic.com/XXX/cover_v3.jpg
  • https://64.40.98.XXX/manual/images/apache.gif

Removal Instructions

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations