This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Indication of Infection
- Outgoing messages matching the description below
- Registry keys and file system changes matching the details below
The worm drops copies of itself within the Windows system (%SysDir%) directory:
System startup is hooked via addition of the following Registry key:
\Run "_svchost.con" = %SysDir%\svchost.com
The worm creates the following Registry key, within which various data is stored (for example, filepaths of the local files created that contain harvested email addresses):
Methods of Infection
The worm contains its own SMTP engine for constructing outgoing messages. Target email addresses are harvested from the victim machine, from files with the following extensions:
Harvested email addresses are stored in "SVCHOST.COn" files within %SysDir% (where n is a digit). These files are referenced within the data key described above.
The worm does not send emails to addresses containing any of the following strings:
Outgoing messages are constructed with multiple subject lines, message bodies and attachment filenames.
The worm makes multiple copies of itself using the filename "DOOM3 KEYGEN.EXE" in local directories containing the following strings:
- c:\Program Files\Common Files\Microsoft Shared\doom3 keygen.exe
- c:\WINNT\Downloaded Program Files\doom3 keygen.exe
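The file-system and startup indicators above (the dropped svchost.com, the SVCHOST.COn harvest files, the doom3 keygen.exe copies, and the _svchost.con Run value) can be matched with a small offline check. This is an added example for responders, not code from the advisory; the directory listing and Run values it scans are constructed sample data, and only the base file names and value name are compared, since the advisory does not spell out the full registry path.

```python
import os
import re
from typing import Dict, Iterable, List, Optional

# Indicators quoted from the advisory above.
RUN_VALUE_NAME = "_svchost.con"   # value name under the ...\Run key
WORM_DROPPER = "svchost.com"      # copy dropped into %SysDir%
KEYGEN_NAME = "doom3 keygen.exe"  # copies placed in local directories
# SVCHOST.COn (n a single digit) holds harvested addresses.
HARVEST_FILE = re.compile(r"^svchost\.co\d$", re.IGNORECASE)


def classify_path(path: str) -> Optional[str]:
    """Return an indicator label if the base name matches, else None."""
    name = os.path.basename(path.replace("\\", "/")).lower()
    if name == WORM_DROPPER:
        return "dropped copy"
    if HARVEST_FILE.match(name):
        return "harvested-address store"
    if name == KEYGEN_NAME:
        return "keygen-named copy"
    return None  # svchost.exe and other legitimate names fall through


def scan_paths(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group matching paths by indicator label."""
    hits: Dict[str, List[str]] = {}
    for p in paths:
        label = classify_path(p)
        if label:
            hits.setdefault(label, []).append(p)
    return hits


def check_run_values(values: Dict[str, str]) -> bool:
    """True if a Run value named _svchost.con points at svchost.com."""
    for name, data in values.items():
        if name.lower() == RUN_VALUE_NAME and data.lower().endswith("svchost.com"):
            return True
    return False


# Constructed sample input standing in for a %SysDir% listing and Run key.
SAMPLE_PATHS = [
    r"C:\WINNT\System32\svchost.com",
    r"C:\WINNT\System32\SVCHOST.CO3",
    r"C:\WINNT\System32\svchost.exe",  # legitimate Windows binary
    r"C:\WINNT\Downloaded Program Files\doom3 keygen.exe",
]
SAMPLE_RUN = {"_svchost.con": r"C:\WINNT\System32\svchost.com", "ctfmon": "ctfmon.exe"}
```

Running `scan_paths` over a real directory listing and `check_run_values` over an exported Run key reproduces the same checks against live data.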
Process termination payload
In an attempt to thwart manual identification and cleaning of an infected machine, the worm will attempt to terminate processes containing any of the following strings:
Denial of Service payload
This variant also delivers a DoS attack (HTTP) on three remote sites: