
Virus Information


Prevalence: green Low

Name: Win32.Nyxem.E@mm

Type:

How it spreads: This threat comes by e-mail. It is written in Visual Basic, and is compiled in p-code. It spreads via e-mail as a mass mailer using its own SMTP engine and also through network shares. Has a dangerous p

Affected operating:

Aliases: Email-Worm.Win32.Nyxem.e, W32/Nyxem-D, WORM_GREW.A, W32/MyWife.d@MM

Date of surface: Jan 15 2006 12:00AM
This threat comes by e-mail. It is written in Visual Basic, and is compiled in p-code.

It spreads via e-mail as a mass mailer using its own SMTP engine and also through network shares.

It has a dangerous payload: on the 3rd of each month, 30 minutes after the system has been started, it searches all available drives for files with the following extensions:

    .dmp .doc .mdb .mde .pdf .pps .ppt .psd .rar .xls .zip

and replaces their content with:

    "DATA Error [47 0F 94 93 F4 K5]"

The e-mail format is as follows:

Subject: (may be one of the following)

    *Hot Movie*
    A Great Video
    eBook.pdf
    Fw:
    Fw: DSC-00465.jpg
    Fw: Funny :)
    Fw: Picturs
    Fw: Real show
    Fw: SeX.mpg
    Fw: Sexy
    Fwd: Crazy illegal Sex!
    Fwd: image.jpg
    Fwd: Photo
    give me a kiss
    Miss Lebanon 2006

Note: for instance, the (composed) body may be: hello, i send the details

Attachment: (may be an executable or a MIME-encoded executable)

    007.pif
    04.pif
    677.pif
    Arab sex DSC-00465.jpg
    document.pif
    DSC-00465.Pif
    DSC-00465.pIf
    eBook.PIF
    image04.pif
    New_Document_file.pif
    photo.pif
    School.pif

If the file is MIME-encoded, the attachment may be:

    3.92315089702606E02.UUE
    Attachments[001].B64
    Attachments00.HQX
    Attachments001.BHX
    eBook.Uu
    SeX.mim
    Sex.mim
    Video_part.mim
    WinZip.BHX
    Word_Document.hqx
    Word_Document.uu

In MIME-encoded form, the attachment name may also be composed from a predefined list of strings, so the filename may be:

    392315089702606E-02
    Clipe
    Miss
    Sweet_09

and the extension may be any of:

    .b64 .BHx .HQX .mim .uu .UUE

The executable within the MIME-encoded file may be:

    392315089702606E-02,UUE .scR
    Adults_9,zip .sCR
    ATT01.zip .sCR
    Atta[001],zip .SCR
    Attachments,zip .SCR
    Attachments[001],B64 .sCr
    Clipe,zip .sCr
    New Video,zip .sCr
    Photos,zip .sCR
    SeX,zip .scR
    WinZip,zip .scR
    WinZip.zip .sCR
    Word XP.zip .sCR
    Word.zip .sCR

Once the executable is run (as an attachment from e-mail or in another way), the virus will do the following:

1. Copies itself as one or more of the following files (also see symptoms above):

    %WINDOWS%\Rundll16.exe
    %SYSTEM%\scanregw.exe
    %SYSTEM%\Update.exe
    %SYSTEM%\Winzip.exe

2. Creates an autorun registry entry:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry" = "%SYSTEM%\scanregw.exe /scan"

3. Modifies/sets the registry keys:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "WebView" = 0
    "ShowSuperHidden" = 0

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
    "FullPath" = 1

4. Harvests e-mail addresses from files with the extensions:

    .DBX .EML .HTM .IMH .MBX .MSF .MSG .NWS .OFT .TXT .VCF

It also scans inside files whose filenames match the strings "CONTENT." or "TEMPORARY" for e-mail addresses, but avoids e-mail addresses that contain:

    @HOTMAIL
    @HOTPOP
    @YAHOOGROUPS
    ANTI
    AVG
    CA.COM
    CILLIN
    EEYE
    GROUPS.MSN
    KASPER
    MCAFEE
    MICROSOFT
    NOMAIL.YAHOO.COM
    NORTON
    PANDA
    SCRIBE
    SECUR
    SPAM
    SYMANTEC
    TREND
    TRUST
    VIRUS

The virus will send itself to the harvested e-mail addresses in the format described earlier.

5. Network shares scan and propagation.

Enumerates available shares, and also checks the "Personal" and "Recent" entries in:

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

The virus may randomly replace one of the files from the found folders with a copy of itself, barring .exe extension.

Attempts to copy itself to network shares as:

    New WinZip File.exe
    Zipped Files.exe
    movies.exe
    WINZIP_TMP.exe

Also as C$\Documents a
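The following Python filter is added here as an illustration and is not eScan code; it flags attachment filenames that match the naming patterns in the e-mail format described above. The function names and reason labels are assumptions, and the sample filenames are constructed from the lists on this page.

```python
import re

# Extensions from the description above, matched case-insensitively because
# the worm mixes case (.pIf, .sCR, .BHx).
EXECUTABLE_EXTS = {".pif", ".scr"}
ENCODED_EXTS = {".b64", ".bhx", ".hqx", ".mim", ".uu", ".uue"}

# Decoy shape used for the executable inside the encoded file: an
# archive-looking name ("Photos,zip", "WinZip.zip"), whitespace padding,
# then the real ".scr" extension.
PADDED_DECOY = re.compile(r"[.,](zip|uue|b64)\s+\.scr$", re.IGNORECASE)


def classify_attachment(filename):
    """Return the list of reasons a filename matches the patterns above."""
    name = filename.strip()
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
    if ext in ENCODED_EXTS:
        reasons.append("encoded-container")
    if PADDED_DECOY.search(name):
        reasons.append("padded-decoy-extension")
    return reasons


def triage(filenames):
    """Map each flagged filename to its reasons; clean names are omitted."""
    flagged = {}
    for fn in filenames:
        reasons = classify_attachment(fn)
        if reasons:
            flagged[fn] = reasons
    return flagged


# Constructed sample input: three names from the lists above, one benign name.
SAMPLE = [
    "DSC-00465.pIf",
    "Attachments[001].B64",
    "Photos,zip                    .sCR",
    "quarterly-report.pdf",
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(repr(name), "->", ", ".join(reasons))
```

The padded-decoy check matters because a mail client that truncates long names shows only the archive-looking prefix, so a filter that looks at the displayed name alone would miss the trailing .scr.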
For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.

You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site.

Alternatively, you can install MicroWorld’s Internet Security Suite which has real time detection capabilities.
You can download and install the product from our eScan download page.
