Latest Virus Info Details from www.symantec.com

W32.HLLW.BenfGame.B

This is written in the Delphi programming language. It has a password-stealing component and a worm component. W32.HLLW.BenfGame.B spreads to all the mapped and network-shared drives under an assortment of randomly generated filenames.

The password-stealing component of W32.HLLW.BenfGame.B only applies when Chinese ICQ (OICQ) is installed. The Trojan sends the passwords to its creator via OICQ. The information sent by the password stealer is stored in the file Msread.dt. The worm component is independent of the Trojan component.

When the worm is run, it does the following:

1. Creates shares for the local and network drives.
2. Copies itself to randomly selected folders on all the mapped and shared drives.
3. Copies itself under filenames composed of random letters, such as Xwsqz.exe.
4. Creates the file C:\Filedebug with a list of the filenames that the worm created.
5. Randomly registers some of the dropped files as processes.
6. Makes the following modifications to these registry keys:
   - HKEY_CLASSES_ROOT\txtfile\shell\open\command: replaces the reference to notepad.exe with one of the random filenames that the worm created.
   - HKEY_CLASSES_ROOT\chm.file\shell\open\command: replaces the reference to hh.exe with one of the random filenames that the worm created.
   - HKEY_CLASSES_ROOT\scrfile\shell\open\command: changes the key to include one of the random filenames that the worm created, so that the key is "%1".
   - HKEY_CLASSES_ROOT\regfile\shell\open\command: replaces the reference to regedit.exe with one of the random filenames that the worm created.
   - HKEY_CLASSES_ROOT\inifile\shell\open\command: replaces the reference to any application with one of the random filenames that the worm created.
   - HKEY_CLASSES_ROOT\exefile\shell\open\command: changes the key to include one of the random filenames that the worm created, so that the key is "%1" %*.
7.
Adds a value, which refers to the worm, to the registry key:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   The value has a randomly chosen name, and the Value data is not always the same. For example, the file Qwoes.exe might have a Value data of "C:\program files\Apflsw.exe".
8. Adds the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\win70\workfile with a random value.
9. Tries to disable the following NT processes:
   - kav9x.exe
   - kavsvc9x.exe
   - kavsvcui.exe
   - kav32.exe
   - smenu.exe
   - ravmon.exe
   - passwordguard.exe
   - vpc32.exe
   - watcher.exe
10. Creates the file Autorun.inf in the root of all the drives, except the C: drive. This file contains the text:
   [autorun]
   OPEN=

W32.Bugbear.B@mm

Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 4 from a Category 3 threat.

The W32.Bugbear.B@mm worm is:
- A variant of http://securityresponse.symantec.com/avcenter/venc/data/w32.bugbear@mm.html.
- A mass-mailing worm that also spreads through network shares.
- Polymorphic, and it also infects a select list of executable files.
- Equipped with keystroke-logging and backdoor capabilities.
- Designed to terminate the processes of various antivirus and firewall programs.

The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto-execute the worm when reading or previewing an infected message. In addition, the worm contains routines that specifically affect financial institutions. This functionality causes the worm to send sensitive data to one of ten hard-coded public Internet e-mail addresses. The information sent includes cached passwords and key-logging data.

Because the worm does not properly handle the network resource types, it may flood shared printer resources, which causes them to print garbage or disrupts their normal functionality.
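The W32.HLLW.BenfGame.B persistence described above (the shell\open\command hijacks in step 6 and the Autorun.inf files in step 10) can be checked offline from artefacts pulled off a suspect host. The following Python is an added example and is not Symantec's code or the worm's code. It assumes a registry export in the "Windows Registry Editor Version 5.00" text format, that the expected handlers listed are the stock Windows defaults for those ProgIDs (an assumption; a customised build may differ), and that Autorun.inf uses the documented INI layout. Both samples in the block are constructed.

```python
"""Two offline checks for the BenfGame-style persistence described above.

Added example, not Symantec's or the worm's code.  Works on collected
artefacts (a .reg export and an Autorun.inf), not on the live registry.
"""
import re

# ProgID -> stock handler (assumed Windows defaults); "%1" means the command
# should launch the file itself (exefile, scrfile).
EXPECTED_HANDLER = {"txtfile": "notepad.exe", "chm.file": "hh.exe", "scrfile": "%1",
                    "regfile": "regedit.exe", "inifile": "notepad.exe", "exefile": "%1"}
KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\open\\command\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".scr", ".pif", ".cmd")


def program_name(command):
    """Base name of the first argument of a command line (quoted or not), lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        token = command[1:end] if end > 0 else command[1:]
    else:
        token = command.split()[0] if command else ""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_reg_export(text):
    """{progid: default command} for every shell\\open\\command key in a .reg export."""
    commands, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            continue
        if line.startswith("["):
            current = None  # some other key: stop collecting
            continue
        value = DEFAULT_RE.match(line)
        if value and current:
            # .reg escapes quotes as \" and backslashes as \\; undo that.
            commands[current] = value.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return commands


def find_hijacks(text):
    """(progid, command, reason) for each handler that differs from the expected one."""
    findings = []
    for progid, command in parse_reg_export(text).items():
        expected = EXPECTED_HANDLER.get(progid)
        if expected is None:
            continue
        actual = program_name(command)
        if actual != expected:
            findings.append((progid, command, "handler is %s, expected %s" % (actual, expected)))
    return findings


def parse_autorun(text):
    """{key: value} of the [autorun] section, keys lower-cased, ';' comments dropped."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def autorun_launches(text, allowed=()):
    """(key, program) for Autorun.inf entries that run an executable not on the allow list."""
    hits = []
    for key, value in parse_autorun(text).items():
        runs = key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))
        if runs and value:
            program = program_name(value)
            if program.endswith(EXECUTABLE_EXT) and program not in allowed:
                hits.append((key, program))
    return hits


# Constructed sample export: chm.file and exefile point at worm-style random names.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\chm.file\shell\open\command]
@="\"C:\\Windows\\Xwsqz.exe\" \"%1\""

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Windows\\Apflsw.exe\" \"%1\" %*"
'''

# Constructed Autorun.inf with a random-looking launcher, as the write-up describes.
SAMPLE_AUTORUN = """[autorun]
; constructed sample, not a real capture
OPEN=Xwsqz.exe
icon=Xwsqz.exe
shell\\open\\command=Xwsqz.exe /hidden
label=DATA
"""

if __name__ == "__main__":
    for progid, command, reason in find_hijacks(SAMPLE_REG_EXPORT):
        print("%-8s %s  <- %s" % (progid, command, reason))
    for key, program in autorun_launches(SAMPLE_AUTORUN):
        print("Autorun.inf %s runs %s" % (key, program))
```

Exporting the six ProgID keys with reg.exe from a suspect host and feeding the text to find_hijacks gives a quick answer to "is any association still pointing at a random-name executable" after cleanup; pass the names of legitimately deployed autorun programs in `allowed` to keep autorun_launches quiet on known-good media.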
When W32.Bugbear.B@mm runs, it copies itself to the \Startup folder under a filename composed of a few characters, such as ????.exe, where the question mark symbol (?) represents the letters that the worm chooses. For example, the worm may copy itself as:
- C:\Windows\Start Menu\Programs\Startup\Cyye.exe when it runs on a Windows 95/98/Me-based system.
- C:\Documents and Settings\\Start Menu\Programs\Startup\Cti.exe when it runs on a Windows NT/2000/XP-based system.

Mass-mailing routine

When the mass-mailing routine runs, it does the following:

1. Searches for email addresses in the current Inbox, as well as in files with the following extensions:
   - .mmf
   - .nch
   - .mbx
   - .eml
   - .tbb
   - .dbx
   - .ocs
2. Retrieves the current user's email address and SMTP server from the registry key:
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts
3. Uses its own SMTP engine to send itself to all the email addresses it finds.

As part of the routine, the worm spoofs the From: address. The worm can reply to or forward an existing message, or create a new message, with one of the following subject lines:
- Hello!
- update
- hmm..
- Payment notices
- Just a reminder
- Correction of errors
- history screen
- Announcement
- various
- Introduction
- Interesting...
- I need help about script!!!
- Stats
- Please Help...
- Report
- Membership Confirmation
- Get a FREE gift!
- Today Only
- New Contests
- Lost & Found
- bad news
- wow!
- fantastic
- click on this!
- Market Update Report
- empty account
- My eBay ads
- Cows
- 25 merchants and rising
- CALL FOR INFORMATION!
- new reading
- Sponsors needed
- SCAM alert!!!
- Warning!
- its easy
- free shipping!
- News
- Daily Email Reminder
- Tools For Your Online Business
- New bonus in your cash account
- Your Gift
- Re:
- $150 FREE Bonus!
- Your News Alert
- Hi!
- Get 8 FREE issues - no risk!
- Greets!
For the attachment filename, the worm uses filenames from the My Documents folder that have one of the following extensions:
- .reg
- .ini
- .bat
- .diz
- .txt
- .cpp
- .html
- .htm
- .jpeg
- .jpg
- .gif
- .cpl
- .dll
- .vxd
- .sys
- .com
- .exe
- .bmp

Then the filename is concatenated with one of the following extensions:
- .scr
- .pif
- .exe

In addition, the filename can consist of one of the following words:
- readme
- Setup
- Card
- Docs
- news
- image
- images
- pics
- resume
- photo
- video
- music
- song
- data

The content type of the message is matched to the file type, and can be one of the following:
- text/html
- text/plain
- application/octet-stream
- image/jpeg
- image/gif

Finally, the email message may be composed with or without the use of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to automatically execute on a vulnerable system.

Local and network file infection

The worm also infects the files on the local and network shares that match the following filenames. The worm appends itself and is polymorphic.
- scandskw.exe
- regedit.exe
- mplayer.exe
- hh.exe
- notepad.exe
- winhelp.exe
- Internet Explorer\iexplore.exe
- adobe\acrobat 5.0\reader\acrord32.exe
- WinRAR\WinRAR.exe
- Windows Media Player\mplayer2.exe
- Real\RealPlayer\realplay.exe
- Outlook Express\msimn.exe
- Far\Far.exe
- CuteFTP\cutftp32.exe
- Adobe\Acrobat 4.0\Reader\AcroRd32.exe
- ACDSee32\ACDSee32.exe
- MSN Messenger\msnmsgr.exe
- WS_FTP\WS_FTP95.exe
- QuickTime\QuickTimePlayer.exe
- StreamCast\Morpheus\Morpheus.exe
- Zone Labs\ZoneAlarm\ZoneAlarm.exe
- Trillian\Trillian.exe
- Lavasoft\Ad-aware 6\Ad-aware.exe
- AIM95\aim.exe
- Winamp\winamp.exe
- DAP\DAP.exe
- ICQ\Icq.exe
- kazaa\kazaa.exe
- winzip\winzip32.exe

Network share infection

The worm enumerates all the network shares and computers and attempts to copy itself to those shares. Also, the worm attempts to copy itself to the Windows Startup folder located on remote systems.
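The attachment construction described above (a document extension followed by .scr, .pif or .exe, sent under a text/* or image/* content type) gives a mail gateway something concrete to check. The following Python is an added example, not Symantec's code or the worm's code. It uses only the standard-library `email` parser; the extension and content-type lists are the ones quoted above; the sample message is constructed, and its base64 payload is only the first bytes of a PE header. Treating an attachment whose bytes start with "MZ" under a text/* or image/* type as suspicious is this example's own heuristic, not something the write-up states.

```python
"""Score a raw RFC 822 message for the Bugbear-style attachment traits above.

Added example, not Symantec's or the worm's code.  Standard library only.
"""
from email import message_from_string

EXEC_EXT = (".scr", ".pif", ".exe")            # extensions the worm appends
DOC_EXT = (".reg", ".ini", ".bat", ".diz", ".txt", ".cpp", ".html", ".htm",
           ".jpeg", ".jpg", ".gif", ".cpl", ".dll", ".vxd", ".sys", ".com",
           ".exe", ".bmp")                      # extensions it borrows from My Documents
NON_EXEC_TYPES = ("text/", "image/")           # types under which it ships the executable


def attachment_findings(raw_message):
    """Return [(filename, content_type, [reasons])] for each suspicious attachment."""
    msg = message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue                            # inline body, not an attachment
        name = filename.lower()
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.endswith(EXEC_EXT):
            stem = name.rsplit(".", 1)[0]
            if stem.endswith(DOC_EXT):
                reasons.append("document extension followed by executable extension")
            if ctype.startswith(NON_EXEC_TYPES):
                reasons.append("executable attachment declared as " + ctype)
        if payload.startswith(b"MZ"):
            # "MZ" is the DOS/PE header signature; text and images never start with it.
            if ctype.startswith(NON_EXEC_TYPES):
                reasons.append("PE image carried under " + ctype)
            elif not name.endswith(EXEC_EXT + (".dll", ".com")):
                reasons.append("PE image with a non-executable filename")
        if reasons:
            findings.append((filename, ctype, reasons))
    return findings


# Constructed sample: one harmless text attachment, one readme.txt.scr sent as image/gif
# whose payload is the first 16 bytes of a PE header (constructed, not a real sample).
SAMPLE_MESSAGE = """From: "Accounts" <someone@example.invalid>
To: victim@example.invalid
Subject: Payment notices
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached files.
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Nothing unusual here.
--b1
Content-Type: image/gif; name="readme.txt.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.txt.scr"

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

if __name__ == "__main__":
    for filename, ctype, reasons in attachment_findings(SAMPLE_MESSAGE):
        print(filename, ctype)
        for reason in reasons:
            print("  -", reason)
```

The double-extension test alone would also catch a legitimately named file such as setup.exe, which is why the content-type mismatch and the PE signature check are reported as separate reasons: a message that trips all three is far more likely to be the worm than one that trips only the first.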
The worm does not differentiate between computers and printers. Thus, the worm will inadvertently attempt to queue itself as a print job on network-shared printers.

Keylogger

The worm drops a keylogger as a randomly named DLL in the \Windows\System folder. The file is 5,632 bytes in size and is detected as PWS.Hooker.Trojan. The worm creates additional encrypted files in the Windows and \Windows\System folders with random filenames and the extensions .dll or .dat. These files store configuration information and the encrypted keystrokes that the keylogger records. In addition, the worm logs the text of the foreground window and data stored on the clipboard. These data files are not malicious and may be deleted.

This keylogger data file is sent to one of the following email addresses every 2 hours or when the log file is greater than 25,000 bytes:
- WXUudeba@mail.com.fr
- bernhardca@111.com
- glucarini@email.it
- sohailam@brain.com.pk
- tiharco@mail.gr
- tjtoll@arabia.com
- lilmoore2@lycos.com
- oktemh@excite.com
- tdawn@hawaiicity.com
- raytje167@freemail.nl
- ernstdor@online.ie
- mbednar@emailpinoy.com
- marko.aid.001@mail.ee
- ellekot@freemail.lt
- bleon@personal.ro
- jackk@biwemail.com
- newhot@mail.az
- ioterj@katamail.com
- ektsr@ureach.com
- wejzc@student.be
- rfewr@afreeinternet.com
- wqsgh@asheville.com
- john3784@catholic.org
- iyut@dcemail.com
- asgsa@thedoghousemail.com

When sending the key log file, the worm first disables auto-dialing through the registry. The worm does this to avoid arousing suspicion if you are currently not connected. Once the worm has finished sending the key log file, it restores the original setting.

Bank domains

W32.Bugbear.B@mm has functionality that specifically targets financial institutions. The worm contains a large list (over one thousand) of targeted bank domain names from around the world.
If W32.Bugbear.B@mm determines that the default e-mail address for the local system belongs to a banking company, then in addition to sending the key log file described above, the worm also sends cached dial-up networking passwords to the virus author. This information is sent to one of the following email addresses every 2 hours or when the log file is greater than 25,000 bytes:
- ifrbr@canada.com
- sdorad@juno.com
- fbnfgh@email.ro
- eruir@hotpop.com
- ersdes@truthmail.com
- eofb2@blazemail.com
- ioter5@yook.de
- iuery@myrealbox.com
- jkfhw@wildemail.com
- ds2iahf@kukamail.com

Therefore, banking institutions may be considered to be at greater risk.

W32.HLLW.Lovgate.K@mm

This is a variant of http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lovgate.i@mm.html. It has been repacked to make it difficult for existing antivirus software to detect. W32.HLLW.Lovgate.K@mm is also a mass-mailing worm that attempts to email itself to all the email addresses it finds in files whose extensions start with "ht". The subject and attachment of the incoming email are chosen from a predetermined list.

W32.HLLW.Lovgate.K@mm attempts to copy itself to all the computers on a local network, and then infect those computers. The worm also has backdoor Trojan capabilities. By default, the Trojan component listens on port 10168. If the infected computer runs Windows NT, 2000, or XP, the worm attempts to disguise itself as the normal Windows process "LSASS.EXE". This threat is written in the C++ programming language and is compressed several times with ASPack.

W32.Supova.C.Worm

This is a worm that attempts to spread through the KaZaA file-sharing network. This threat is written in the Microsoft Visual Basic (VB) programming language and is compressed with Petite. The VB run-time libraries are required to execute W32.Supova.C@mm.

NOTE: Due to bugs in the code, W32.Supova.C may not work properly.

When Supova.C.Worm runs, it may perform some of the following actions:

1.
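The two recipient lists above (the key-log recipients and the bank-specific recipients) are directly usable as indicators on a mail gateway, and the stated cadence (every 2 hours) gives a second signal. The following Python is an added example, not Symantec's code or the worm's code. It assumes a simplified, constructed gateway log line format of the form `<ISO timestamp> host=<name> from=<addr> to=<addr> size=<bytes> status=<word>` (not any real product's format), the sample log lines are constructed, and comparing addresses case-insensitively is this example's own choice.

```python
"""Match outbound mail log records against the Bugbear exfiltration recipients above.

Added example, not Symantec's or the worm's code.  The log format is a
constructed simplification; adapt LINE_RE to the gateway actually in use.
"""
import re
from datetime import datetime

KEYLOG_RECIPIENTS = {
    "WXUudeba@mail.com.fr", "bernhardca@111.com", "glucarini@email.it",
    "sohailam@brain.com.pk", "tiharco@mail.gr", "tjtoll@arabia.com",
    "lilmoore2@lycos.com", "oktemh@excite.com", "tdawn@hawaiicity.com",
    "raytje167@freemail.nl", "ernstdor@online.ie", "mbednar@emailpinoy.com",
    "marko.aid.001@mail.ee", "ellekot@freemail.lt", "bleon@personal.ro",
    "jackk@biwemail.com", "newhot@mail.az", "ioterj@katamail.com",
    "ektsr@ureach.com", "wejzc@student.be", "rfewr@afreeinternet.com",
    "wqsgh@asheville.com", "john3784@catholic.org", "iyut@dcemail.com",
    "asgsa@thedoghousemail.com",
}
BANK_RECIPIENTS = {
    "ifrbr@canada.com", "sdorad@juno.com", "fbnfgh@email.ro", "eruir@hotpop.com",
    "ersdes@truthmail.com", "eofb2@blazemail.com", "ioter5@yook.de",
    "iuery@myrealbox.com", "jkfhw@wildemail.com", "ds2iahf@kukamail.com",
}
# Case-insensitive lookup table (an assumption: the local part is normally case-sensitive).
WATCHLIST = {a.lower(): "keylog" for a in KEYLOG_RECIPIENTS}
WATCHLIST.update({a.lower(): "bank" for a in BANK_RECIPIENTS})

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) from=(?P<from>\S+) to=(?P<to>\S+) size=(?P<size>\d+)")


def match_log(lines):
    """One dict per log line whose recipient is on either watchlist."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                            # unparseable line: skip, do not guess
        kind = WATCHLIST.get(m.group("to").lower())
        if kind:
            hits.append({"ts": m.group("ts"), "host": m.group("host"), "to": m.group("to"),
                         "list": kind, "size": int(m.group("size"))})
    return hits


def hosts_by_list(hits):
    """{host: set of lists it mailed}; a host on the 'bank' list matches the bank-domain branch."""
    summary = {}
    for h in hits:
        summary.setdefault(h["host"], set()).add(h["list"])
    return summary


def periodic_hosts(hits, period=7200, tolerance=300):
    """Hosts with two key-log sends roughly one period apart (the write-up's 2-hour cadence)."""
    by_host = {}
    for h in hits:
        if h["list"] == "keylog":
            by_host.setdefault(h["host"], []).append(datetime.fromisoformat(h["ts"]))
    periodic = []
    for host, times in by_host.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if any(abs(g - period) <= tolerance for g in gaps):
            periodic.append(host)
    return periodic


# Constructed sample log: ws042 mails both lists, two hours apart; the others are normal traffic.
SAMPLE_LOG = """\
2003-06-05T08:01:12 host=ws042 from=jdoe@corp.example to=tjtoll@arabia.com size=26112 status=sent
2003-06-05T08:03:40 host=ws017 from=asmith@corp.example to=partner@example.net size=4120 status=sent
2003-06-05T10:01:15 host=ws042 from=jdoe@corp.example to=oktemh@excite.com size=9874 status=sent
2003-06-05T10:02:02 host=ws042 from=jdoe@corp.example to=ifrbr@canada.com size=1230 status=sent
2003-06-05T10:05:31 host=ws088 from=bob@corp.example to=helpdesk@corp.example size=812 status=sent
"""

if __name__ == "__main__":
    hits = match_log(SAMPLE_LOG.splitlines())
    print(hosts_by_list(hits))
    print("hosts on the 2-hour cadence:", periodic_hosts(hits))
```

A host that appears under the "bank" list is one the worm judged to belong to a banking domain, so it is the host whose cached dial-up passwords should be assumed compromised; the size field lets the 25,000-byte threshold be correlated as well when a send is not on the two-hour boundary.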
Displays the following fake message:
   Application attempted to read memory at 0xFFFFFFFFh
   Terminateing application
2. Copies itself to the %Windir% folder as one of the following:
   - Desktop-shooting.exe
   - Hello-Kitty.exe
   - BigMac.exe
   - Hellokitty.exe
   - Cheese-Burger.exe
   - .exe
   NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
3. Copies itself to the %Windir%\Media folder as:
   - Battle.net key generator (WORKS!!).exe
   - Britney spears nude.exe
   - DivX codec.exe
   - DivX optimizer.exe
   - DivX.exe
   - GTA3 crack.exe
   - Half-life WON key generator.exe
   - KaZaA media desktop v2.0 UNOFFICIAL.exe
   - Key generator for all windows XP versions.exe
   - Macromedia key generator (all products).exe
   - Microsoft key generator, works for ALL microsoft products!!.exe
   - Microsoft Windows XP crackpack.exe
   - Nuke program.exe
   - Star wars episode 2 downloader.exe
   - Warcraft 3 battle.net serial generator.exe
   - Warcraft 3 ONLINE key generator.exe
   - Windows XP key generator.exe
   - Windows XP serial generator.exe
   - Winrar + crack.exe
   - Winzip 8.0 + serial.exe
4. Inserts the file ".txt" into the %Windir% folder. This file contains the following text:
   W32.Supernova
   ---------------------------------------------------
   'Patch the leaks or the ship will sink'
   ---------------------------------------------------
5. Adds the value:
   "Supernova"=""
   to the registry key:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
6. If the worm finds KaZaA, it adds the values:
   "Dir0"="012345:%Windir%\Media\"
   "DisableSharing"="0"
   to the registry key:
   HKEY_CURRENT_USER\Software\Kazaa\LocalContent
7. Displays the message:
   Title: Just checkin' the walls...
   Message: Patch the leaks or the ship will sink
8. Sends the following messages to the MSN Messenger contacts:
   Hehe, check this out :-)
   Funny, check it out (h)
   LOL!! See this :D
   LOL!! Check this out :)