Virus Summary

Virus Name: W32/[EMAIL PROTECTED]
Risk Assessment: Corporate User: Low; Home User: Low

Virus Information

Discovery Date: 01/17/2006
Origin: Unknown
Length: Varies
Type: Virus
SubType: E-mail
Minimum DAT: 4642 (12/02/2005)
Updated DAT: 4679 (12/02/2005)
Minimum Engine: 4.4.00
Description Added: 01/17/2006
Description Updated: 01/17/2006 5:11 PM (PT)

Virus Characteristics

This worm is proactively detected by 4642 and higher DATs as W32/Generic.worm!p2p. 4677 and higher DATs detect it specifically as W32/[EMAIL PROTECTED].

This is a mass-mailing worm that bears the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- spreads through open network shares
- tries to lower security settings and disable security software

E-mail Component:

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally, you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)
- Photos
- My photos
- School girl fantasies gone bad
- Part 1 of 6
- Video clipe
- *Hot Movie*
- Re: Fw: Picturs
- Fw: Funny :)
- Fwd: Photo
- Fwd: image.jpg
- Fw: Sexy
- Fw: Fwd: Crazy illegal Sex!
- Fw: Real show
- Fw: SeX.mpg
- Fw: DSC-00465.jpg
- Re: Sex Video
- Word file
- the file
- eBook.pdf
- Miss Lebanon 2006
- A Great Video
- give me a kiss

Body: (Varies, such as)
- Note: forwarded message attached.
- You Must View This Videoclip!
- >> forwarded message
- i just any one see my photos.
- forwarded message attached.
- Please see the file.
- ----- forwarded message -----
- The Best Videoclip Ever
- Hot XXX Yahoo Groups
- F***in Kama Sutra pics ready to be F***ED ;)
- VIDEOS! FREE! (US$ 0,00)
- It's Free :)
- hello, i send the file. bye
- hi i send the details
- i attached the details.
- how are you?
- What?
- Thank you
- i send the details.
- OK ?

(N.B. *** replaces content for filtering purposes)

Attachment:

The files attached to the email may either be the executable itself or a MIME encoded file which contains the executable.

The executable filename is chosen from the following list:
- 04.pif
- 007.pif
- School.pif
- photo.pif
- DSC-00465.Pif
- Arab sex DSC-00465.jpg
- image04.pif
- 677.pif
- DSC-00465.pIf
- New_Document_file.pif
- eBook.PIF
- document.pif

The MIME encoded file's name is chosen from the following list:
- SeX.mim
- Sex.mim
- WinZip.BHX
- 3.92315089702606E02.UUE
- Attachments[001].B64
- eBook.Uu
- Word_Document.hqx
- Word_Document.uu
- Attachments00.HQX
- Attachments001.BHX
- Video_part.mim

It may also be chosen from the following list of prefaces:
- 392315089702606E-02
- Clipe
- Miss
- Sweet_09

with the following file extensions:
- .mim
- .HQX
- .BHx
- .b64
- .uu
- .UUE

The filename within the MIME encoded file is chosen from the following list (note the comma in place of the real extension and the space before the trailing extension):
- Attachments[001],B64 .sCr
- 392315089702606E-02,UUE .scR
- SeX,zip .scR
- WinZip.zip .sCR
- ATT01.zip .sCR
- Word.zip .sCR
- Word XP.zip .sCR
- New Video,zip .sCr
- Atta[001],zip .SCR
- Attachments,zip .SCR
- Clipe,zip .sCr
- WinZip,zip .scR
- Adults_9,zip .sCR
- Photos,zip .sCR

When this file is run, it copies itself to the Windows System directory as one or more of the following filenames:
- %SysDir%\Winzip.exe
- %SysDir%\Update.exe
- %SysDir%\scanregw.exe
- %WinDir%\Rundll16.exe
- %WinDir%\winzip_tmp.exe
- c:\winzip_tmp.exe
- %Temp%\word.zip .exe

(Where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM, %WinDir% is the Windows directory, and %Temp% is the Temp directory.)

It creates the following registry entry to hook Windows startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry=="scanregw.exe /scan"

Network Share Component:

The worm will attempt to copy itself to the following shares, using the current user's authentication:
- C$\documents and settings\all users\start menu\programs\startup\winzip quick pick.exe
- Admin$\winzip_tmp.exe
- C$\winzip_tmp.exe

Symptoms

Security Settings Modification:

The following registry keys are modified to lower security settings:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\NotifyDownloadComplete=="7562617"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet=="1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass=="1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName=="1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Explorer\Advanced\WebView=="0"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Explorer\Advanced\ShowSuperHidden=="0"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\FullPath=="0"

Registry entries under the following key are modified to disable security software:
- SOFTWARE\Classes\Licenses

.EXE or .PPL files found within the folders listed for the following registry entries are deleted:
- HKEY_LOCAL_MACHINE\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion
- HKEY_LOCAL_MACHINE\Software\Symantec\InstalledApps
- HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\101
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Panda Antivirus 6.0 Platinum
- HKEY_LOCAL_MACHINE\Software\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Iface.exe

The worm attempts to delete the following files:
- %ProgramFiles%\DAP\*.dll
- %ProgramFiles%\BearShare\*.dll
- %ProgramFiles%\Symantec\LiveUpdate\*.*
- %ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
- %ProgramFiles%\Norton AntiVirus\*.exe
- %ProgramFiles%\Alwil Software\Avast4\*.exe
- %ProgramFiles%\McAfee.com\VSO\*.exe
- %ProgramFiles%\McAfee.com\Agent\*.*
- %ProgramFiles%\McAfee.com\shared\*.*
- %ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
- %ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
- %ProgramFiles%\Trend Micro\Internet Security\*.exe
- %ProgramFiles%\NavNT\*.exe
- %ProgramFiles%\Morpheus\*.dll
- %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
- %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
- %ProgramFiles%\Grisoft\AVG7\*.dll
- %ProgramFiles%\TREND MICRO\OfficeScan\*.dll
- %ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
- %ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar

It also tries to delete files from the following locations on network shares:
- \C$\Program Files\Norton AntiVirus
- \C$\Program Files\Common Files\symantec shared
- \C$\Program Files\Symantec\LiveUpdate
- \C$\Program Files\McAfee.com\VSO
- \C$\Program Files\McAfee.com\Agent
- \C$\Program Files\McAfee.com\shared
- \C$\Program Files\Trend Micro\PC-cillin 2002
- \C$\Program Files\Trend Micro\PC-cillin 2003
- \C$\Program Files\Trend Micro\Internet Security
- \C$\Program Files\NavNT
- \C$\Program Files\Panda Software\Panda Antivirus Platinum
- \C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
- \C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
- \C$\Program Files\Panda Software\Panda Antivirus 6.0
- \C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus

It monitors the internet browser for the following strings:
- YAHOO! MAIL -
- @YAHOOGROUPS
- BLOCKSENDER
- SCRIBE
- YAHOOGROUPS
- TREND
- PANDA
- SECUR
- SPAM
- ANTI
- CILLIN
- CA.COM
- AVG
- GROUPS.MSN
- NOMAIL.YAHOO.COM
- EEYE
- MICROSOFT
- HOTMAIL
- MSN
- MYWAY
- GMAIL.COM
- @HOTMAIL
- @HOTPOP

The worm will close applications whose title contains one of the following strings:
- SYMANTEC
- SCAN
- KASPERSKY
- VIRUS
- MCAFEE
- TREND MICRO
- NORTON
- REMOVAL
- FIX

The values in the list below are deleted from the Registry Run and RunServices keys, to prevent the corresponding programs from being restarted:
- PCCIOMON.exe
- pccguide.exe
- Pop3trap.exe
- PccPfw
- tmproxy
- McAfeeVirusScanService
- NAV Agent
- PCCClient.exe
- SSDPSRV
- rtvscn95
- defwatch
- vptray
- ScanInicio
- APVXDWIN
- KAVPersonal50
- kaspersky
- TM Outbreak Agent
- AVG7_Run
- AVG_CC
- Avgserv9.exe
- AVGW
- AVG7_CC
- AVG7_EMC
- Vet Alert
- VetTray
- OfficeScanNT Monitor
- avast!
- DownloadAccelerator
- BearShare

Method Of Infection

This worm tries to spread via email and by copying itself to local shares. The mailing component harvests addresses from the local system. Files whose names contain the following strings are targeted:
- .HTM
- .DBX
- .EML
- .MSG
- .OFT
- .NWS
- .VCF
- .MBX
- .IMH
- .TXT
- .MSF
- CONTENT.
- TEMPORARY

Removal Instructions

All Users: Use current engine and DAT files for detection and removal. Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants: no known variants

Aliases:
- [EMAIL PROTECTED] (NAV)
- W32/Grew.A!wm (Fortinet)
- W32/[EMAIL PROTECTED] (F-Prot)
- W32/Nyxem-D (Sophos)
- W32/Tearec.A.worm (Panda)
- Win32/Blackmal.F (Vet)
- WORM_GREW.A (Trend)

Guys, Yahoo Groups received 6000000 virus mails on 17th and 18th January. If you post any mail to the group it will bounce back to you. At present mails are released from the pending section. However, once these are finished all Yahoo groups may go on temporary vacation.
The virus involved is mainly: Virus Profile: W32/[EMAIL PROTECTED] (aliases [EMAIL PROTECTED] (NAV), W32/Grew.A!wm (Fortinet), W32/[EMAIL PROTECTED] (F-Prot), W32/Nyxem-D (Sophos), W32/Tearec.A.worm (Panda), Win32/Blackmal.F (Vet), WORM_GREW.A (Trend)). You can search Google for this virus. Of course there are some others too.

The main problem with modern viruses is that they spoof mail addresses. It means that a virus mail coming from a particular ID is actually not coming from his computer but from another infected computer. The virus spoofs any mail addresses or aliases it finds in the infected computer and sends itself to all email addresses found in it.

The above virus has files with the following extensions: UUE, UU, B64, BHX, HQX, XXE, MIM etc. The virus file typically has a size of 130 K and the virus mail size is 179 to 181 K. Virus mails have some pictures which are not shown plus the 130 K file.

Just as it spoofs the sender's address, it also spoofs or feigns the subject. So the subject line may consist of Re followed by the subject of a mail actually posted in the group. Other common subjects are:
- Hot Movie*
- A Great Video
- Fw:
- Fw: DSC-00465.jpg
- Fw: Funny :)
- Fw: Picturs
- Fw: Real show
- Fw: SeX.mpg
- Fw: Sexy
- Fwd: Crazy illegal Sex!
- Fwd: image.jpg
- Fwd: Photo
- give me a kiss
- Miss Lebanon 2006
- My photos
- Part 1 of 6
- Video clipe
- Photos
- Re: School girl fantasies gone bad

- 007.pif
- 392315089702606E-02,.scR
- 677.pif
- Adults_9,zip.sCR
- Arab sex DSC-00465.jpg
- ATT01.zip.sCR
- Attachments[001],B64.sCr
- Clipe,zip.sCr
- document.pif
- DSC-00465.Pif
- DSC-00465.pIf
- eBook.pdf
- eBook.PIF
- image04.pif
- New Video,zip
- New_Document_file.pif
- photo.pif
- Photos,zip.sCR
- School.pif
- SeX,zip.scR
- Sex.mim
- Video_part.mim
- WinZip,zip.scR
- WinZip.BHX
- WinZip.zip.sCR
- Word XP.zip.sCR
- Word.zip.sCR
- 04.pif

The attachment may be an executable file or a MIME file that contains an executable file.
Those attachments that are MIME files may have the following file names:
- 3.92315089702606E02.UUE
- Attachments[001].B64
- Attachments00.HQX
- Attachments001.BHX
- eBook.Uu
- Original Message.B64
- Sex.mim
- SeX.mim
- Video_part.mim
- WinZip.BHX
- Word_Document.hqx
- Word_Document.uu

--
www.gaybombay.info
Group Site: http://www.gaybombay.info

This message was posted to the gay_bombay Yahoo! Group. Archives are at http://www.mail-archive.com/gay_bombay%40yahoogroups.com/maillist.html
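The indicator lists in the profile above (subject lines, attachment names, the MIME carrier extensions, the dropped file paths and the ScanRegistry Run value) are what a mail gateway or a host check would actually match on. The following Python is an added example, not code from the original post, from the group, or from the McAfee profile: the indicator strings are copied from the profile text, while the function names, the Verdict type, the placeholder-to-path mapping and every sample input are constructed for illustration.

```python
"""Gateway and host checks built from the W32/MyWife profile's indicator lists.

Added example: the indicator strings come from the profile text; everything
else (function names, Verdict type, sample inputs) is constructed for
illustration and is not the profile's or the group's own code.
"""
import re
from dataclasses import dataclass, field

# Subject lines the profile lists verbatim (compared case-insensitively).
KNOWN_SUBJECTS = {s.lower() for s in [
    "Photos", "My photos", "School girl fantasies gone bad", "Part 1 of 6",
    "Video clipe", "*Hot Movie*", "Re: Fw: Picturs", "Fw: Funny :)",
    "Fwd: Photo", "Fwd: image.jpg", "Fw: Sexy", "Fw: Fwd: Crazy illegal Sex!",
    "Fw: Real show", "Fw: SeX.mpg", "Fw: DSC-00465.jpg", "Re: Sex Video",
    "Word file", "the file", "eBook.pdf", "Miss Lebanon 2006", "A Great Video",
    "give me a kiss",
]}
# Executable attachment names from the profile (case variants collapse on lower()).
DROPPER_NAMES = {s.lower() for s in [
    "04.pif", "007.pif", "School.pif", "photo.pif", "DSC-00465.Pif",
    "Arab sex DSC-00465.jpg", "image04.pif", "677.pif", "New_Document_file.pif",
    "eBook.PIF", "document.pif",
]}
# Encodings the profile lists for the MIME-wrapped form of the attachment.
CARRIER_EXTENSIONS = (".mim", ".hqx", ".bhx", ".b64", ".uu", ".uue")
# Names inside the carrier: a comma where the real extension would be, then a
# space-separated ".scr" (e.g. "New Video,zip .sCR").
INNER_NAME_RE = re.compile(r"^[^,]+,(zip|b64|uue)\s+\.scr$", re.IGNORECASE)
# Persistence entry the profile documents under the Run key.
RUN_VALUE_NAME = "ScanRegistry"
RUN_VALUE_DATA = "scanregw.exe /scan"
# Drop locations, with the profile's placeholders left in place for resolution.
DROPPED_FILES = [
    r"%SysDir%\Winzip.exe", r"%SysDir%\Update.exe", r"%SysDir%\scanregw.exe",
    r"%WinDir%\Rundll16.exe", r"%WinDir%\winzip_tmp.exe", r"c:\winzip_tmp.exe",
    r"%Temp%\word.zip .exe",
]


@dataclass
class Verdict:
    """Indicators matched for one message; an empty hits list means nothing matched."""
    hits: list = field(default_factory=list)

    def suspicious(self) -> bool:
        return bool(self.hits)


def check_message(subject: str, attachment_names: list) -> Verdict:
    """Match one inbound message's subject and attachment names against the profile."""
    verdict = Verdict()
    if subject.strip().lower() in KNOWN_SUBJECTS:
        verdict.hits.append(f"subject: {subject}")
    for name in attachment_names:
        low = name.strip().lower()
        if low in DROPPER_NAMES:
            verdict.hits.append(f"known dropper name: {name}")
        elif low.endswith(CARRIER_EXTENSIONS):
            verdict.hits.append(f"MIME-encoded carrier: {name}")
        elif INNER_NAME_RE.match(low):
            verdict.hits.append(f"spaced double extension: {name}")
    return verdict


def check_host(run_values: dict, present_files: set, env: dict) -> list:
    """Check a host snapshot: Run-key values plus a set of existing file paths.

    run_values maps value name -> data as read from HKLM\\...\\CurrentVersion\\Run;
    env maps the profile's placeholders (%SysDir%, %WinDir%, %Temp%) to real paths.
    """
    findings = []
    # Compare the data as well as the name: Windows 9x/ME ships a legitimate
    # ScanRegistry value that runs scanregw.exe with /autorun, not /scan.
    if run_values.get(RUN_VALUE_NAME, "").strip().lower() == RUN_VALUE_DATA:
        findings.append(f"Run value {RUN_VALUE_NAME} = {RUN_VALUE_DATA}")
    present = {p.lower() for p in present_files}
    for template in DROPPED_FILES:
        path = template
        for placeholder, real in env.items():
            path = path.replace(placeholder, real)
        if path.lower() in present:
            findings.append(f"dropped file present: {path}")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not captured data.
    print(check_message("Fw: SeX.mpg", ["SeX.mim"]).hits)
    print(check_message("Re: minutes", ["New Video,zip .sCR"]).hits)
    env = {"%SysDir%": r"C:\WINDOWS\SYSTEM", "%WinDir%": r"C:\WINDOWS",
           "%Temp%": r"C:\WINDOWS\TEMP"}
    print(check_host({"ScanRegistry": "scanregw.exe /scan"},
                     {r"C:\WINDOWS\SYSTEM\scanregw.exe"}, env))
```

The message check deliberately keeps the three attachment tests separate (exact dropper name, carrier encoding, comma-and-space double extension) so a gateway log shows which rule fired; the host check matches the Run value's data and not just its name, because the worm's entry is chosen to look like the registry checker that Windows 9x/ME starts itself.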