Threat Encyclopedia

Installation

When executed, the worm copies itself in the %windir% folder using the following filename:

csrss.exe

In order to be executed on every system start, the worm sets the following Registry entry:

[SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Application" = "%windir%\csrss.exe"

The following Registry entry is set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger" = "%windir%\csrss.exe"

The following entries are deleted from the Registry:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\PendingFileRenameOperations

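A host-side triage check for the persistence entries above, added here as an example that is not part of the ESET write-up. It assumes the Run entry lives under HKLM (the page does not name the hive) and keeps registry and file access injectable so the decision logic runs on any platform; the only real Windows access is the winreg reader.

```python
"""Host triage for the Win32/Scano.AQ persistence entries described above.
Added example, not ESET's code: registry and file access are passed in as
callables so the decision logic runs anywhere; windows_lookup() reads HKLM."""
import re

IFEO_EXPLORER = (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                 r"\Image File Execution Options\explorer.exe")
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"  # hive assumed HKLM
DROPPED_NAME = "csrss.exe"

def windows_lookup(subkey, value_name):
    """Read an HKLM string value with the stdlib winreg module (Windows only)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            return winreg.QueryValueEx(key, value_name)[0]
    except OSError:
        return None

def _norm(value, windir):
    """Expand %windir%, strip quotes and case so two paths compare reliably."""
    expanded = re.sub(r"%windir%", lambda m: windir.rstrip("\\"), value, flags=re.I)
    return expanded.strip('"').lower()

def assess(lookup, windir, file_exists):
    """Return (severity, message) findings. lookup(subkey, name) -> str or None,
    file_exists(path) -> bool, windir = expanded %windir% such as C:\\WINDOWS."""
    dropped = windir.rstrip("\\") + "\\" + DROPPED_NAME
    findings = []
    debugger = lookup(IFEO_EXPLORER, "Debugger")
    if debugger is not None:
        # Any Debugger value on explorer.exe hijacks every shell start; the worm
        # points it at its own copy, so an exact match is conclusive.
        sev = "critical" if _norm(debugger, windir) == dropped.lower() else "high"
        findings.append((sev, "IFEO Debugger on explorer.exe: " + debugger))
    run = lookup(RUN_KEY, "Application")
    if run is not None and _norm(run, windir) == dropped.lower():
        findings.append(("critical", "Run value 'Application' launches " + run))
    if file_exists(dropped):
        # The real csrss.exe lives in %windir%\System32, never in %windir% itself.
        findings.append(("high", DROPPED_NAME + " found directly in " + windir))
    return findings

if __name__ == "__main__":
    import os
    for sev, msg in assess(windows_lookup, os.environ.get("windir", r"C:\WINDOWS"),
                           os.path.exists):
        print("[" + sev + "] " + msg)
```
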
Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.dhtml
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.mra
.msg
.nch
.ods
.oft
.php
.pl
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

Addresses containing the following strings are avoided:

---
-0
..
.0
.00
.1
.2
.3
.4
.5
.6
.7
.8
.9
.gif
.qmail
@.
@avp.
@example.
@foo
@iana
@messagelab
@microsoft
@subscribe
0000
2003
2004
2005
2006
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
Mailer-Daemon@
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
spm111@
support
torvalds@
unix
update
winrar
winzip

Subject of the message is one of the following:

He, where are you?
Hi! I'm waiting you online today!
Hi! Please write to me urgently!
Hi!!! How's the mood?
Hi, drop me a line!!!
Hi, what's up?
Re: Call me!
Re: How's the mood?
Re: When you're gonna answer me?
Re: Where are you?
Re: Where have you been?
Re: write to me!
When you're gonna answer me?
Will you be online today?

Body of the message is one of the following:

Hi!!!!! You haven't been writing for a long time. I began to worry) Where have you been? You remember, you've asked a progy from me? I've finally found it, so here it is. Check it out if this is what you've been looking for... bye

Hi, what's up? Will you show up online today?

Drop me a line in ICQ, ok? Btw, I'm sending you the docs you've been looking for, find them attached. Check them out, ok?

I'm coming to you tomorrow, ok? When you are going to be home?

You remember, you've asked some docs. Please find them attached. Check and see what's inside. That's it. Bye, till tomorrow...

You disappeared again. If you come online, drop me a line, ok?

Btw, I sent you those docs that you've been looking for. Check them out. Bye!

Hi, give me a call just when you got the message! I'm tired of waiting. Btw, I'm sending that program that you've been looking for. Check it out. Appears to be that one. Bye!

Hi, what's up? If you have time tomorrow, please come over. After midday. By the way, don't forget to check the enclosed documents. Bye. See you tomorrow.

Hi, I got a free day tomorrow, and I'm waiting for you. Please come after midday. By the way, I'm sending you the documents that you've been asking for. Read them out... Bye!

Hi, how are you? What are your plans today? If you have time, please come over, and don't forget to check the program attached. Bye!

Hi, what's you gonna do today? I'll come over tonight! By the way, don't give anyone this funny program I'm sending. Check it out. Bye!

Hi, I found that program you asked for. Find it attached. Bye.

Hi, I saw you around today, but you didn't noticed me ( If you're gonna be at home, give a call, ok? By the way, check this file I'm sending. A very interesting program...

What's up! You haven't been writing for a long time
I got news. I've finally that program you needed
I'm sending it out. Use it. Bye!

Hi, drop me a line today, ok? And see the program I'm sending. Bye!

Hi, drop me a line if you can. Btw, I have a new ICQ. Please don't forget to check the attached documents. Bye.

Hi! How are you? Drop me a line if you can. I found your documents and I'm emailing them to you. Bye.

The attachment is an executable of the worm. Its filename is one of the following:

Archive
backup
confidential
COOL
Document
File
Fotos
images
Important
Message
New
Passwords
private
README
Readme
secret
your_documents

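One way a mail gateway could flag these lures using the subject and attachment-name lists above, added here as an example that is not ESET's code. The sample message is constructed, and the attachment's .exe extension is an assumption, since the page lists the names without extensions.

```python
"""Gateway-side check for Win32/Scano.AQ lure mails, built from the subject
and attachment names listed above. Added example, not ESET's code; the sample
message below is constructed, not captured from the worm."""
import email
from email import policy

# Subset of the subjects listed above (add the rest of the list as needed).
SUBJECTS = {"He, where are you?", "Hi! I'm waiting you online today!",
            "Hi, what's up?", "Re: Call me!", "Re: Where are you?",
            "Will you be online today?"}
# Attachment names from the list above; the page gives no extension, so the
# match ignores whatever extension the attachment carries.
ATTACHMENT_STEMS = {"archive", "backup", "confidential", "cool", "document",
                    "file", "fotos", "images", "important", "message", "new",
                    "passwords", "private", "readme", "secret", "your_documents"}

def attachment_stems(msg):
    """Yield each attachment filename, lower-cased, without its last extension."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name.rsplit(".", 1)[0].lower()

def score(raw):
    """Parse a raw RFC 822 message; return (hits, reasons), where 2 means the
    subject and an attachment name both match the worm's lists."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if (msg["subject"] or "").strip() in SUBJECTS:
        reasons.append("subject matches a known lure")
    hits = [s for s in attachment_stems(msg) if s in ATTACHMENT_STEMS]
    if hits:
        reasons.append("attachment name matches: " + ", ".join(hits))
    return len(reasons), reasons

# Constructed sample; the attachment body is a placeholder, not a binary.
SAMPLE = """\
Subject: Re: Where are you?
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Passwords.exe"

placeholder-bytes
--b1--
"""
```
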
If an e-mail is being composed in Outlook Express, the worm can attach a copy of itself to the message. An HTA dropper script is used.

Spreading via shared folders

The worm searches for various shared folders. A name matches if it contains one of the following strings:

bear
donkey
download
ftp
htdocs
http
icq
kazaa
lime
morpheus
mule
pub
shar
source
upload

These include folders shared by various instant messengers and P2P programs. Worm executables are copied there using the following filenames:

1
1001 Sex and more.rtf
3D Studio Max 6 3dsmax
ACDSee 10 full
Adobe Photoshop 10 full
Adobe Premiere 10
Ahead Nero 8
Altkins Diet.doc
American Idol.doc
anthrax.doc
Arnold Schwarzenegger.jpg
Best Matrix Screensaver new
Britney sex xxx.jpg
Britney Spears and Eminem porn.jpg
Britney Spears blowjob.jpg
Britney Spears cumshot.jpg
Britney Spears fuck.jpg
Britney Spears full album.mp3
Britney Spears porn.jpg
Britney Spears Sexy archive.doc
Britney Spears Song text archive.doc
Britney Spears.jpg
Britney Spears.mp3
Clone DVD 6
Cloning.doc
Cracks & Warez Archiv
Dark Angels new
Dictionary English 2004 - France.doc
DivX 8.0 final
Doom 3 release 2
E-Book Archive2.rtf
Eminem blowjob.jpg
Eminem full album.mp3
Eminem Poster.jpg
Eminem sex xxx.jpg
Eminem Sexy archive.doc
Eminem Spears porn.jpg
Eminem.mp3
Full album all.mp3
Gimp 1.8 Full with Key
Harry Potter 1-6 book.txt
Harry Potter 5.mpg
Harry Potter all e.book.doc
Harry Potter and the Sorcerer
Harry Potter e book.doc
Harry Potter game
Harry Potter.doc
How to hack new.doc
Internet Explorer 9 setup
Kazaa Lite 4.0 new
Kazaa new
Keygen 4 all new
Learn Programming 2004.doc
Lightwave 9 Update
Magix Video Deluxe 5 beta
Matrix 3 .mpg
Microsoft Office 2003 Crack best
Microsoft WinXP Crack full
MS Service Pack 6
Norton Antivirus 2005 beta
Nostradamus.doc
Opera 11 free
Osama Bin Laden.jpg
Osama bin Laden.mpg
Partitionsmagic 10 beta
Porno Screensaver britney
RFC compilation.doc
Ringtones.doc
Ringtones.mp3
Saddam Hussein.jpg
Screensaver2
Serials edition.txt
Smashing the stack full.rtf
source code
Star Office 9
Taliban
Teen Porn 15.jpg
The Sims 4 beta
Ulead Keygen 2004
Vista review.doc
Visual Studio Net Crack all
WinAmp 13 full with sources
Windows 2003 crack
Windows Vista Sourcecode.doc
Windows XP crack
WinXP eBook newest.doc
World Trade Center last video.mpeg
XXX hardcore pics.jpg
Yellow Pages

NOD32 detected Win32/Scano.AQ using advanced heuristics.