Threat Encyclopedia


Win32/Surnova.D

W32.Supova.Worm, W32.Kitty.Worm, Worm.P2P.Surnova

Win32/Surnova.D is a worm that spreads over the Kazaa P2P (peer-to-peer) network and MSN Instant Messenger. Kazaa is a file exchange system that enables file sharing over the Internet. The worm is an executable file in PE format, 49152 bytes in size. It is written in Visual Basic and requires the library MSVBVM60.DLL to run. The worm lures Kazaa or MSN Instant Messenger users into downloading and running a copy of it by giving the file that contains the worm an attractive name. The code of this worm is derived from that of Win32/Surnova.A.

When the downloaded file is run, a copy of the worm is placed into the directory C:/Windows/Media using a file name chosen at random from the following list:

Windows XP key generator.exe
Windows XP serial generator.exe
Key generator for all windows XP versions.exe
Warcraft 3 ONLINE key generator.exe
Half-life ONLINE key generator.exe
Quake 4 BETA.exe
Grand theft auto 3 CD1 crack.exe
GTA3 crack.exe
Battle.net key generator (WORKS!!).exe
Warcraft 3 battle.net serial generator.exe
Half-life WON key generator.exe
Star wars episode 2 downloader.exe
Winzip 8.0 + serial.exe
Winrar + crack.exe
Britney spears nude.exe
Macromedia MX key generator (all products).exe
KaZaA media desktop v2.0 UNOFFICIAL.exe
Microsoft key generator, works for ALL microsoft products!!.exe
Microsoft Windows XP crack pack.exe
Hack into any computer!!.exe
DivX codec v6.0.exe
DivX newest version.exe
DivX.exe
DivX pro key generator.exe
Key generator for over 1,000 applications (really!).exe
DivX patch - Increases quality.exe
KaZaA spyware remover.exe
Age of empires 2 crack.exe
Norton antivirus 2002.exe
Macromedia Dreamweaver MX Key Generator.exe
Macromedia Flash MX Key Generator.exe
Microsoft Office XP (english) key generator.exe
Microsoft Office XP.iso.exe
CloneCD + crack.exe
CloneCD all-versions key generator.exe
XBOX emulator (WORKS!!).exe
Gamecube Emulator (WORKS!!).exe
Xbox.info.exe
Neverwinter nights crack.exe
Grand Prix 4 crack.exe
Nokia simlock remover (includes new models).exe
Britney spears hard porn (REAL!).exe
Christina Aguilera fuck (REAL!).exe
Kiddy child incest porn.exe
Doom 3 preview!!.exe
Crazy taxi crack.exe
Copy protection remover.exe
Sex.exe
A.exe
Jedi Knight 2 crack.exe
Warcraft 3 trainer.exe
Cable modem uncapper.exe
Grand theft auto 3 trainer.exe
KaZaA hack.exe
KaZaA lite.exe
Dragonball Z.exe
Dragonball Z COMPLETE episode guide.exe
Dragonball Z shootout.exe
Dragonball Z episode 1.exe
J-LO Nude (REAL!!).exe
Doom 3 screenshots.exe
Resident Evil [DivX].exe
Shrek.exe
Starcraft 2 preview!.exe
Starcraft battle.net key generator.exe
Starcraft ONLINE crack.exe

At the same time, the worm shares this directory with all users of the Kazaa network. Win32/Surnova.D then copies itself into the directory C:/Windows using the following names:

Alles-ist-vorbei.exe
Desktop-shooting.exe
Hello-Kitty.exe
BigMac.exe
Cheese-Burger.exe
Blaargh.exe

It creates the item Supernova in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run with the value "C:\WINDOWS\BLAARGH.exe", so that this copy is started with Windows. The worm also displays a fake error message.
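A triage check for the artifacts described above, as an added example that is not part of the original entry: it matches a collected file listing and Run-key export against the drop directory, the six C:/Windows copy names, the 49152-byte size and the Supernova Run item. The input shapes, the confidence labels and the sample data are assumptions constructed for illustration.

```python
# Added example: triage collected host data for the Win32/Surnova.D artifacts
# described in this entry. Input shapes (lists of tuples) are assumptions.
import ntpath

WORM_SIZE = 49152                      # PE size given in the description
WINDOWS_DIR = r"c:\windows"
MEDIA_DIR = r"c:\windows\media"        # drop directory shared with Kazaa users
WINDOWS_NAMES = {n.lower() for n in (
    "Alles-ist-vorbei.exe", "Desktop-shooting.exe", "Hello-Kitty.exe",
    "BigMac.exe", "Cheese-Burger.exe", "Blaargh.exe")}
RUN_VALUE_NAME = "supernova"

def norm(path):
    """Lower-case and unify separators: Windows paths are case-insensitive."""
    return ntpath.normpath(path.strip().strip('"')).lower()

def triage(files, run_entries):
    """files: [(path, size)], run_entries: [(name, data)] -> list of findings."""
    findings = []
    for path, size in files:
        folder, name = ntpath.split(norm(path))
        # Confidence labels are an assumption of this example.
        level = "high" if size == WORM_SIZE else "medium"
        if folder == MEDIA_DIR and name.endswith(".exe"):
            # Lure names are picked at random from a long list, so match on
            # location and type rather than on the name itself.
            findings.append((level, "exe in Media", path))
        elif folder == WINDOWS_DIR and name in WINDOWS_NAMES:
            findings.append((level, "known copy name", path))
    for value_name, data in run_entries:
        if (value_name.lower() == RUN_VALUE_NAME
                or ntpath.basename(norm(data)) == "blaargh.exe"):
            findings.append(("high", "Run key persistence", data))
    return findings

# Constructed sample data, not taken from a real host.
SAMPLE_FILES = [
    ("C:/Windows/Media/DivX.exe", 49152),
    (r"C:\WINDOWS\Media\chimes.wav", 55776),
    (r"C:\WINDOWS\BLAARGH.exe", 49152),
    (r"C:\Windows\notepad.exe", 66048),
    (r"C:\Windows\Hello-Kitty.exe", 1024),
]
SAMPLE_RUN = [("Supernova", r'"C:\WINDOWS\BLAARGH.exe"'),
              ("SoundMan", r"C:\Windows\SOUNDMAN.EXE")]

if __name__ == "__main__":
    for level, reason, item in triage(SAMPLE_FILES, SAMPLE_RUN):
        print(f"[{level}] {reason}: {item}")
```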

 

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.