Threat Encyclopedia

Short description
The worm sends links to Yahoo! Messenger users. If the link is clicked, a copy of the worm is retrieved from the Internet. The file is run-time compressed using MEW.
Installation
When executed the worm copies itself in the following locations:
  • %windir%\Java.exe
  • %system%\Cexplorer.exe
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dap32.exe
  • D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Winrar.exe
  • E:\Documents and Settings\All Users\Start Menu\Programs\Startup\User.cmd
The worm creates the following folders:
  • c:\amircivil1
  • c:\amircivil2
  • c:\amircivil3
  • c:\amircivil4
  • c:\amircivil5
  • c:\amircivil6
In order to be executed on every system start, the worm sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Update" = "%windir%\Java.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Win32Usr" = "%system%\Cexplorer.exe"
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    "Start" = 4
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
    "EnableDCOM" = "N"
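As an added host-audit example (not taken from the encyclopedia entry or its vendor), the PowerShell script below checks a Windows host for the file, folder and Registry indicators listed in the Installation section above and reports any that are present. It assumes %windir% expands to $env:windir and %system% to $env:windir\System32; the drive-letter paths are checked exactly as listed. It only reads the file system and Registry and changes nothing. Two of the values deserve attention for triage: SharedAccess is the Windows Firewall / Internet Connection Sharing service and Start = 4 means it is disabled, and EnableDCOM = "N" switches DCOM off.

```powershell
# Added host-audit example, not part of the encyclopedia entry.
# Read-only: reports indicators from the Installation section if present.
# Assumption: %windir% = $env:windir, %system% = $env:windir\System32.

$findings = @()

# Dropped copies of the worm.
$filePaths = @(
    "$env:windir\Java.exe",
    "$env:windir\System32\Cexplorer.exe",
    'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dap32.exe',
    'D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Winrar.exe',
    'E:\Documents and Settings\All Users\Start Menu\Programs\Startup\User.cmd'
)
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf -ErrorAction SilentlyContinue) {
        $findings += "File present: $p"
    }
}

# Folders created by the worm (c:\amircivil1 .. c:\amircivil6).
1..6 | ForEach-Object {
    $d = "C:\amircivil$_"
    if (Test-Path -LiteralPath $d -PathType Container -ErrorAction SilentlyContinue) {
        $findings += "Folder present: $d"
    }
}

# Run-key persistence entries; match on the file name at the end of the value.
$runChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'Windows Update'; Pattern = '*\Java.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Win32Usr';       Pattern = '*\Cexplorer.exe' }
)
foreach ($c in $runChecks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v -and ($v -like $c.Pattern)) {
        $findings += "Run entry: $($c.Key)\$($c.Name) = $v"
    }
}

# Defensive components switched off:
#   SharedAccess (Windows Firewall / ICS) with Start = 4 is disabled;
#   EnableDCOM = "N" turns DCOM off.
$start = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess' -Name Start -ErrorAction SilentlyContinue).Start
if ($start -eq 4) { $findings += 'SharedAccess service is disabled (Start = 4)' }

$dcom = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue).EnableDCOM
if ($dcom -eq 'N') { $findings += 'DCOM is disabled (EnableDCOM = N)' }

if ($findings.Count -eq 0) { 'No indicators from this entry were found.' } else { $findings }
```

Run it in an elevated PowerShell session so that the HKLM keys and all user profiles are readable. A disabled SharedAccess service or EnableDCOM = "N" is not proof of this worm on its own, since administrators set both deliberately, so treat those two findings as supporting evidence alongside the file and Run-key indicators.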
Spreading via IM networks
The worm sends links to Yahoo! Messenger users.

The messages may contain any of the following texts:
  • :x :x Yahoo Tedy: http://h1.ripway.com/tedy2007/Folder[%removed%] :x
If the link is clicked, a copy of the worm is retrieved from the Internet.
Other information
The worm terminates processes with any of the following strings in the name:
  • 02D30.exe
  • ACKWIN32.exe
  • ADAWARE.exe
  • ADVXDWIN.exe
  • AGENTSVR.exe
The worm launches the following processes:
  • makecab C:\Setup.exe C:\Update.zip
  • makecab D:\Scree.scr D:\New.zip
  • makecab E:\Winamp.pif E:\Winamp2007.zip
  • makecab F:\sex.html.cmd F:\TutorialSex.zip
  • makecab I:\OfficeSetup.pif I:\Office2007.zip
The worm may delete the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Explorer" = "%filepath%"
    "system" = "%filepath%"
    "msgsvr32" = "%filepath%"
    "winupd.exe" = "%filepath%"