Threat Encyclopedia

Installation

When executed, the worm copies itself into the %system% folder using the following filename:

wservice.exe

Another executable with a random name is dropped. The size of the file is 5707 B.

In order to be executed on every system start, the worm sets the following Registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"UpdateService" = "%system%\wservice.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"UpdateService" = "%system%\wservice.exe"

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

.hta
.htm
.txt
.wab

Addresses containing the following strings are avoided:

.gov
.mil
microsoft

Some of the following strings may be used to form the sender address:

Aldora
Alysia
Amorita
Anita
April
Aretina
Barbra
Becky
Bella
Bettina
Blenda
Briana
Bridget
Caitlin
Camille
Cara
Carla
Carmen
Clarissa
Damita
Danielle
Daria
Diana
Donna
Dora
Doris
Ebony
Eden
Eliza
Emily
Erika
Evelyn
Faith
Gale
Gilda
Gloria
Haley
Helga
Holly
Chelsea
Idona
Iris
Isabel
Ivana
Ivory
Janet
Jewel
Joanna
Julie
Juliet
Kacey
Kali
Kara
Kassia
Katrina
Kyle
Lara
Laura
Linda
Lisa
Lolita
Lynn
Maia
Mary
Melody
Mimi
Myra
Nadia
Naomi
Natalie
Nicole
Nina
Nora
Nova
Olga
Olivia
Pamela
Peggy
Queen
Rachel
Rita
Rosa
Ruby
Sharon
Silver
Valda
Valora
Vanessa
Vicky
Violet
Vivian
Wendy
Willa
Xandra
Xenia
Xylia
Zenia
Zilya

The subject of the message is one of the following:

White house news!
ATTN TO EVERYBODY!
READ AND RESEND ASAP!
Incredible news!
NEWS!
ATTN
URGENT NEWS!

The body of the message is one of the following:

3rd Glogal War Just Started!!! Read more in file!
GLOBAL NUCLEAR WAR JUST STARTED! News in file.
Nuclear War in Russia! Read news in file!
Nuclear WAR in USA! Read attached file!
President Bush DEAD! Read attached file!
President Putin dead! Read more in attached file!
Putin and Bush starts NUCLEAR WAR! Check the file!

The attachment is an executable of the worm. Its filename is one of the following:

open.exe
truth.exe
war.exe
last.exe
about me.exe
a.exe
never.exe
latest news.exe
read me.exe
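
As an added example (not part of the original description and not vendor code), the following Python check matches a raw e-mail message against the subject lines and attachment filenames listed above, the way a mail gateway rule might. The function names, the verdict policy, and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the description above, lower-cased for comparison.
SUBJECTS = {
    "white house news!", "attn to everybody!", "read and resend asap!",
    "incredible news!", "news!", "attn", "urgent news!",
}
ATTACHMENTS = {
    "open.exe", "truth.exe", "war.exe", "last.exe", "about me.exe",
    "a.exe", "never.exe", "latest news.exe", "read me.exe",
}


def attachment_names(msg):
    """Return the lower-cased filenames of every MIME part that carries one."""
    names = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            names.append(filename.strip().lower())
    return names


def score_message(raw_bytes):
    """Return (verdict, reasons) for one raw message.

    Assumed policy: both indicators -> quarantine, one -> flag, none -> pass.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        reasons.append("subject")
    if any(name in ATTACHMENTS for name in attachment_names(msg)):
        reasons.append("attachment")
    verdict = "quarantine" if len(reasons) == 2 else "flag" if reasons else "pass"
    return verdict, reasons


def build_sample(subject, body, filename=None):
    """Build a constructed test message (not captured traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "anita@example.com", "user@example.org", subject
    m.set_content(body)
    if filename:  # two placeholder bytes stand in for the attachment content
        m.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```
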

Executable files infection

The worm searches for executables having one of the following extensions:

.exe
.scr

Several other criteria are applied when choosing a file to infect. When infecting a file, the worm creates a copy of its executable file under a random name. The host file is modified so that the worm is executed before the original code runs. The size of the inserted code is 155 B. The total length of the file is unchanged.

Other information

The following programs are terminated:

anti
blackice
f-pro
firewall
hijack
lockdown
mcafee
msconfig
nod32
reged
spybot
taskmgr
troja
viru
vsmon
zonea

The worm tries to download a file from the Internet. The file is then executed.