Threat Encyclopedia

Installation

When executed, the worm copies itself into the %windir%\PoolData folder using the following filenames:

csrss.exe
services.exe
smss.exe

The following files may be dropped in the same folder:

runnor.ssy
spxttx1.xnt
spxttx2.xnt
spxttx3.xnt
WinD.osa
xpsys.ddr

The worm attempts to modify the following files:

%system%\dllcache\tcpip.sys
%system%\drivers\tcpip.sys
%windir%\ServicePackFiles\i386\tcpip.sys

In order to be executed on every system start, the worm sets the following Registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
" WinData" = "%windir%\PoolData\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"_WinData" = "%windir%\PoolData\services.exe"

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\Auto Update]
"AUOptions" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start" = 4

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 4

The worm displays a window titled "WinZip Self-Extractor" that contains the following text:

WinZip Header is missing!

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

.abc
.abd
.abx
.adb
.ade
.adp
.adr
.asp
.bak
.bas
.cfg
.cgi
.cls
.cms
.csv
.ctl
.dbx
.dhtm
.doc
.dsp
.dsw
.eml
.fdb
.frm
.hlp
.imb
.imh
.imm
.inbox
.ini
.jsp
.ldb
.ldif
.log
.mbx
.mda
.mdb
.mde
.mdw
.mdx
.mht
.mmf
.msg
.nab
.nch
.nfo
.nsf
.nws
.ods
.oft
.php
.phtm
.pl
.pmr
.pp
.ppt
.pst
.rtf
.shtml
.slk
.sln
.stm
.tbb
.txt
.uin
.vap
.vbs
.vcf
.wab
.wsh
.xhtml
.xls
.xml

The harvested addresses are saved in the following files:

spxttx1.xnt
spxttx2.xnt
spxttx3.xnt

Addresses containing the following strings are avoided:

.dial.
.kundenserver.
.ppp.
.qmail@
.sul.t-
@
@arin
@avp
@ca.
@example.
@foo.
@from.
@gmetref
@iana
@ika
@kaspers
@messagelab
@nai.
@panda
@smtp.
@sophos
@www
abuse
america.hm
announce
antivir
anyon
anywhere
arcor.de
asia
australiamail
Avast
bellcore.
bitdefender
bluewin.ch
cia.gov
clock
detection
domain.
e
e-mail.dk
emsisoft
ewido.
F-Secure
free-av
freeav
ftp.
gmail
gold-certs
google
heise.de
host.
iana-
iana@
icqmail
icrosoft.
ipt.aol
law2
linux
lycos
mailer-daemon
mozilla
mustermann@
newyork
nlpmail01.
noreply
nothing
ntp-
p-
reciver@
rus.
secure
smt
somebody
someone
sophos
spybot
sql.
subscribe
support
swissinfo.org
t-dialin
t-ipconnect
test@
time
trendMicro
user@
variabel
verizon.
viren
virus
webmails
whatever@
whoever@
winrar
winzip
you@
yourname
zonnet.nl

The subject of the message may be one of the following:

Error in your eMail
Fehlerhafte Mailzustellung
Ihr Account wurde eingerichtet!
Ihr Passwort wurde geaendert!
Your Updated Password!

The worm can produce a variety of message bodies. Some examples follow.

Ihr Passwort wurde erfolgreich geaendert.
Ihre neuen Account-Daten und Passwort befinden sich gesichert im Anhang!

**-** Web: http://www.%variable%
**-** E-Mail: %variable%


Diese Nachricht wurde Automatisch generiert.

- Ihre EMail konnte nicht empfangen oder gesendet werden.
- Mail-Text sowie Mail-Header befinden sich im Anhang.

*** auto mailerdaemon XPath 7
*** (c) by %variable%


Danke das Sie sich fuer uns entschieden haben.
Um ihren neuen Account zu aktivieren, folgen sie der kurzen Anleitung im Anhang. Es sind nur 2 Schritte noetig!

***** Web: http://www.%variable%
***** E-Mail: %variable%


You notified us that you have forgotten your password.
We have changed your password to a random sequence of letters and digits!

For more detailed information, see the attached password file ...

**** Web: http://www.%variable%
**** eMail: %variable%


Your eMail has occurred an unknown error on our Server.
Please read your mail and check the text.

The full email is attached!

*** auto mailerdaemon X.Path 4.2
*** (c) by %variable%

The attachment is a ZIP archive containing an executable of the worm. The name of the attachment is one of the following:

Anleitung
Mail_Data
Passw_Data

The executable inside the archive is named:

Winzipped_Data-Files.exe

Strings from the following two lists may be used to form the sender address (a name from the first list, a domain from the second):

Admin
Hostmaster
Postmaster
Webmaster


aol.de
gmx.de
hotmail.com
microsoft.com
web.de
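
As an added defender-side example (not part of the encyclopedia entry), the following Python checks a message's subject, attachment name and ZIP contents against the e-mail indicators listed above, and scans exported Run-key values for the WinData autostart described under Installation. The sample ZIP and the Run values it is tried on are constructed here; the ZIP member is a plain text file that only carries the worm's executable name.

```python
import io
import zipfile

# Indicators quoted from the entry above (compared case-insensitively).
SUBJECTS = {"Error in your eMail", "Fehlerhafte Mailzustellung",
            "Ihr Account wurde eingerichtet!", "Ihr Passwort wurde geaendert!",
            "Your Updated Password!"}
ATTACHMENT_STEMS = {"anleitung", "mail_data", "passw_data"}
PAYLOAD_NAME = "winzipped_data-files.exe"
RUN_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run"}
RUN_DATA = r"%windir%\pooldata\services.exe"


def score_email(subject, attachment_name, attachment_bytes):
    """Return the mail-side indicators from the entry that a message matches."""
    hits = []
    if subject.strip() in SUBJECTS:
        hits.append("subject")
    stem, _, ext = attachment_name.rpartition(".")
    if ext.lower() == "zip" and stem.lower() in ATTACHMENT_STEMS:
        hits.append("attachment-name")
    try:
        with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
            if any(n.lower() == PAYLOAD_NAME for n in zf.namelist()):
                hits.append("payload-name")
    except zipfile.BadZipFile:
        pass  # not a ZIP at all; the other indicators still count
    return hits


def find_run_entries(entries):
    """entries: (key, value_name, data) triples read from the Run keys.
    Returns those that match the worm's WinData autostart; the value name
    is compared with its leading space or underscore stripped."""
    return [(key, name) for key, name, data in entries
            if key.lower() in RUN_KEYS
            and name.strip(" _").lower() == "windata"
            and data.strip('"').lower() == RUN_DATA]


# Constructed sample input: an in-memory ZIP whose only member is a text file
# that merely carries the worm's executable name, plus two Run values.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("Winzipped_Data-Files.exe", "not a real executable")
SAMPLE_ZIP = _buf.getvalue()
SAMPLE_RUN = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", " WinData", r"%windir%\PoolData\services.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Updater", r"C:\Program Files\Example\updater.exe"),
]
```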

Other information

Programs whose names match the following strings are terminated:

asw*.tmp
aswclnr
avwin
brfix
fxsbr
gcas
gcip
giantanti
guardgui.
hijack
inetupd
killb
microsoftanti
mrt.exe
nod32
nod32kui
sober
stinger
stng

The worm displays a window titled "Anti-Virus" that contains the following text:

No Viruses, Trojans or Spyware found!
Status: OK