Threat Encyclopedia


Installation

When executed, the worm copies itself into the %windir% folder under the following filename:

t2serv.exe

The following files are dropped in the same folder:

t2serv.dll
t2serv.wax
t2serv.z
t2serv.s

The following files are dropped in the %system% folder:

dminspxc.exe
e1.dll
insehype.dll
rdchtool.dll

In order to be executed on every system start, the worm sets the following Registry entry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"t2serv" = "%windir%\t2serv.exe"

The following Registry entry is set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "rdchtool.dll e1.dll"

Spreading via e-mail

E-mail addresses used for further spreading are harvested from local files that have one of the following extensions:

adb
asp
cfg
cgi
dbx
dhtm
eml
htm
html
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xml

Addresses containing the following strings are avoided:

.edu
.gov
.mil
@avp
@foo
admin
anyone@
apache
berkeley
bugs@
cafee
certific
contact
contract@
example
fido
gold-certs
google
help
help@
ibm.com
icrosoft
info@
kasp
kernel
linux
local
master
mozilla
mydomai
news
nobody
noone
noreply
panda
privacy
rating
rfc-ed
ripe.
root@
samples
secure
sendmail
service
somebody
someone
spam
support
unix
update
usenet
winrar
winzip
your

The subject of the message is one of the following:

Error
Good day
hello
Mail Delivery System
Mail server report.
Mail Transaction Failed
picture
Server Report
Status
test

The body of the message is one of the following:

Mail transaction failed. Partial message is available.



Mail server report.

Our firewall determined the e-mails containing worm copies are being sent from your computer.

Nowadays it happens from many computers, because this is a new virus type (Network Worms).

Using the new bug in the Windows, these viruses infect the computer unnoticeably.
After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
addresses

Please install updates for worm elimination and your computer restoring.

Best regards,
Customers support service



The message contains Unicode characters and has been sent
as a binary attachment.



The message cannot be represented in 7-bit ASCII encoding
and has been sent as a binary attachment

The attachment is either an executable of the worm or a ZIP archive containing it. Its filename is one of the following:

body
doc
file
message
readme
test
Update-KB1203-x86
Update-KB1375-x86
Update-KB1656-x86
Update-KB1781-x86
Update-KB1968-x86
Update-KB2875-x86
Update-KB2937-x86
Update-KB6843-x86
Update-KB7578-x86
Update-KB7687-x86
Update-KB8203-x86
Update-KB9093-x86
Update-KB9171-x86
Update-KB9765-x86
Update-KB9812-x86

If an archive is attached, the filename has the following extension:

.zip

If an executable is attached, a double extension may be used. The first extension is one of the following:

.dat
.elm
.log
.txt

The second extension is one of the following:

.bat
.exe
.pif
.scr
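The following is an added mail-gateway check, not part of this encyclopedia entry, that turns the subject and attachment-naming scheme described above into detection logic. It flags a message whose subject is one of the listed strings and whose attachment name is a listed basename or Update-KB####-x86 followed by .zip, or by an optional first extension (.dat/.elm/.log/.txt) plus a second one (.bat/.exe/.pif/.scr). The function names and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string

# Indicators taken from the description above.
SUBJECTS = {"Error", "Good day", "hello", "Mail Delivery System", "Mail server report.",
            "Mail Transaction Failed", "picture", "Server Report", "Status", "test"}
BASENAMES = {"body", "doc", "file", "message", "readme", "test"}
FIRST_EXT = (".dat", ".elm", ".log", ".txt")
SECOND_EXT = (".bat", ".exe", ".pif", ".scr")
UPDATE_KB = re.compile(r"^update-kb\d{4}-x86$", re.IGNORECASE)


def attachment_matches(name: str) -> bool:
    """True if `name` fits the worm's attachment naming scheme (case-insensitive)."""
    lower = name.strip().lower()
    # ZIP variant: <basename>.zip
    if lower.endswith(".zip"):
        base = lower[:-4]
        return base in BASENAMES or bool(UPDATE_KB.match(base))
    # Executable variant: <basename>[.first-ext].second-ext
    for ext2 in SECOND_EXT:
        if lower.endswith(ext2):
            rest = lower[: -len(ext2)]
            for ext1 in FIRST_EXT:          # the first extension is optional
                if rest.endswith(ext1):
                    rest = rest[: -len(ext1)]
                    break
            return rest in BASENAMES or bool(UPDATE_KB.match(rest))
    return False


def score_message(raw: str) -> list:
    """Return the list of indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    subject = (msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.walk():                 # includes nested multipart parts
        filename = part.get_filename()
        if filename and attachment_matches(filename):
            hits.append(f"attachment:{filename}")
    return hits


# Constructed sample message (hypothetical addresses, truncated attachment body).
SAMPLE = """From: "Customers support service" <support@example.invalid>
To: user@example.invalid
Subject: Mail server report.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail server report.
--b1
Content-Type: application/octet-stream; name="Update-KB1203-x86.txt.exe"
Content-Disposition: attachment; filename="Update-KB1203-x86.txt.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

if __name__ == "__main__":
    print(score_message(SAMPLE))
```

The subject alone is weak evidence ("test", "Status"), so a gateway rule should require the attachment match and treat the subject as corroboration.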