(I-Worm.Xiv.a (KAV), WORM_BOOSTAP.A (Trend))
- Presence of appboost.exe in %windir%. Attention! This file has the hidden attribute set, so it is not visible in Explorer with default settings.
- Presence of appbsvc.exe in %windir%
- Presence of the registry key HKEY_CURRENT_USER\Software\Microsoft\Mails\%number% containing a binary sequence
- Infected executable files have their icon replaced with the one shown here:
BitDefender virus researcher
It spreads using several different methods. It may arrive as an infected mail attachment, in which case it uses an Internet Explorer vulnerability that allows the attached file to execute without asking the user, so merely viewing or previewing the email is enough to get infected.
Once the code is executed the virus copies itself to %windir%\appboost.exe with the hidden attribute set and to %windir%\appbsvc.exe with regular attributes. It then registers appbsvc.exe as a system process (it cannot be killed with Task Manager under WinNT/2k/XP) and registers appboost.exe as the default shell open command for .BAT, .CMD, .COM, .EXE, .PIF and .SCR files.
The executables enumerated above are infected only when they are opened through the shell open command (e.g. by launching them from Explorer).
The virus also scans the names of processes in memory and, if a name contains one of its predefined antivirus-related strings, the process is terminated.
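The indicators and persistence points listed above can be triaged in one pass. The following is an added example script, not part of the original BitDefender write-up; it assumes the standard HKCR ProgIDs for the hijacked extensions (exefile, batfile, cmdfile, comfile, piffile, scrfile) and should be run from an elevated PowerShell prompt.

```powershell
# Added triage script for the BOOSTAP indicators described above.
# Assumption: the worm rewrites the (default) value of
# HKCR\<progid>\shell\open\command for the listed file types.
$win = $env:windir
$findings = @()

# 1. Dropped files. appboost.exe is hidden, so -Force is required to see it.
foreach ($name in 'appboost.exe', 'appbsvc.exe') {
    $p = Join-Path $win $name
    $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
    if ($f) { $findings += "Dropped file: $p (attributes: $($f.Attributes))" }
}

# 2. Mail bookkeeping key: HKCU\Software\Microsoft\Mails\<number>
$mails = 'HKCU:\Software\Microsoft\Mails'
if (Test-Path $mails) {
    $n = (Get-ChildItem -Path $mails -ErrorAction SilentlyContinue).Count
    $findings += "Registry key present: $mails ($n numbered subkey(s))"
}

# 3. Shell open command hijack for .BAT/.CMD/.COM/.EXE/.PIF/.SCR
$progids = 'batfile', 'cmdfile', 'comfile', 'exefile', 'piffile', 'scrfile'
foreach ($id in $progids) {
    $key = "Registry::HKEY_CLASSES_ROOT\$id\shell\open\command"
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -match 'appboost\.exe') {
        $findings += "Hijacked handler: $id -> $cmd"
    }
}

# 4. Worm processes currently running
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match '^appb(oost|svc)$' } |
    ForEach-Object { $findings += "Running process: $($_.ProcessName) (PID $($_.Id))" }

if ($findings.Count -eq 0) { 'No BOOSTAP indicators found.' } else { $findings }
```

Note that while exefile\shell\open\command still points at appboost.exe, deleting that file breaks launching of every .exe, so restore the handler value before removing the dropped files.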
Messages sent by the worm may have as subject a combination of "A nice Screensaver of", "Ein netter Screensaver von", "New Version of", "Eine neue Version von", "Important!:", "Wichtig!:" and "Angelina Jolie", "Anna Kournikova", "Porn Screensaver", "Sex Screensave", "TvTool", "Flashget", "WarezBoardAccess", "Undelivarable EMail", "Brute Force Tool". Attached files may have one of the following names: "PamAnderson.scr", "Jolie.scr", "AnnaKournikova.scr", "XXX.scr", "FreeSex..exe", "TvTool.exe", "FlashGet.exe", "WarezBoardAccess.exe", "Undelivarableemail.exe", "BestTool.exe", "vertag.exe".
Due to bugs in this version of the worm it crashes on several systems with error reports (e.g. "appboot.exe has generated errors and will be closed") and may not run at all on Win98 systems.
It infects PHP files (.php, .php3 and .phtml) by appending PHP code which scans for and infects all the PHP files it finds on the system, then adds a user to the Apache server (if one exists) to allow remote attacks, and manipulates some mIRC scripts.
File shares for KaZaa are created containing virus executables whose names are composed of words found on the victim's system combined with some built-in words (e.g. "Crack", "Extra Pack - Key Gen", "Performance Fix", etc.) and various executable extensions (.bat, .cmd, .exe, .pif, etc.).
Because of the infection method typical of high-level language viruses, and because of several major bugs in the virus code, the infected system becomes unstable relatively quickly and has a high probability of failing to boot.