My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.MSNWorm.Rodok.A

LOW
LOW
53248 bytes
(Worm.Win32.Fleming (Kaspersky))

Symptoms

- a process called "BR2002" running (it can be seen by right-clicking the taskbar and launching Task Manager).

Removal instructions:

Manual Removal:
Invoke Task Manager, select the process called "BR2002" and click "End Task". You should also delete the file "br2002.exe" that contains the worm.
Automatic Removal:
Let BitDefender delete/disinfect files found infected.

Analyzed By

Bogdan Dragu BitDefender Virus Researcher

Technical Description:

This worm spreads by by maliciously inviting the user's MSN Messenger contacts to download it; it was written in Visual Basic.
The virus is disguised as a CD-key generator for the great Half-Life/CounterStrike games; when run, it invites the user to click the "Generate" button, but the resulting "keys" are just random digits:


The virus actually steals the user's CD-keys for Half-Life and CounterStrike. The keys are read from the following registry keys:
- HKCU\Software\Valve\CounterStrike\Settings\Key
- HKCU\Software\Valve\Half-Life\Settings\Key
and sent to styggefolk@hotmail.com; the sent message looks like this:
I have loaded the ur CDKEY Generator 1.3! CS: HL: In order to spread, the worm sends instant messages to the user's contacts, inviting them to download and run a program (actually a copy of the virus) from a website:


The virus then attempts to download an executable file from the location http://home.no.net/downl0ad/CS-Keygen.exe and save it as C:\hehe2397824.exe. If the user receives a message from styggefolk@hotmail.com, it will take a specific action depending on the contents of that message:
- if the message reads "hey", the virus will send the CounterStrike/Half-Life CD keys again;
- if the message reads "hello", the virus will download a file (probably containing an updated version of the virus) from the location http://home.no.net/downl0ad/Update.exe and save it as C:\update35784.exe; a message will be sent back to styggefolk@hotmail.com, containing the text "Updating...";
- if the message reads "hi", the virus will reply with "Spamming..." and send virus download invitations again to the user's contacts.
The worm runs the downloaded executable files (C:\hehe2397824.exe, C:\update35784.exe), if they are found; it will remain resident, waiting for messages from styggefolk@hotmail.com.