Win32.MSNWorm.Rodok.A

Alias: Worm.Win32.Fleming (Kaspersky)
Spreading: low
Damage: low
Size: 53248 bytes
Discovered: 2002 Oct 09

SYMPTOMS:

- a process called "BR2002" running (visible in Task Manager, which can be opened by right-clicking the taskbar).

TECHNICAL DESCRIPTION:

This worm spreads by inviting the user's MSN Messenger contacts to download it; it was written in Visual Basic.
The virus is disguised as a CD-key generator for the Half-Life/CounterStrike games; when run, it invites the user to click the "Generate" button, but the resulting "keys" are just random digits.
The virus actually steals the user's CD-keys for Half-Life and CounterStrike. The keys are read from the following registry keys:
- HKCU\Software\Valve\CounterStrike\Settings\Key
- HKCU\Software\Valve\Half-Life\Settings\Key
and sent to styggefolk@hotmail.com; the sent message looks like this:
I have loaded the ur CDKEY Generator 1.3! CS: HL:

In order to spread, the worm sends instant messages to the user's contacts, inviting them to download and run a program (actually a copy of the virus) from a website.

The virus then attempts to download an executable file from the location http://home.no.net/downl0ad/CS-Keygen.exe and save it as C:\hehe2397824.exe. If a message from styggefolk@hotmail.com arrives, the virus takes a specific action depending on the contents of that message:
- if the message reads "hey", the virus will send the CounterStrike/Half-Life CD keys again;
- if the message reads "hello", the virus will download a file (probably containing an updated version of the virus) from the location http://home.no.net/downl0ad/Update.exe and save it as C:\update35784.exe; a message will be sent back to styggefolk@hotmail.com, containing the text "Updating...";
- if the message reads "hi", the virus will reply with "Spamming..." and send virus download invitations again to the user's contacts.
The worm runs the downloaded executable files (C:\hehe2397824.exe, C:\update35784.exe), if they are found; it will remain resident, waiting for messages from styggefolk@hotmail.com.
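The command-and-control exchange described above (fixed keywords from one controller address, fixed reply strings back to it) is easy to spot in exported Messenger logs. The following detector is an added example, not BitDefender's code; the log line format it parses is constructed, and the sample CD-key values are invented.

```python
import re

# Indicators from the BitDefender description of Win32.MSNWorm.Rodok.A.
CONTROLLER = "styggefolk@hotmail.com"
INBOUND_COMMANDS = {
    "hey": "re-send CounterStrike/Half-Life CD keys",
    "hello": "download Update.exe and reply 'Updating...'",
    "hi": "reply 'Spamming...' and re-send download invitations",
}
OUTBOUND_MARKERS = {
    "I have loaded the ur CDKEY Generator 1.3!": "CD-key exfiltration",
    "Updating...": "acknowledgement of update command",
    "Spamming...": "acknowledgement of spread command",
}
# Constructed log format (assumed, not from the page):
#   <timestamp> <IN|OUT> <peer-address> <message text>
LOG_RE = re.compile(r"^(\S+)\s+(IN|OUT)\s+(\S+)\s+(.*)$")


def scan_im_log(lines):
    """Return (timestamp, direction, peer, reason) tuples for Rodok.A traffic."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts, direction, peer, text = m.groups()
        if direction == "IN" and peer.lower() == CONTROLLER:
            # The worm reacts only to the exact keywords from the controller;
            # the same words from any other contact are ordinary chat.
            cmd = text.strip().lower()
            if cmd in INBOUND_COMMANDS:
                reason = f"controller command {cmd!r}: {INBOUND_COMMANDS[cmd]}"
                findings.append((ts, direction, peer, reason))
        elif direction == "OUT":
            # Key exfiltration and command acknowledgements use fixed prefixes.
            for marker, meaning in OUTBOUND_MARKERS.items():
                if text.startswith(marker):
                    findings.append((ts, direction, peer, meaning))
                    break
    return findings


# Constructed sample log (not captured traffic): two contacts plus the controller.
SAMPLE_LOG = [
    "2002-10-09T10:00:01 IN friend@example.com hey, got the keygen yet?",
    "2002-10-09T10:00:05 OUT styggefolk@hotmail.com I have loaded the ur CDKEY Generator 1.3! CS: 1111 HL: 2222",
    "2002-10-09T10:01:00 IN styggefolk@hotmail.com hello",
    "2002-10-09T10:01:02 OUT styggefolk@hotmail.com Updating...",
    "2002-10-09T10:02:00 IN other@example.com hi",
]
```

Running `scan_im_log(SAMPLE_LOG)` yields three findings: the key exfiltration, the "hello" command from the controller, and the "Updating..." acknowledgement; the "hey" and "hi" from ordinary contacts are ignored.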

Removal instructions:

Manual Removal:
Invoke Task Manager, select the process called "BR2002" and click "End Task". You should also delete the file "br2002.exe" that contains the worm.
Automatic Removal:
Let BitDefender delete/disinfect files found infected.

ANALYZED BY:

Bogdan Dragu
BitDefender Virus Researcher