Win32.Cult.B@mm (W32.HLLW.Cult.B@mm, W32/Lanet@mm)
SYMPTOMS:

TECHNICAL DESCRIPTION:

When the worm is executed it copies itself into the %WINSYS% folder under the name wuauqmr.exe.

It adds the registry value NvCpTDaemn = %WINSYS%\wuauqmr.exe under both of the following keys, to ensure that it is executed at every restart:
  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run

It adds the registry value Dir0 = 012345:%SYSDIR%\ jdfghtrg\ under HKCU\SOFTWARE\KAZAA\LocalContent, in order to register that location as a Kazaa shared folder. It then copies itself into %SYSDIR%\ jdfghtrg\ under the following names, so as to spread over the Kazaa network:
  zoneallarm_pro_crack.exe
  AVP_Crack.exe
  SMS_sender.exe
  DivX 5.03 Codecs.exe
  Download accelarator.exe
  PaintShop Pro 7 Crack_By_Force.exe
  ZoneAlarm Pro KeyGen.exe
  porn.exe
  hotgirls.exe
  SM.exe
  Battlefield1942_bloodpatch.exe
  Unreal2_bloodpatch.exe
  UT2003_bloodpatch.exe
  AquaNox2 Crack.exe
  NBA2003_crack.exe
  FIFA2003 crack.exe
  C&C Generals_crack.exe
  UT2003_keygen.exe
  UT2003_no cd (crack).exe
  Age of Empires 2 crack.exe
  Anno 1503_crack.exe
  C&C Renegade_crack.exe
  Diablo 2 Crack.exe
  Gothic 2 licence.exe
  GTA 3 Crack.exe
  GTA 3 patch (no cd).exe
  Hitman_2_no_cd_crack.exe
  Mafia_crack.exe
  Neverwinter_Nights_licence.exe
  NHL 2003 crack.exe
  WarCraft_3_crack.exe
  Splinter_Cell_Crack.exe
  Battlefield1942_keygen.exe
  Winamp 3.8.exe
  MediaPlayer Update.exe
  UT2003_patch.exe
  ACDSee 5.5.exe
  DivX Video Bundle 6.5.exe
  Global DiVX Player 3.0.exe
  QuickTime_Pro_Crack.exe
  KaZaA Lite (New).exe
  iMesh 3.7b (beta).exe
  iMesh 3.6.exe
  KaZaA Hack 2.5.0.exe
  DirectDVD 5.0.exe
  Flash MX crack (trial).exe
  Ad-aware 6.5.exe
  WinZip 9.0b.exe
  SmartFTP 2.0.0.exe
  ICQ Lite (new).exe
  ICQ Pro 2003b (new beta).exe
  ICQ Pro 2003a.exe
  AOL Instant Messenger.exe
  Download Accelerator Plus 6.1.exe
  Trillian 0.85 (free).exe
  MSN Messenger 5.2.exe
  Network Cable e ADSL Speed 2.0.5.exe
  mIRC 6.40.exe
  GetRight 5.0a.exe
  Pop-Up Stopper 3.5.exe
  Yahoo Messenger 6.0.exe
  KaZaA Speedup 3.6.exe
  Nero Burning ROM crack.exe
  WindowBlinds 4.0.exe
  Animated Screen 7.0b.exe
  Living Waterfalls 1.3.exe
  Matrix Screensaver 1.5.src
  Popup Defender 6.5.exe
  Space Invaders 1978.exe
  SmartRipper v2.7.exe
  TweakAll 3.8.exe
  DVD Copy Plus v5.0.exe
  Serials 2003 v.8.0 Full.exe
  Zelda Classic 2.00.exe
  Need 4 Speed crack.exe
  Links 2003 Golf game (crack).exe
  Netfast 1.8.exe
  Guitar Chords Library 5.5.exe
  DVD Region-Free 2.3.exe
  Cool Edit Pro v2.55.exe
  Coffee Cup Free HTML 7.0b.exe
  Clone CD 5.0.0.3.exe
  Clone CD 5.0.0.3 (crack).exe
  Nimo CodecPack (new) 8.0.exe
  Business Card Designer Plus 7.9.exe
  Steinberg_WaveLab_5_crack.exe
  Hot Babes XXX Screen Saver.exe
  FreeRAM XP Pro 1.9.exe
  IrfanView 4.5.exe
  Audiograbber 2.05.exe
  WinOnCD 4 PE_crack.exe
  Final Fantasy VII XP Patch 1.5.exe
  BabeFest 2003 ScreenSaver 1.5.exe
  PalTalk 5.01b.exe
  DirectX Buster (all versions).exe
  DirectX InfoTool.exe
  Unreal2_crack.exe
  FlashGet 1.5.exe
  Babylon 3.50b reg_crack.exe
  mp3Trim PRO 2.5.exe
  play station emulator crack.exe
  play station emulator.exe
  warcraft 3 serials.pif
  warcraft 3 crack.exe
  100 free essays school.scr
  aol password cracker.exe
  aim password cracker aol cracker.exe
  aim cracker.exe
  steal usernames.exe
  how to hack.exe
  divx pro.exe
  how to use a shell.pif
  Virtua Girl (Full).exe
  worldbook.exe
  GTA 3 Serial.exe
  GTA 3 Crack.exe
  gta3.exe
  driver.exe
  virtua girl - adriana.pif
  virtua girl -bailey short skirt.pif
  Crack McAfee 7.exe
  Crack Norton 3000.exe
  Borland KeyGens.exe
  MP3 encoder_decoderV1.8.exe
  HackNTTools.zip .exe
  SophosCrackAllVersion.exe
  BitDefender.KeyGen.exe
  Nod32Crack.exe
  PANDA.lusers.exe
  PANDA.AVers.lusers.exe

The worm also creates the file awqewqed.dll in %SYSDIR%. It uses this file to store its own code, encoded for sending through e-mail.

It creates a thread that checks the registry keys listed above; if someone removes them, the thread adds them back.

After that the worm tries to send itself to randomly generated e-mail addresses. Those addresses are built by the rule %rndstring%@%rndserver%, where %rndstring% is a randomly generated string and %rndserver% is chosen from the following list: chello.nl, chello.pl, otenet.gr, earthlink.net, hotmail.com, adelphia.net, planet.nl, wanadoo.nl, wanadoo.fr, sympatico.ca, Gmx.net, Gmx.de, Btinternet.com, Verizon.net, BellAtlantic.net, Email.com

The worm sends itself by e-mail in the following format:
  From: %name% %name%@%rndserver%
    where %name% is a string randomly chosen from the following list: Ellen, John, Sandra, Kaylee, Sandy, Morgan, Peter, Michel, Marco, Margret, Horny
  Subject: Hi, I sent you an eCard from BlueMountain.com
  Body:
    To view your eCard, open the attachment
    If you have any comments or questions, please visit http://www.bluemountain.com/customer/index.pd
    Thanks for using BlueMountain.com.
  Attachment: BlueMountaineCard.pif

The worm uses the following hard-coded SMTP servers: smtp.chello.pl, mailsrv.otenet.gr, mx06.earthlink.net, mx4.hotmail.com, mail.adelphia.net, smtp01.wxs.nl, mx-1.wanadoo.nl, smtp.wanadoo.fr, smtp29.sympatico.ca, mx0.gmx.net, mx0.gmx.de, moongate.btinternet.com, relay.verizon.net, relay.bellatlantic.net, 205.158.62.23, mx1.hotmail.com, mx2.hotmail.com

The worm also tries to carry out a DoS attack against one address chosen at random: www.chat-planet.nl with a probability of 33% or chat.planet.nl with a probability of 66%.

Removal instructions:

ANALYZED BY: Sorin Victor Dudea, BitDefender Virus Researcher
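As an added example (not BitDefender's code), a mail-gateway check that flags a message matching the mailing format described above. The indicator sets are copied from the description; the sample message is constructed here.

```python
# Added example, not BitDefender's code: flag a raw e-mail that matches the
# Win32.Cult.B@mm mailing pattern (indicators taken from the description).
from email import message_from_string, policy
from email.utils import parseaddr

SENDER_NAMES = {"Ellen", "John", "Sandra", "Kaylee", "Sandy", "Morgan",
                "Peter", "Michel", "Marco", "Margret", "Horny"}
RND_SERVERS = {"chello.nl", "chello.pl", "otenet.gr", "earthlink.net",
               "hotmail.com", "adelphia.net", "planet.nl", "wanadoo.nl",
               "wanadoo.fr", "sympatico.ca", "gmx.net", "gmx.de",
               "btinternet.com", "verizon.net", "bellatlantic.net", "email.com"}
SUBJECT = "Hi, I sent you an eCard from BlueMountain.com"
ATTACHMENT = "bluemountainecard.pif"

def cult_b_indicators(raw):
    """Return the set of indicator names matched by a raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = set()
    name, addr = parseaddr(msg.get("From", ""))
    if name in SENDER_NAMES:
        hits.add("from-name")
    if addr.rpartition("@")[2].lower() in RND_SERVERS:
        hits.add("from-domain")
    if (msg.get("Subject") or "").strip() == SUBJECT:
        hits.add("subject")
    if any((p.get_filename() or "").lower() == ATTACHMENT for p in msg.walk()):
        hits.add("attachment")
    return hits

def is_cult_b(raw):
    """Subject plus .pif attachment is the strong pair; sender fields are spoofed."""
    return {"subject", "attachment"} <= cult_b_indicators(raw)

# Constructed sample in the exact format the description gives.
SAMPLE = """\
From: Sandra <sandra@hotmail.com>
Subject: Hi, I sent you an eCard from BlueMountain.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

To view your eCard, open the attachment
--b1
Content-Type: application/octet-stream; name="BlueMountaineCard.pif"
Content-Disposition: attachment; filename="BlueMountaineCard.pif"

placeholder-bytes
--b1--
"""
```

The sender name and domain are both drawn from common provider lists, so on their own they only raise the score; the fixed subject line and attachment name are what a gateway rule should key on.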