Win32.Antiman.C@mm
(Email-Worm.Win32.Antiman.c, W32.Antiman.A@mm, W32/Antiman-D, Win32.HLLW.Antimanele)

Spreading: high
Damage: medium
Size: 43,5 K
Discovered: 2005 May 06
SYMPTOMS:
The presence of the file startwin.exe in the startup folder and the file funny.scr in the Windows directory.
TECHNICAL DESCRIPTION:
The worm copies itself to the startup folder of the current user as startwin.exe and sets the HKU\Control Panel\Desktop\SCRNSAVE.EXE value to another copy of itself, C:\Windows\Funny.scr. It also makes further copies of itself on the disk, in every folder whose name contains one of the following substrings:
  shar
  download
  upload
  dc++
  kazza
  kituri
  xxx
  filme de pe net
under one of the following names, which refer to "manele" music, music and movie repair tools, or pornography:
  Nicolae Guta - ultimul album ( DD.MM.YYYY )._mp3.exe
  Adrian Copilul Minune - ultimul album ( DD.MM.YYYY )._zip.exe
  Chef de chef - cele mai noi manele noi ( DD.MM.YYYY ).exe
  Manele Collection ( YYYY ).exe
  Utilitar de cautare manele noi pe net.exe
  Manele - texte din toate manelele._txt.exe
  Program pentru vazut filme incomplet copiate.exe
  Program pentru ascultat melodii incomplet copiate.exe
  Pamela Anderson (filmul complet, 19 minute).exe
  Fetele de la Asia dezbracate.avii.exe
  Carmen la 16 ani - best blowjob sex xxx._avi_divx_.scr
  Porno la scoala._avi_divx_.scr
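The drop and persistence behaviour above gives a host-side analyst three concrete things to look for: the startup-folder copy, the screensaver value, and lure-named files inside share-like folders. The following is an added example (not BitDefender's tooling) that encodes those indicators as checks. The registry value and the Startup-folder path are taken as plain arguments so the logic runs on any OS; on a Windows host the caller would read them with winreg and the APPDATA environment variable (an assumption, not something the description states). The lure names with DD.MM.YYYY / YYYY are turned into digit patterns, and the sample directory tree in demo() is constructed here for illustration.

```python
"""Indicator checks for the Antiman.C drop/persistence behaviour (added example)."""
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Folder-name substrings the worm looks for before dropping a copy (from the description).
SHARE_SUBSTRINGS = ("shar", "download", "upload", "dc++", "kazza", "kituri", "xxx", "filme de pe net")

# Lure file names from the description; DD.MM.YYYY and YYYY are placeholders the worm fills in.
LURE_TEMPLATES = (
    "Nicolae Guta - ultimul album ( DD.MM.YYYY )._mp3.exe",
    "Adrian Copilul Minune - ultimul album ( DD.MM.YYYY )._zip.exe",
    "Chef de chef - cele mai noi manele noi ( DD.MM.YYYY ).exe",
    "Manele Collection ( YYYY ).exe",
    "Utilitar de cautare manele noi pe net.exe",
    "Manele - texte din toate manelele._txt.exe",
    "Program pentru vazut filme incomplet copiate.exe",
    "Program pentru ascultat melodii incomplet copiate.exe",
    "Pamela Anderson (filmul complet, 19 minute).exe",
    "Fetele de la Asia dezbracate.avii.exe",
    "Carmen la 16 ani - best blowjob sex xxx._avi_divx_.scr",
    "Porno la scoala._avi_divx_.scr",
)

_PLACEHOLDERS = {"DD.MM.YYYY": r"\d{2}\.\d{2}\.\d{4}", "YYYY": r"\d{4}"}


def _template_to_regex(template: str) -> re.Pattern:
    """Escape the literal parts of a lure name and turn the date placeholders into digit patterns."""
    parts = re.split(r"(DD\.MM\.YYYY|YYYY)", template)
    body = "".join(_PLACEHOLDERS.get(p, re.escape(p)) for p in parts)
    return re.compile(body, re.IGNORECASE)


LURE_REGEXES = tuple(_template_to_regex(t) for t in LURE_TEMPLATES)


def lure_name_matches(file_name: str) -> bool:
    """True if the file name is one of the worm's lure names (any date filled in)."""
    return any(rx.fullmatch(file_name) for rx in LURE_REGEXES)


def folder_is_share_like(folder_name: str) -> bool:
    """True if the folder name contains one of the substrings the worm targets."""
    name = folder_name.lower()
    return any(s in name for s in SHARE_SUBSTRINGS)


def find_dropped_copies(root: Path) -> list:
    """Files that sit directly in a share-like folder and carry a lure name."""
    return [
        p for p in sorted(root.rglob("*"))
        if p.is_file() and folder_is_share_like(p.parent.name) and lure_name_matches(p.name)
    ]


def screensaver_points_at_worm(scrnsave_value: str) -> bool:
    """True if the SCRNSAVE.EXE value names Funny.scr, the copy the worm registers."""
    return PureWindowsPath(scrnsave_value.strip().strip('"')).name.lower() == "funny.scr"


def startup_copy_present(startup_dir: Path) -> bool:
    """True if startwin.exe exists in the given Startup folder."""
    return (startup_dir / "startwin.exe").is_file()


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and run every check over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        constructed = (
            "Downloads/Manele Collection ( 2005 ).exe",      # share-like folder + lure name: hit
            "xxx clips/Porno la scoala._avi_divx_.scr",      # share-like folder + lure name: hit
            "Downloads/report.pdf",                          # share-like folder, benign name
            "music/Manele Collection ( 2005 ).exe",          # lure name, folder not share-like
        )
        for rel in constructed:
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed sample, not the worm")
        startup = root / "Startup"
        startup.mkdir()
        (startup / "startwin.exe").write_bytes(b"constructed sample, not the worm")
        return {
            "dropped_copies": [p.relative_to(root).as_posix() for p in find_dropped_copies(root)],
            "startup_copy": startup_copy_present(startup),
            "screensaver": screensaver_points_at_worm(r"C:\Windows\Funny.scr"),
        }


if __name__ == "__main__":
    print(demo())
```

The folder check looks only at the immediate parent name, matching the description's "folders with the name containing"; a copy of a lure name in an ordinary folder is reported by lure_name_matches alone, which is worth running over the whole tree during cleanup.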
Besides copying itself to possible shared folders, it uses an SMTP engine to spread itself as an e-mail attachment. It harvests e-mail addresses from the computer, searching the Outlook Inbox.dbx, Deleted Items.dbx and Outbox.dbx files and the Yahoo files. The e-mails sent take one of the following forms:

1) Subject: Poza de la mare...
   Body: Ti-am trimis ultima poza de la mare. Asta e?
   Attachment: scan_picture_0001._JPG.exe

2) Subject: Antivirus
   Body: Asta e ultimul antivirus. Ar trebui sa rezolve toate problemele.
   Attachment: antivirus.exe

3) Subject: Sex in camin
   Body: Ioana, sex in grup in camin. Cred ca o stii si tu ;)
   Attachment: ioana_divx._AVI.exe

4) Subject: Faza cu camila
   Body: :)))))))
   Attachment: camila.exe

5) Subject: De ce mor mai repede curiosii...
   Body: Nu deschide acest mesaj! E numai pentru persoanele prea curioase!
   Attachment: curiosii.exe

6) Subject: Antimanele
   Body: Daca nu mai suportati manelele la servici, tramvai, taxi, metrou, etc., trimiteti acest mesaj la toti prietenii dvs. ! Va multumesc (din suflet).
   Attachment: antimanele.exe

7) Subject: Votati astazi!
   Body: Credeti ca ar fi mai bine ca Romania sa-si retraga trupele din Irak anul acesta? Deschideti programul Vot, alegeti votul dvs. si vedeti rezultatele. Parerea dvs. conteaza!
   Attachment: vot.exe

8) Subject: Cu sau fara Manele ?
   Body: Credeti ca ar fi mai bine ca manelele sa fie interzise in Romania? Deschideti programul de votare, alegeti votul dvs. si vedeti rezultatele. Parerea dvs. conteaza!
   Attachment: vot_manele_DD.MM.YYYY.exe

9) Subject: Pentru Ionel
   Body: Draga Ionel Scuza-ma ca nu ti-am mai scris de mult timp, dar am avut ceva probleme cu calculatorul Ti-am promis ultima data pe chat o poza cu mine dezbracata... m-am gandit mult la asta si cred ca pana la urma cel mai bine e sa-ti trimit o poza. Sper sa-ti placa. Daca nu o sa-mi mai scrii dupa mesajul asta, o sa te inteleg... Roxana,
   Attachment: poza_roxana._JPG.exe

10) Subject: Cum a murit Papa?
    Body: Film cu moartea papei. Toate drepturile rezervate. Este interzisa modificarea continutului. Poate fi redistribuit. Asociatia Catolicilor Anonimi din Romania.
    Attachment: film_papa._avi._divx_.exe

11) Subject: Delivery Status (Failure)
    Body: This is an automatically generated Delivery Status Notification. Delivery to last recipient failed. Email returned as attachment text file.
    Attachment: failed message.txt.scr

12) Subject: Poza cu tine pe net???
    Body: Salut, Am vazut poza asta cu tine pe un site. Chiar tu esti? Sau s-ar putea sa semene doar cu tine...
    Attachment: Scan_.scr
The malware is intended to delete all the "manele" music on the infected computer, so it carries a list of:
  * singers: Liviu Guta, Liviu_Guta, Nicolae Guta, Nicolae_Guta, Copilul de aur, Copilul_de_aur, adi de la valcea, adi_de_la_valcea, adi de vito, ady de vito, florin salam, florin_salam, adrian & camy, stana isbasa, adrian cm, adrian copilul minune, adrian_copilul_minune, alina si costi, copilul de aur, dani de la deva, gabi din buzau, gabi de la giulesti, liviu pustiu, guta jr, guta & sorina, printesa ionela, don genove, jean de la craiova, cristian gusatu, ovidiu mititelu, sorinel pustiu, lucian seres, mihaela minune, minodora, n. guta, nico cu carbon, ....
  * words commonly used in song titles: as da zile de la mine, sunt seful vostru pana mor, chefdechef, chef de chef, dusmanii mei, plange sufletul, " jumatate tu, jumatate eu", ce le-nnebuneste pe femei, sa cante manelele, manele
Any .mp3 file whose name contains one of the above strings is deleted. An m.txt log file is created in the root directory, of the form:

  DD.MM.YYYY, HH:MM:SS PORNIT.
  DD.MM.YYYY, HH:MM:SS HDD...
  DD.MM.YYYY, HH:MM:SS HDD OK.
  DD.MM.YYYY, HH:MM:SS OUTLOOK...
  DD.MM.YYYY, HH:MM:SS OUTLOOK OK.
  DD.MM.YYYY, HH:MM:SS YAHOO...
  DD.MM.YYYY, HH:MM:SS YAHOO OK.
  DD.MM.YYYY, HH:MM:SS ADRESE @ GASITE: <number of e-mail addresses harvested from computer>
  DD.MM.YYYY, HH:MM:SS SEND MAIL...
  DD.MM.YYYY, HH:MM:SS SMTP TRY la <destination e-mail address> prin <server> ....
  DD.MM.YYYY, HH:MM:SS SMTP OK la <destination e-mail address>prin <server>
  DD.MM.YYYY, HH:MM:SS trimis la <destination e-mail address>prin <server>, (<email-subject>)
  DD.MM.YYYY, HH:MM:SS trimis la <destination e-mail address>prin <server>, (<email-subject>)
  DD.MM.YYYY, HH:MM:SS SEND MAIL OK.
  Finished.
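The m.txt log is the most useful artifact on an infected host during incident response, because it records how many addresses were harvested, which recipients the worm tried to mail and through which servers, and which lure subject each successful send used. The following parser is an added example (not BitDefender's code) built from the line formats in the description; the sample log is constructed here with placeholder addresses and server names. It tolerates both the spaced and the run-together "<address>prin <server>" forms, since the description shows both.

```python
"""Summarise the m.txt activity log written by Antiman.C (added example)."""
import re
from collections import Counter
from datetime import datetime

_STAMP = r"(?P<ts>\d{2}\.\d{2}\.\d{4}, \d{2}:\d{2}:\d{2}) "
_ANY_STAMPED = re.compile(_STAMP + r"(?P<rest>.*)$")
# One pattern per line type we care about; "\s*prin" accepts a missing space before "prin".
_PATTERNS = {
    "harvested": re.compile(_STAMP + r"ADRESE @ GASITE: (?P<count>\d+)"),
    "smtp_try": re.compile(_STAMP + r"SMTP TRY la (?P<rcpt>\S+)\s*prin (?P<server>\S+)"),
    "smtp_ok": re.compile(_STAMP + r"SMTP OK la (?P<rcpt>\S+)\s*prin (?P<server>\S+)"),
    "sent": re.compile(_STAMP + r"trimis la (?P<rcpt>\S+)\s*prin (?P<server>\S+?),\s*\((?P<subject>.*)\)\s*$"),
}


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%d.%m.%Y, %H:%M:%S")


def summarize(text: str) -> dict:
    """Return harvested count, attempted/failed recipients, deliveries and the run's time span."""
    harvested = None
    tried, ok_rcpts, delivered = [], set(), []
    started = last = None
    for raw in text.splitlines():
        line = raw.strip()
        stamped = _ANY_STAMPED.match(line)
        if stamped:  # track the run's time span from every stamped line
            t = _ts(stamped["ts"])
            last = t
            if stamped["rest"].startswith("PORNIT"):
                started = t
        for kind, rx in _PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            if kind == "harvested":
                harvested = int(m["count"])
            elif kind == "smtp_try":
                tried.append(m["rcpt"])
            elif kind == "smtp_ok":
                ok_rcpts.add(m["rcpt"])
            elif kind == "sent":
                delivered.append({"rcpt": m["rcpt"], "server": m["server"],
                                  "subject": m["subject"], "time": _ts(m["ts"])})
            break
    failed = [r for r in tried if r not in ok_rcpts]
    duration = int((last - started).total_seconds()) if started and last else None
    return {
        "harvested": harvested,
        "attempts": len(tried),
        "delivered": delivered,
        "failed": failed,
        "per_server": dict(Counter(d["server"] for d in delivered)),
        "started": started,
        "duration_seconds": duration,
    }


# Constructed sample log following the documented format (placeholder addresses and servers).
SAMPLE_LOG = """\
06.05.2005, 10:15:01 PORNIT.
06.05.2005, 10:15:02 HDD...
06.05.2005, 10:17:40 HDD OK.
06.05.2005, 10:17:41 OUTLOOK...
06.05.2005, 10:17:45 OUTLOOK OK.
06.05.2005, 10:17:45 YAHOO...
06.05.2005, 10:17:46 YAHOO OK.
06.05.2005, 10:17:46 ADRESE @ GASITE: 3
06.05.2005, 10:17:47 SEND MAIL...
06.05.2005, 10:17:48 SMTP TRY la alice@example.test prin mx.example.test ....
06.05.2005, 10:17:50 SMTP OK la alice@example.testprin mx.example.test
06.05.2005, 10:17:52 trimis la alice@example.testprin mx.example.test, (Poza de la mare...)
06.05.2005, 10:17:53 SMTP TRY la bob@example.test prin mx.example.test ....
06.05.2005, 10:18:20 SMTP TRY la carol@example.test prin mail.example.test ....
06.05.2005, 10:18:22 SMTP OK la carol@example.testprin mail.example.test
06.05.2005, 10:18:25 trimis la carol@example.testprin mail.example.test, (Antivirus)
06.05.2005, 10:18:26 SEND MAIL OK.
Finished.
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The "failed" list (recipients with an SMTP TRY but no SMTP OK) and the "per_server" counts are what you would hand to the mail team to trace outbound connections and warn recipients; the subjects in "delivered" identify which of the twelve lures were used.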
Removal instructions:
Please let BitDefender delete your infected files.
ANALYZED BY:
Boeriu Laura, virus researcher