Win32.Moe.A@mm

LOW
LOW
38958 bytes
(Win32.Desos.A@mm)

Symptoms

- Graphic symptoms presented below …
- A file in the Windows directory with a name randomly generated from the string leginolasoPeyeguiEsmtpeglAdklityghbcxskalBxvqe (ex: uiEsm.exe).

Removal instructions:

  1. If you don't have BitDefender installed click here to download an evaluation version;

  2. Make sure that you have the latest updates using BitDefender Live!;

  3. Make the following changes in the Windows registry:

    Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry please read the FAQ.

    1. Select Run... from Start, then type regedit and press Enter;

    2. Go to the following key:
      HKLM\Software\Microsoft\Windows\CurrentVersion\Run
      and delete from the right pane the value:
      C:\%Windir%\%filename%

  4. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Moe.A@mm.

  5. Restore the affected files from backups.

Analyzed By

Sorin Victor Dudea, BitDefender Virus Researcher

Technical Description:

It comes in the following format:

From:
A random name generated from these texts:
First Name:
Mario, Enzo, Nadia, Gabriel, Federico,
Andrea, Laura, Patricia, Osvaldo, Sofia, Sandra, Javier, Cristina, Pablo, Cecilia,
Ariel, Silvia, Emilio, Flavia, Jorge.

Middle Name:
E., M., O., R., T., A., H., P., L.

Last Name:
Macchi, Rizzo, Rodrigue, Narvaez, Mosquera,
Montagna, Miranda, Armitano, Kohan, Lewin, Machado, Miller, Ibarra, Gutierre,
Castro, Godoy, Ferreira, Ferrer, Chiappe, Chiesa

Followed by a random e-mail address selected from the following addresses:
aldu5n_02@yahoo.com, mor8l_88@netscape.c,
lime@illusive.org, lemax7@compuserve.com, xnto_678@hotmail.com, lecs2462@yahoo.com,
4588bell@netscape.com, vvgro55@illusive.org, 4653_trey@compuserve.com, wer937@hotmail.com

Subject:
Randomly selected from the following list:
Subject: Seduccion
Subject: Humano
Subject: Musica
Subject: Mujer
Subject: Hombre
Subject: Confesion
Subject: Infidelidad
Subject: Belleza
Subject: Relaciones casuales
Subject: Tus deseos
Subject: Mi secreto
Subject: La clave
Subject: Enojo
Subject: Perdon
Subject: Responde!
Subject: Cita
Subject: Papelon
Subject: Renuncio
Subject: Monstruo
Subject: Joven


Body:
Randomly selected from the following list:
Cap.3 El arte de provocar.
El Ser Humano que pudiste ser.
Esta es la musica que te prometi.
La mujer mas bella...
Un hombre entero.
Ya sabes que fui yo?.
Las imagenes de tu infidelidad.
No estas conforme con tu apariencia?
Esta es la lista para esta semana.
Si te conforman, puedo enviar mas.
Recorda tu promesa!
No la vuelvas a perder, no abuses.
Cuando veas esto, se te pasa.
Crei que ya lo habia enviado.
Nunca respondiste. No seas cruel.
Me gusto lo que enviaste. Si te gusta, arreglamos.
Te dije que es demasiado gorda. Mira!
No puedo mejorarlo, ya es perfecto.
Ahora te creo. Pobre mujer!
Disculpa, sos demasiado joven para mi.


Attachment:
Randomly selected from the following list:
s_CAP3.EXE
HUMANO.EXE
MUSIC.EXE
MUJER.EXE
HOMBRE.EXE
CONFESION.EXE
INFIEL.EXE
BELLEZA.EXE
LISTArc.EXE
DESEOS.EXE
SECRETO.EXE
CLAVE.EXE
YO.EXE
FEOS.EXE
PASION.EXE
CITA2.EXE
GORDA.EXE
CUERPO.EXE
MONSTRUO.EXE
JOVEN.EXE



This worm contains two parts: a file infector and an I-Worm.
When the user opens the attachment, the file infector part searches the Windows directory for a file with a name randomly generated from the following string:
leginolasoPeyeguiEsmtpeglAdklityghbcxskalBxvqe

ex:
legin.exe
egino.exe
uiEsm.exe
, etc.
If it finds such a file, it executes it.
After that it searches the Windows and Windows\System directories for .exe and .scr files and infects 3 files in each directory. The virus infects files by enlarging the last section and appending itself to the end of the file.
If the date is the 28th of March, June, September or December (depending on the initial status of the virus) and it is past 11:00 AM, the payload routine is executed.



Payload:



It displays the following message box and the screen flashes until the computer
is restarted and the date is changed:




After the infection process finishes, the I-worm part is executed:

The worm verifies whether it already exists in the Windows directory and, if not, it copies itself under a name randomly generated from the following string:
leginolasoPeyeguiEsmtpeglAdklityghbcxskalBxvqe


Ex: Peyeg.exe
Esmtp.exe
LAdkl.exe

It then creates the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
C:\%Windir%\%filename% with value C:\%Windir%\%filename%
where %Windir% is the Windows directory and %filename% is the name generated above.
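
A triage check built from the two indicators above (the seed string and the Run entry), added here as an example and not BitDefender's own tooling. It assumes the generated name is a 5-character contiguous slice of the seed, which is inferred from the page's examples; the function names, the default `C:\Windows` path and the sample listing are constructed for illustration.

```python
import ntpath

# Seed string published in this write-up; the worm derives its file name from it.
SEED = "leginolasoPeyeguiEsmtpeglAdklityghbcxskalBxvqe"
NAME_LEN = 5  # assumption: inferred from the page's examples (legin, egino, uiEsm)


def candidate_names(seed=SEED, length=NAME_LEN):
    """Every contiguous window of the seed plus .exe, lower-cased because
    Windows file names are case-insensitive."""
    return {seed[i:i + length].lower() + ".exe"
            for i in range(len(seed) - length + 1)}


def suspicious_files(windir_listing):
    """Names from a Windows-directory listing that match a candidate name."""
    names = candidate_names()
    return sorted(f for f in windir_listing if f.lower() in names)


def suspicious_run_values(run_values, windir=r"C:\Windows"):
    """Run-key entries whose data points at a candidate name in the Windows dir.

    run_values: dict of value name -> data, e.g. parsed from a registry export
    of HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    """
    names = candidate_names()
    hits = []
    for value_name, data in run_values.items():
        folder, base = ntpath.split(data.strip().strip('"'))
        if base.lower() in names and folder.lower() == windir.lower():
            hits.append((value_name, data))
    return sorted(hits)


# Constructed sample data, not taken from a real host.
SAMPLE_LISTING = ["explorer.exe", "notepad.exe", "Peyeg.exe",
                  "regedit.exe", "LAdkl.exe"]
SAMPLE_RUN = {
    r"C:\Windows\Peyeg.exe": r"C:\Windows\Peyeg.exe",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    print(suspicious_files(SAMPLE_LISTING))
    print(suspicious_run_values(SAMPLE_RUN))
```

A name match is only a lead: a legitimate program could share a 5-letter name with one of the windows, so confirm any hit with a scanner before deleting the file or the Run value.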


If the worm was not executed from the Windows directory, it will display the following message box:





The worm gathers SMTP settings from the registry and searches for e-mail addresses in *.ht* files in the temporary directory.
If it finds any, it sends itself to those addresses in the same format in which it arrives.

The worm part will not try to send e-mails if there is no Internet connection available. At each execution the worm sends a maximum of 12 e-mails.
The worm also creates another registry key under

HKEY_LOCAL_MACHINE\Software
which it uses to mark the moments when it sends e-mails.