My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


18200 or 18432 bytes, packed


Presence of files Documents and Settings\Administrator\Start Menu \Programs\Startup\rx32hh00.exe and %SYSTEM%\winspf32.exe.
Presence of a file tmp*.tmp with a size of 234496 bytes.

Presence of registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinSPF = %SYSTEM%\winspf32.exe.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Version = FrankenShteiN
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Version = FrankenShteiN

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent

Removal instructions:

Delete the infected files and the registry keys.

Analyzed By

Alexandru Carp Bitdefender Virus Researcher

Technical Description:

This is a mass-mailer that also drops a backdoor. The file is downloaded from one the following urls:

and is downloaded to a temporary file ( with a temporary name ). This file's size is 234496 bytes.

It seems that there are more versions of this worm, which are just recompilations of the same source.

The worm creates a mutex called 'qwedefacedRDE'. It uses threads for searching for e-mail addreses
in the following file types: wab,xls,vbs,uin,txt,tbb,stm,sht,php,msg,mht,jsp,htm,eml,dht,dbx,cgi,cfg,asp.

It sends mail using it's own SMTP engine. The mails it uses to spread have the following characteristics:

From: spoofed address ( usually from

"Notice again"
"Private document"
"Re: Hello"
"Re: Hi"
"Re: Message"
"Re: Proof of concept"
"Re: Question"
"Re: Status"
"Re: Your document"
"read it immediately"
"Thank you!"
"You win!"

"Can you confirm it?"
"For further details see the attachment."...
"For more details see the attachment."
"Monthly news report."
"Please answer quickly!"
"Please confirm!"
"Please read the attached file!"
"Please read the document."
"Please see the attached file for detail"...
"Waiting for a Response. Please read the"...
"Your archive is attached."
"Your requested mail has been attached."
"I have attached document."
"Please confirm the document."
"Please read the attached file."
"Please read the important document."
"See attached file for details."
"See the file."

The body may also contain a string stating that the mail was found clean ("Attachment: No Virus found")
folowed by one of :
"Norton AntiVirus -"
"F-Secure AntiVirus -"
"Norman AntiVirus -"
"Panda AntiVirus -"
"Kaspersky AntiVirus -"
"MC-Afee AntiVirus -"
"Bitdefender AntiVirus -"
"MessageLabs AntiVirus -"

"document.doc .pif"
"doc.doc .pif"
"mesg.doc .pif"
"report.doc .pif"
"review.doc .pif"
"bill.doc .pif"
"doc.rtf .pif"
"mesg.rtf .pif"
"report.rtf .pif"
"review.rtf .pif"
"bill.rtf .pif"
"doc.txt .pif"
"mesg.txt .pif"
"report.txt .pif"
"review.txt .pif"
"bill.txt .pif"
"rep.txt .pif"
"Message.html .pif"