Symptoms
Folder C:\Eiram with the file quake4setup.exe
File F:\quake4setup.exe
Removal instructions:
- If you don't have BitDefender installed click here to download an evaluation version.
- Make the following changes in the Windows registry:
Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry please read the FAQ.
- Select Run... from Start, then type regedit and press Enter;
- Delete the following keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Q4
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Quake
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Q4
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Quake
- Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Eiram.A@mm.
Analyzed By
Costin Ionescu BitDefender Virus Researcher
Technical Description:
This is an Internet worm that pretends to be a demo for Quake 4 and contains a payload which destroys executables and documents. The worm arrives by e-mail as an attached file. The e-mail looks like this:
From:
Subject: one of the following:
Something very special I know you will like this Yes, something I can share with you Wait till you see this! A brand new game! I hope you enjoy it
Body: contains:
This is something you have to see! Till next time Is Internet that safe? Hey you, take a look at the attached file. You won't believe your eyes when you open it! You like games like Quake? You will enjoy this one. Did you see the pictures of me and my battery operated boyfriend? My best friend. Check it out
Attachment: one of these names:
quake4demo.exe
setup.exe
honey.exe
An example of such an e-mail is this:

When executed, the virus displays the following image:

In the meantime it copies itself to the Windows directory and creates the folder C:\Eiram, where it copies the file quake4demo.exe. This is probably a bug, because this copying will work only if the attachment is quake4demo.exe. If c:\Eiram already exists, it tries to copy itself to the root of drive F:.
After copying, it writes the following keys so that it is restarted at every Windows session:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Q4 with the value c:\eiram\quake4demo.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Quake with the value f:\quake4demo.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Quake with the value f:\quake4demo.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Q4 with the value c:\eiram\quake4demo.exe
It also randomly overwrites some files in the current directory (the first time, this is the Temp directory) and in the System directory that have the extensions exe, ocx, xls, doc, htm, html, mdb, with the text:
You've didn't protected your files well enough
Let this be a lesson! Never trust someone else
eiram 1999-2001
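The Run entries listed above can be checked for in saved `reg query` output from the HKLM and HKCU Run keys. The following is an added example, not part of the original BitDefender write-up; it assumes the standard `reg query` text layout, and the sample output and function names are constructed for illustration.

```python
import re

# Indicators taken from this write-up: Run value names and the paths they point to.
IOC_NAMES = {"q4", "quake"}
IOC_PATHS = {r"c:\eiram\quake4demo.exe", r"f:\quake4demo.exe"}

# A `reg query` value line: 4 spaces, value name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+) {4}(?P<data>.*)$")

def parse_reg_query(text):
    """Yield (key, name, type, data) for every value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        else:
            m = VALUE_LINE.match(line.rstrip())
            if m and key:
                yield key, m["name"], m["type"], m["data"]

def find_eiram_run_entries(text):
    """Return Run entries whose name or target matches the indicators above."""
    hits = []
    for key, name, _type, data in parse_reg_query(text):
        if not key.lower().endswith(r"\currentversion\run"):
            continue  # only the autostart keys named in the write-up
        target = data.strip().strip('"').lower()
        checks = (("name", name.lower() in IOC_NAMES), ("path", target in IOC_PATHS))
        reasons = [label for label, matched in checks if matched]
        if reasons:
            hits.append((key, name, data, "+".join(reasons)))
    return hits

# Constructed sample output (not captured from a real host).
SAMPLE = "\n".join([
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"    Q4    REG_SZ    c:\eiram\quake4demo.exe",
    r"    Backup Agent    REG_SZ    C:\Program Files\Backup\agent.exe",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"    Quake    REG_SZ    F:\QUAKE4DEMO.EXE",
    r"    Q4 Launcher    REG_SZ    C:\Games\q4.exe",
])

if __name__ == "__main__":
    for hit in find_eiram_run_entries(SAMPLE):
        print(hit)
```

An entry flagged only by "name" has one of the listed value names but a different target, so it needs a manual look before deletion.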