Malware type: Worm
Alias:
W32.Blackmal.E@mm, Kama Sutra, W32/MyWife.d@MM, Email-Worm.Win32.Nyxem.e, JS/Blackmal.F, W32.Blackmal.E@mm, W32/Kapser.A@mm, W32/MyWife
Additional Aliases:
Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.VB.bi, I-Worm.VB.bi, Kama Sutra, Nyxem.E, Small.KI@mm, W32/Grew.A!wm, W32/Kapser.A@mm, W32/MyWife.d@MM!M24, W32/Nyxem-D, W32/Small.KI, W32/Tearec.A.worm, W32/Tearec.A.worm!CME-24, Win32.Blackmal.e, Win32.Nyxem.F@mm, Win32.VB.bi, Win32/Blackmal.F!Worm, Win32/Blackmal.F, Win32/VB.NEI worm, Win32:VB-CD [Wrm], Worm.P2P.VB.CIL!CME-24, Worm.VB-8, Worm.VB.bi, Worm/KillAV.GR
Also Known As:
CME-24, Win32.Blackmal.F [Computer Associates], Email-Worm.Win32.Nyxem.e [F-Secure], Email-Worm.Win32.Nyxem.e [Kaspersky], W32/MyWife.d@MM [McAfee], W32/MyWife.d@MM!M24 [McAfee], Win32/Mywife.E@mm [Microsoft], W32/Small.KI@mm [Norman], Tearec.A [Panda Software], W32/Nyxem-D [Sophos], WORM_GREW.{A, B} [Trend Micro]
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Size: 95744
Tuesday, July 25, 2006
Thursday, July 20, 2006
Worm/Levona.A
File size: 43,008 bytes
Aliases:
• Mcafee: W32/Avon@MM
• Kaspersky: Email-Worm.Win32.Levona.a
• TrendMicro: WORM_LEVONA.A
• VirusBuster: iworm I-Worm.Levona.A
• Eset: Win32/Levona.A worm
• Bitdefender: Win32.Worm.Levona.A
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Effects:
• Disables security applications
• Lowers security settings
• Modifies the registry
It copies itself to the following locations:
• %SYSDIR%\Emma.exe
• %SYSDIR%\Nova.exe
• %SYSDIR%\Alisa.exe
• %WINDIR%\Mstry.exe
• C:\Program Files\Common Files\Renova.exe
• D:\Program Files\Common Files\Renova.exe
• E:\Program Files\Common Files\Renova.exe
• F:\Program Files\Common Files\Renova.exe
• G:\Program Files\Common Files\Renova.exe
• c:\winnt\regedit.exe
• c:\windows\regedit.exe
• c:\winnt\system32\regedit.exe
• c:\windows\system32\regedit.exe
• D:\winnt\regedit.exe
• D:\windows\regedit.exe
• D:\winnt\system32\regedit.exe
• D:\windows\system32\regedit.exe
• E:\winnt\regedit.exe
• E:\windows\regedit.exe
• E:\winnt\system32\regedit.exe
• E:\WINDOWS\system32\regedit.exe
• F:\WINNT\regedit.exe
• F:\WINDOWS\regedit.exe
• F:\WINNT\system32\regedit.exe
• F:\WINDOWS\system32\regedit.exe
• G:\WINNT\regedit.exe
• G:\WINDOWS\regedit.exe
• G:\WINNT\system32\regedit.exe
• G:\WINDOWS\system32\regedit.exe
• c:\windows\System\msconfig.exe
• c:\windows\system32\msconfig.exe
• c:\winnt\system32\msconfig.exe
It tries to execute the following files:
– Filenames:
• %SYSDIR%\Emma.exe
• %SYSDIR%\Alisa.exe
The following registry keys are added in order to run the processes after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Renova = Nova.exe
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• Shell = %PROGRAM FILES%\Common Files\Renova.exe
The following registry keys are added:
– [HKCU\Software\Policies\Microsoft\Windows\System]
• DisableCMD = 0
– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
• DisableConfig = 1
• DisableSR = 1
The following registry keys are changed:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
Old value:
• ProductName = %user defined settings%
• RegisteredOrganization = %user defined settings%
• RegisteredOwner = %user defined settings%
• ProductId = %user defined settings%
New value:
• ProductName = RENOVA
• RegisteredOrganization = XENOVA
• RegisteredOwner = RENOVA
• ProductId = RENOVA
– [HKCU\Software\Microsoft\Windows\CurrentVersion]
Old value:
• RegisteredOrganization = %user defined settings%
• RegisteredOwner = %user defined settings%
• ProductId = %user defined settings%
• ProductName = %user defined settings%
New value:
• RegisteredOrganization = XENOVA
• RegisteredOwner = RENOVA
• ProductId = RENOVA
• ProductName = RENOVA
– [HKCU\Control Panel\Desktop]
Old value:
• AutoEndTasks = 0
New value:
• AutoEndTasks = 1
– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
Old value:
• AlternateShell = cmd.exe
New value:
• AlternateShell = %PROGRAM FILES%\Common Files\Renova.exe
– [HKLM\SYSTEM\ControlSet%number%\Control\SafeBoot]
Old value:
• AlternateShell = cmd.exe
New value:
• AlternateShell = %PROGRAM FILES%\Common Files\Renova.exe
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• Shell = explorer.exe
• Userinit = explorer.exe
New value:
• Shell = explorer.exe %PROGRAM FILES%\Common Files\Renova.exe
• Userinit = explorer.exe %PROGRAM FILES%\Common Files\Renova.exe
Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• DisableRegistryTools = 1
• DisableTaskMgr = 1
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• DisableRegistryTools = 1
Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
Old value:
• Type = checked
New value:
• Type =
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
Old value:
• CheckedValue = %user defined settings%
• DefaultValue = %user defined settings%
New value:
• CheckedValue = 2
• DefaultValue = 2
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
Old value:
• CheckedValue = %user defined settings%
• DefaultValue = %user defined settings%
New value:
• CheckedValue = 1
• DefaultValue = 2
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
Old value:
• CheckedValue = %user defined settings%
• DefaultValue = %user defined settings%
New value:
• CheckedValue = 1
• DefaultValue = 1
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Old value:
• Hidden = %user defined settings%
• HideFileExt = %user defined settings%
New value:
• Hidden = 2
• HideFileExt = 1
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• NoDriveTypeAutoRun = 91
• NoSaveSettings = 0
• NoFolderOptions = 0
• NoFind = 1
• NoRun = 0
• NoControlPanel = 0
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
New value:
• NoFolderOptions = 0
• NoControlPanel = 0
• NoFind = 1
• NoRun = 0
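The registry changes listed above are what a responder would look for on a suspect machine. As an added defender-side example, not part of the original description, the following Python script parses a Windows registry export in .reg text form (as produced by Regedit or `reg export`) and flags the entries the description attributes to the worm: a second program appended to the Winlogon Shell or Userinit value, a replaced Safe Mode AlternateShell, Run entries launching Renova.exe or Nova.exe, and the Registry Editor, Task Manager and System Restore policies. The function names, the rule list and the sample export are constructed for this example.

```python
"""
Check a Windows registry export (.reg text) for the persistence and
policy changes attributed to Worm/Levona.A above. Added example; the
function names, rules and sample export are constructed, not part of
the original description.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Regedit exports use the long hive names; the description uses the short
# ones, so keys are normalised to the short form for matching.
HIVE_ABBREV = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_USERS": "HKU",
}

# "name"=data  or  @=data  (default value)
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: value}} from .reg text.
    REG_SZ values become unescaped strings, REG_DWORD values become ints,
    any other type is kept as its raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = HIVE_ABBREV.get(hive.upper(), hive) + "\\" + rest
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(2) else _unescape(m.group(1))
        data = m.group(3).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value: object = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][name] = value
    return keys


def _names_several_programs(value: object) -> bool:
    # Shell and Userinit should name one program; the worm appends its own
    # executable after explorer.exe, so count the .exe tokens.
    return isinstance(value, str) and len(re.findall(r"\.exe\b", value, re.I)) > 1


def _is_one(value: object) -> bool:
    return value == 1


# (key pattern, value name or None for any value, predicate, finding text)
RULES: List[Tuple[str, Optional[str], Callable[[object], bool], str]] = [
    (r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$", "Shell",
     _names_several_programs, "extra program appended to Winlogon Shell"),
    (r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$", "Userinit",
     _names_several_programs, "extra program appended to Winlogon Userinit"),
    (r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Control\\SafeBoot$", "AlternateShell",
     lambda v: isinstance(v, str) and v.strip().lower() != "cmd.exe",
     "Safe Mode AlternateShell replaced (default is cmd.exe)"),
    (r"\\CurrentVersion\\Run$", None,
     lambda v: isinstance(v, str) and re.search(r"renova|\bnova\.exe", v, re.I) is not None,
     "Run entry launches Renova.exe / Nova.exe"),
    (r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$",
     "DisableRegistryTools", _is_one, "Registry Editor disabled by policy"),
    (r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System$",
     "DisableTaskMgr", _is_one, "Task Manager disabled by policy"),
    (r"^HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore$",
     "DisableSR", _is_one, "System Restore disabled by policy"),
]


def find_indicators(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, finding) for every rule that matches."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        for pattern, wanted, check, finding in RULES:
            if not re.search(pattern, key, re.I):
                continue
            for name, value in values.items():
                if wanted is not None and name.lower() != wanted.lower():
                    continue
                if check(value):
                    hits.append((key, name, finding))
    return hits


# Constructed sample export: an infected Winlogon/SafeBoot/Run state next to
# two benign values (Userinit and ctfmon) that must not be flagged.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\Program Files\\Common Files\\Renova.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\Program Files\\Common Files\\Renova.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Renova"="Nova.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, finding in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{finding}: [{key}] {name}")
```

The Shell/Userinit rule counts executables rather than comparing against a fixed default, so it also catches variants that append a different file name; the AlternateShell rule is stricter because that value has a single legitimate default.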
It uses the Messaging Application Programming Interface (MAPI) to send replies to emails stored in the inbox. The replies have the following characteristics:
From:
The sender address is the user's Outlook account.
Email design:
To: %original sender%
Subject: Re: %original subject%
Body:
• Sorry, Saya lupa nih :)
Attachment:
• Nova.scr
The attachment is a copy of the malware itself.
The email looks like the following:

To infect other systems on the peer-to-peer network, it retrieves the shared folder by querying the following registry key:
• \Software\Kazaa\Transfer\DlDir0
List of processes that are terminated:
• GUNBLADE.EXE
• CAV.EXE
Processes matching one of the following strings are terminated:
RABIAH; RABI'AH; MANTIK; PLATO; KINDI; IMAMAH; MATURID; HARUN NAS; IZUTSU; TEOLOGI; SUFI; PARTAI; HASAN ALBANA; IKHWANUL MUSLIMIN; TAHRIR; ARISTOTELES; GIBRAN; GHAZALI; IHYA; GENDER; PLURALISME; SYIAH; SYI'AH; DEMOCRA; DEMOKRA; LIBERAL; TASAWUF; SAMIR; YUNAN; QUTH; EMANSIP; PHILOSOP; MUTAZILAH; MU'TAZILAH; FILOSOF; FILSAFAT; REALPLAYER; CLEANER; MOVZX; REMOVER; ZANDA; MACHINE; CILLIN; CILIN; AVAST; GRISOFT; PROCEXP; NORTON; EARTHLINK PROTECTION; WASHER; ERTANTO; COMPACTBYTEAV; ADVANCED REGISTRY TRACER; KILL; CASTLECOPS; SOPHOS; F-SECURE; REGISTRYFIX; PANDA; SECUNIA; TREND; SYMANTEC; KASPERSKY; AVG; MCAFEE; NVC; NORMAN; VAKSIN; HACKER; COMMAND PROMPT; PROCESS EXPLORER - SYSINTERNALS; SYSTEM32; PCMAV; HIJACK; KILLBOX; FOLDER OPTION; CMD; WORM; TROJAN; VIRUS; ANTI; COMMAND BRO!!!; COMMAND BRO !!!; JOWOBOT; FAJAR; SATRIO; KANTUK; KANGEN; CUEX; EVANTA; BORAX; TITTA; CODE-X; MONTELLA; MONTELA; FERDINAND; CAMPBEL; CRUZ; ADRIANO; KAHN; RECOBA; FIGO; RAUL; GONZALES; CISSE; GERRAD; LAMPARD; TERRY; RIVALDO; GATUSO; GATTUSO; VAN DE; SHEARER; AIMAR; CLAUDIO; LOPEZ; TOLDO; CANNAVARO; NESTA; UMIT; HAKAN; LARSON; LARSSON; ETO O; ETO'O; MOVIC; MIDO; FABREGAS; HENRY; BARTHEZ; MANCINI; GILARD; BATIGOL; BATISTUA; TOTTI; COLE; OWEN; DIDA; RONALDINHO; TREZEG; ROBINHO; CARLOS; ROBERTO; RONALDO; MARADONA; PELE; VIDUKA; SALAS; KEWEL; PERUZZI; HOWARD; ZANETI; ZANETTI; GIGGS; ROONEY; BUFFON; VIERI; PIRLO; KAKA; ZLATAN; DECO; SHEVA; SHEVCHENKO; INZAGHI; PIERO; BECKHAM; BOCA J; BORDEUX; MONACO; MUNICH; MUNCHEN; DORTMUND; LEVERKUSEN; SEVILLA; VALENCIA; BARCA; BARCEL; MADRID; PARMA; LAZIO; ROMA; INTER; MILAN; JUVE; NEWCASTLE; LIVERPOOL; ARSENAL; CHELSEA; MANCHESTER; CUMBU; KISS; CIUM; RAYU; JULIET; ROMEO; VALENTINE; HENTAI; MANGA; ANIM; SUCK; FUCK; NAKE; NUDE; TEEN; GIRL; PORN; SEKS; SEX; THOMAS; JEREM; MAYANG S; NIA R; ZAYANT; DEWI; ANJASMARA; DIAN S; DIAN N; SOPIA; SOPHIA; MAYANG SARI; CUT KEKE; FEBIOLA; FEBY; JIHAN; CUT TARI; RIKE DIAH; WIBOWO; SARAH; AZAHRI; AZHARI; RIRIN; RATNASARI; TAMARA; 
ZUBIR; PRIMUS; REVALDO; ENNO LERIAN; ENO LERIAN; DIAH; KADIR; DOYOK; ULFA; KOMENG; JENIFER; JENNIFER; DICAPRIO; KRISTIN; ANGELLI; LEONARDO; KATE WIN; EMMA WATSON; HARY POTTER; HARRY POTTER; GOSSIP; GOSIP; SASTRA; SENI; ARTIS; BOLYWOOD; HOLYWOOD; SINETRON; VAGANZA; CELEBRI; SELEB; TSUBASA; SLAM DUNK; SAMURAI-X; SAMURAI X; HATTORI; HATORI; KABUTO; SHIZUKA; DORAEMON; NOBITA; INUYASHA; KENSHIN HIMURA; KOTARO MINAMI; KYOKO; EMIKO SHIRATORI; FAYE WONG; UEMATSU; NUOBUO; NOUBUO; NOBUO; NUBUO; MADONNA; MADONA; BENNINGTON; BENINGTON; GUN AND ROSE; GUN N ROSE; BLUR; SAMMY; PEARL; NAZARE; FRENTE; CRANBER; RADIOHEAD; RADIO HEAD; STING; SAYBIA; KEANE; GROBAN; ALTER; STEFAN; GWEN; MAROON; ANTHEM; GROOVE COVARAGE; PRODIGY; AGUILERA; BEDING; METALLICA; GUN N'ROSES; ALICIA KEYS; TATA YOUNG; BOY ZONE; MICHEL; MICHAEL; MICHEAL; MLTR; MARTYN; MARTIN; SCORPION; LINKIN PARK; LINKINPARK; GREEN DAY; GREENDAY; HOOBASTANK; PETER; WEST; SPICE; BRITNEY; DEDI DOR; NIA DANIAT; DAHLIA; NIKE ARD; BAGASKARA; KATON; NAFF; TITIK PUSPA; TITIEK PUSPA; DELON; SNADA; JOSHUA; SHERINA; SERIEUS; SERIUES; SEURIUS; 10 2 5; TENTOFIVE; TEN2FIVE; 10 TO 5; TEN TO FIVE; TEN 2 FIVE; CHRISYE; SO7; SHEILA; GLENN; AURIL; AVRIL; OPICK; AGNES; ANANG; NUGIE; HADAD; HADDAD; AB THREE; REZA; CAFEIN; CAFFEIN; RATU; RADJA; LALUNA; THE RAIN; UTOPIA; SPARK; BASEJAM; ENDANK; JAVA JIVE; MARCEL; BUNGLON; ANDRE HEHANU; FLANELA; BAIM; CANDIL; KOES P; MINORU; NUNO; YOVI; AUDY; TERE; WAYANG; BASE JAM; JIKUSTIK; SAMSON; PAS BAND; BOOMERANG; NAIF; COKELAT; KAPTEN BAND; TIC BAND; JAMRUD; KOTAK BAND; AMERICAN IDOL; INDONESIAN IDOL; TEAM LO; BUNGA; TIPE-X; TIPE X; ELEMENT; EMINEM; RAIHAN; RAYHAN; MELY; MELLY; UNGU; STINGKY; SLANK; INUL; PADI; IWAN FAL; ADABAND; ADA BAND; ROSA; KRISDAYANTI; NURHALIZA; DEWA; ARY LASO; ARY LASSO; ARI LASO; ARI LASSO; GIGI; THE 0THERS; CHEER; DANCE; SING; SONG; MP 3; MP3; MARAWIS; NASYID; DANGDUT; MELODI; MELODY; SENANDUNG; IRAMA; GITAR; GUITAR; NYANYI; LAGU; WINAMP; MUSIK; MUSIC; DANIAT; PHILOSO; FUNNY; 
MALAS; SOUND; JPG; JPEG; RAGNAROK; FANTASY; IKHWANUL; ARISTO; PLURAL; GAME; DEMOC; DEMOK; FAKE; NORWE; REMOVE; PROTECT; COMPACT; REGISTRY; CASTLE; SOPH; SECUR; MCAFE; DEEP; HIJA; VIR; CRACK; HACK; ACT; BECK; GAMB; FOTO; PHOTO; KASIH; TUNANG; PACAR; CINTA; LOVE; JULIE; ROME; VALENT; LEONARD; KATE W; EMMA WAT; HARY; POTTER; HARRY; ART; BOLY; HOLY; SINE; EMIKO; WONG; FAYE; UEMA; NUO; NOB; NUB; MADO; BENING; BENNING; ROSE; GUN; ZONE; BOY; MICH; MART; SCORP; LINKIN; GREEN; HOOB; RIF; DEDI D; NIKE; PUSPA; JOSH; SHERIN; TEN TO; TEN 2; CHRIS; POTRET; NUGI; AUDI; AMERICA; ELEMEN; DANG
The memory of running processes is searched for the following strings; a process in which one is found is terminated:
XMPLAYER.EXE; REALPLAY.EXE; ACDSEE.EXE; ALOGSERV.EXE; CM GRDIAN.EXE; CMGRDIAN.EXE; RULAUNCH.EXE; VSMAIN.EXE; AVPCC.EXE; AVPM.EXE; AVP32.EXE; AVWUPSRV.EXE; AVGNT.EXE; AVWIN.EXE; AVGEMC.EXE; AVGWB.DAT; AVGCC.EXE; TROJAN GUARDER.EXE; ASHSIMPL.EXE; ASHQUICK.EXE; OPERA.EXE; FIREFOX.EXE; IEXPLORE.EXE; TASKMGR.EXE; EMUSICCLIENT.EXE; ART.EXE; NAVW32.EXE; CCLAW.EXE; NVCOD.EXE; WINAMP.EXE
Processes containing one of the following window titles are terminated:
CompactbyteAV; Advanced Registry Tracer; Setup - iKnowPS; iKnowPS; RamCleaner; System Cleaner; TuneUp RegistryCleaner; Antivirus Scanner; Zanda's little helper; Norman Generic Fix; NVC v5.81 Setup; Norman Virus Control - InstallShield Wizard; Process Explorer - Sysinternals: www.sysinternals.com; Pocket Killbox; RegCleaner 4.1 by Jouni Vuorio; Security Task Manager Versi shareware tanpa registrasi; Security Task Manager; Installation; EULA; PowerDVD; Windows Media Player; Microsoft Configuration Utility; System Restore; System Configuration Utility; Restrictions; Registry Editor; Close Programs; Close Program; Task Manager; Windows Script Host; HijackThis; HijackThis - v1.99.1; Getting Started with Windows 2000; Folder Options
Mutex:
It creates the following Mutexes:
• Renova Aliciana
• Renova Emira
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
• UPX
Thursday, July 13, 2006
List of Viruses 2005 - 2006
Bagle.CP, Bagle-CP.msg, BACKDOOR, w32/Brontok-1, w32.Brontok-3, Brontok-4, Brontok-5.A, Brontok-5.B, Brontok-10.A, Brontok-10.B, Brontok-12.A, Brontok-12.B, Brontok-12.C, Brontok-14.A, Brontok-14.B, Brontok-14.C, Brontok-15, Brontok-16.A, Brontok-16.B, Brontok-16.C, Brontok-17.A, Brontok-17.B, Brontok-17.C, Brontok-17.D, Brontok-17.E, Brontok-18R.A, Brontok-18R.B, Brontok-22.MyBro, Brontok-22.MyBro.msg, Brontok.Downloader, Brontok-Sensasi.A, Brontok-Sensasi.B, Brontok-Sensasi.C, Brontok-Laknats, brontok.z BlueFantasy, BlueFantasy-msg, brontok.gn/rontokbro.gn, brontok.go/rontokbro.go, Borax, Win32/Bagle.EH, Win32/Bagle.EF, Win32/Bagle.EG, Win32.Mydoom.N, Win32.Netsky.P, Cendrawasih, Decoil.A, Decoil.A-2, Decoil.A-3, w32/Detnat.a, w32.Detnat.b, Detnat.c, Detnat.d, Detnat.e, Detnat.f, Detnat.g, Diary, Dodol, Dodol.msg-A, Dodol.msg-B, Dodol.msg-C, Dodol.msg-D, Dodol.msg-E, Dian sastro, W32.Ecup, W32.Ecup!p2p, FunLove, Hopelessly, Infostealer.Orcu, Jeefo, KamaSutra, KamaSutra.htt, Kantuk, Komodo, W32/Kraze.a, LiveForever, MyTob.AL, MyTob.V, mywife, NeverShow, Patient, Pctattletale, Pinfi.a, Qhosts.B, RomanticDevil, RomanticDevil.pic, RomanticDevil.msg, RomanticDevil.htm, RomanticDevil.vbs, Riani jangkaru, W32.Serwab@mm, Shuriken, SomeFool.P, SomeFool.Z, stenit, Tomero, Tomero.doc, worm/vb.cj, w32/vb.cj, Wukill, W32.Icogon, Trojan.Hlinic.B, W97M.Kukudro.A, Kukudro.A, WM97/Kukudro-A, Backdoor.Beasty.J, Trojan.Exobre, BAT.Antir, W32.Kidala.E@mm, Trojan.Hlinic, Downloader.Booli.B, Perl.Lekbot.B, Backdoor.Pahador, Trojan.Kuserv, Backdoor.Rajump, SymbOS.Commdropper.F, Commdropper.C [F-Secure], W32.Amirecivel.E@mm, SymbOS.Commwarrior.N, Commwarrior.H [F-Secure], SymbOS.Commwarrior.M, Commwarrior.N [F-Secure], SymbOS.Commdropper.G, Commdropper.H [F-Secure], SymbOS.Dropper.A, Trojan.Flemex, W32.Kraze, W32.Beagle.FG@mm, W32/Bagle.fb!pwdzip [McAfee], SymbOS.Romride.H, Romride.H [F-Secure], SymbOS.Romride.G, Romride.G [F-Secure], SymbOS.Romride.F, Romride.F [F-Secure], 
W32.Beagle.FF@mm, W32/Bagle.fb@MM [McAfee], W32/Bagle-KL [Sophos], W32/Bagle-KM [Sophos], Trojan.Rootserv, Hacktool.Rootkit, Infostealer.Nailmews, Downloader.Centim, Infostealer.Orcu, MSIL.Kolilo, PE_IKOL.A [Trend] W32.Sixem.A@mm,W32/Sixem-A [Sophos], W32/Deza.A [F-Secure], Trojan.Haradong, Infostealer.Wowcraft.D, Trojan.Slapew.C, Trojan.Slapew.B, Trojan.Tooso.R, W32.Beagle.KF [Sophos], W32.Beagle.FD@mm, Backdoor.Ripgof.B, W32.Looked.J, Trojan.Lodear.J, W32.Revolnam, Infostealer.Gamania, W32.Sality.R, Backdoor.Naninf.E, BKDR_BREPBOT.A [Trend], Infostealer.Yohokie, Trojan.Slapew, Backdoor.Haxdoor.M, Infostealer.Sealoln, Downloader.Booli.A, Trojan.Mdropper.J, Trojan.Dropper, Bloodhound.Exploit.74, Bloodhound.Exploit.73, Backdoor.Eterok.C, Bloodhound.Exploit.72, Backdoor.Daserf, JS.Yamanner@m, JS/Yamanner@MM [McAfee], JS_YAMANER.A [Trend Micro], Yamanner.A [F-Secure], JS/Yamann-A [Sophos], Downloader.Swif.B, Trojan.Skowr, TROJ_SKOWR.A [Trend], W32.Detnat.G, Downloader.Bancos, W32.Detnat.F, W32.Nopir.D, W32.Serwab@mm, W32.Timeserv@mm, W32.Fijjy, Downloader.Bancos!gen, Bloodhound.NsAnti, W32.Detnat.E, Trojan.Silm, Backdoor.Ginwui.C, Trojan.Mdropper.I, Bloodhound.Exploit.71, Perl.Lekbot, SB.Starbugs, W97M.Tored.A, W2KM_TORED.A[Trend Micro], Backdoor.Haxdoor.L, Trojan.Emcodec.D, SymbOS.Commdropper.E, Infostealer.Bancos.AB, SymbOS.Commwarrior.J, Commwarrior.K [F-Secure], W32.Beagle.FC, SymbOS.Romride.E, Romride.E [F-Secure], SymbOS.Romride.D, Romride.D [F-Secure], SymbOS.Commdropper.D, Commdropper.F [F-Secure], SymbOS.Romride.C, Romride.C [F-Secure], SymbOS.Commwarrior.L, Commwarrior.M [F-Secure], SymbOS.Commwarrior.K, Commwarrior.L [F-Secure], Trojan.Looksky, SymbOS.Romride.B, Romride.B [F-Secure], SymbOS.Romride.A, Romride.A [F-Secure], Bloodhound.Tibs, Backdoor.Rustock.A, W32.Lecna.A, OSX.Exploit.MetaData, Exploit.OSX.Safari.a [Kaspersky], OSX/Exploit-ZipShell [McAfee], SB.Stardust.A!int, XML_DUSTAR.A [Trend Micro], W32.Wamgin, Trojan.Emcodec.C, Backdoor.Sdbot.AT, 
W32.Pahatia.A, W32.Looked.I, Trojan.Gobrena, W32.Gaobot.EUX, Trojan.Agentdoc.B, W32.Sejese, BlackAngel.A [Panda], W32.Jesse, W32.Ecup, W32.Ecup!p2p, W32.Banwarum@mm, W97M.Lunedo.B, SymbOS.Commwarrior.I, SymbOS.RommWar.D, RommWar.A [F-Secure], SymbOS.RommWar.C, RommWar.C [F-Secure], SymbOS.RommWar.B, Rommwar.B [F-Secure], Backdoor.Darkmoon.C, SymbOS.Doomboot.T, Doomboot.M [F-Secure], Worm/Kelvir, W97M/Kukudro, Backdoor.Bifrose.F, W32.Dozic, Backdoor.Haxdoor.N, Trojan.PPDropper.B, W32.Looked.P, W32.Looked.O, Infostealer.Corepias, Trojan.Dachri, Trojan.Mdropper.K, Backdoor.Sdbot.AU, Backdoor.Pcclient.B, VBS.Birhip, SymbOS.Mabir.B, W32.Jalabed.B@mm, SymbOS.Doomboot.X, SymbOS.Commdropper.H, W32.Banwarum.G@mm, W32.Yawmo, Bloodhound.Exploit.75, Trojan.Nakani, SymbOS.Cabir.X, SymbOS.Ruhag.E, SymbOS.Ruhag.D, Infostealer.Svcstor, Backdoor.Rustock.B, Trojan.Lodeight.C, Trojan.Hongmosa, W32.Esbot.E, SymbOS.Doomboot.W, SymbOS.Doomboot.V, W32.Audio, W32.Sixem.C@mm, W32.Amirecivel.F@mm, W32.Gatt, SymbOS.Cdropper.Q, Trojan.Deoplive , Trojan.Emcodec.E, SymbOS.Cdropper.S, SymbOS.Cdropper.R, SymbOS.Dampig.D, SymbOS.Cdropper.O , W32.Areses.P@mm, Trojan.Zlob.L, OSX.Exploit.Launchd, Trojan.Clagger, Backdoor.Graybird.S, W32.Sality.T, SymbOS.Cdropper.J, W32.Resik.A, Trojan.Bookmarker.K, SymbOS.Cdropper.K, SymbOS.Cdropper.I, SymbOS.Cdropper.G, SymbOS.Cdropper.F, W32.Sality.S, Infostealer.Jianghu, W32.Banleed.B, W32.Icogon, Trojan.Hlinic.B, W97M.Kukudro.A, Backdoor.Beasty.J, Trojan.Exobre , BAT.Antir, Trojan.Gared, Backdoor.Hacarmy.G, Infostealer.Panobu, Downloader.Browsilla, W32/Gatt, W32/Donak.dr, W32/Donak.worm, Racgen, W97M/Kukudro, W32/Kraze.dr, Downloader-AWX.dr, W32/Bagle.fd@MM, Downloader-AXD, W32/Sdbot.worm!605becc1, W32/Sdbot.worm!b37e4475, W32/Bagle.fc@MM, BackDoor-DIP, Downloader-AXA, Del-507, W32/Bagle.fb!pwdzip, W32/Kraze.a, W32/Bagle.fb@MM,MultiDropper-QU, W32/Sdbot.worm.dr!8aa30865, Exploit-MSExcel.b.gen, W32/Sixem.a@MM, Downloader-AWV.dr, BackDoor-CKB.dr!adeb69f7, 
BackDoor-CKB!f8984a14, Exploit-MSExcel.gen, Downloader-AWX, Downloader-AWW, Exploit-PPT, Downloader-AWV,W32.Stong.A, Trojan.Gobrena.B, Trojan.Clagger.B, Trojan.Riler.F, Trojan.PPDropper.C, ACTS.Spaceflash, Trojan.Frozzie