BitDefender Antivirus
My BitDefender | My Shopping Cart Cart
Go

Win32.MSNWorm.Rodok.A

( Worm.Win32.Fleming (Kaspersky) )
Spreading: low
Damage: low
Size: 53248 bytes
Discovered: 2002 Oct 09

SYMPTOMS:

- a process called "BR2002" running (it can be seen by right-clicking the taskbar and launching Task Manager).

TECHNICAL DESCRIPTION:

This worm spreads by by maliciously inviting the user's MSN Messenger contacts to download it; it was written in Visual Basic.
The virus is disguised as a CD-key generator for the great Half-Life/CounterStrike games; when run, it invites the user to click the "Generate" button, but the resulting "keys" are just random digits:


The virus actually steals the user's CD-keys for Half-Life and CounterStrike. The keys are read from the following registry keys:
- HKCU\Software\Valve\CounterStrike\Settings\Key
- HKCU\Software\Valve\Half-Life\Settings\Key
and sent to styggefolk@hotmail.com; the sent message looks like this:
I have loaded the ur CDKEY Generator 1.3! CS: HL: In order to spread, the worm sends instant messages to the user's contacts, inviting them to download and run a program (actually a copy of the virus) from a website:


The virus then attempts to download an executable file from the location http://home.no.net/downl0ad/CS-Keygen.exe and save it as C:\hehe2397824.exe. If the user receives a message from styggefolk@hotmail.com, it will take a specific action depending on the contents of that message:
- if the message reads "hey", the virus will send the CounterStrike/Half-Life CD keys again;
- if the message reads "hello", the virus will download a file (probably containing an updated version of the virus) from the location http://home.no.net/downl0ad/Update.exe and save it as C:\update35784.exe; a message will be sent back to styggefolk@hotmail.com, containing the text "Updating...";
- if the message reads "hi", the virus will reply with "Spamming..." and send virus download invitations again to the user's contacts.
The worm runs the downloaded executable files (C:\hehe2397824.exe, C:\update35784.exe), if they are found; it will remain resident, waiting for messages from styggefolk@hotmail.com.

Removal instructions:

Manual Removal:
Invoke Task Manager, select the process called "BR2002" and click "End Task". You should also delete the file "br2002.exe" that contains the worm.
Automatic Removal:
Let BitDefender delete/disinfect files found infected.

ANALYZED BY:

Bogdan Dragu BitDefender Virus Researcher
Quick Links » New Game Safe » Renew License » Free Customer Support » Free Online Scanner » Press Center
©   2009 BITDEFENDER SiteMap | Legal Terms | Site Feedback | Contact Us | Global Sites | Privacy Policy | Forum