Win32.Worm.Mexer.E
SYMPTOMS:
- Presence of the folder C:\sysnet
- Presence of the following file in the C:\sysnet folder: Ruby31.exe (30,720 bytes)
- Presence of many copies of Ruby31.exe (30,720 bytes) in the C:\sysnet folder under various names
- Presence of the following registry key or entry:
  [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  "Ruby13"="c:\sysnet\Ruby13.exe"
  where %WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems) and %SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on WinNT systems.

TECHNICAL DESCRIPTION:
The virus spreads through e-mail and also through the Kazaa and Imesh networks. It usually arrives via e-mail. The mail format is as follows:

From: (spoofed)
To: (harvested address)

Subject: EBAY Information
Body: EBAY Installer...
Attachment: EBAY.exe

Subject: VISA Information
Body: Security Tool...
Attachment: VISA.EXE

Subject: Provider Information
Body: New account data...
Attachment: PROVIDER.EXE

Subject: Your Crack
Body: Here is your crack!
Attachment: (one of the copies of the virus)

Subject: Internet Information
Body: New account data...
Attachment: INTERNET.EXE

When the virus is run, it does the following:

1. Displays the following message:
   Ruby V1.3
   Serial: %random%
   File crack...
   Note: %random% is a random number (e.g. Serial: 41365345).

2. Creates the C:\sysnet folder, where it creates copies of itself as:
   A+ Certification Test.exe
   Borland KeyGens.exe
   BurnDvds.exe
   Cisco Certification Test.exe
   Counter-Strike, Condition Zero - Activation Key.exe
   Counterstrike aim hack.exe
   Counterstrike hacks.exe
   Crack McAfee 7.exe
   Crack Norton 3000.exe
   Diablo 2 map hack.exe
   Diablo 2 no-cd hack.exe
   Dvd Ripper.exe
   Dvd To Vcd.exe
   Easy Dvd Ripper.exe
   EZ Dvd Ripper.exe
   icqbomber.exe
   Information.exe
   MP3 encoder decoder V1.8.exe
   MSCE Certification Test.exe
   Nero Burning ROM v6.3 Ultra - Enterprise edition key.exe
   Nimo Codec Pack Updater.exe
   PANDA.AVers.lusers.exe
   PANDA.lusers.exe
   s Diablo 2 hero editor.exe
   SophosCrackAllVersion.exe
   Starcraft + Broodwar 1.10 map hack.exe
   Starcraft + Broodwar 1.10 no-cd hack.exe
   The Frozen Throne map hack.exe
   Warcraft 3 Frozen Throne cd-cd hack.exe
   Warcraft 3 Frozen Throne map hack.exe
   Warcraft 3 map hack.exe
   Warcraft 3 no-cd hack.exe
   Warcraft 3 stat hack.exe
   Windows Nt Certification Test.exe
   XBOX X-Fer Ripper and Transfer.exe
   Xvid Codec Installer.exe

   It also creates copies of itself by appending Keygen.exe, Serial.exe, NoCD.exe or Crack.exe to the following names (reproduced as listed in the original analysis):
   Adobe Photoshop CS and ImageReady CS 8.0 Airport Tycoon II - All Adobe Products All Macromedia Products All Microsoft Products American Conquest - Apache AH-64 Air Assault - Battlefield 1942 The Road to Rome - Battlefield Vietnam - BitDefender Bridge Baron 13 Command and Conquer Generals Deus Ex - Divx Pro 5.1 Doom 3 - Dvd Plus Dvd Wizard Pro Dvd Xcopy DvdCopyOne DvdToVcd Easy Dvd creator Eonix Realm Of Hepmia - Fetish Fighters - Forbidden Siren - Freelancer - Grom - Harry Potter and the Prisoner of Azkaban KeyGen and Harry Potter und der Gefangene von Askaban I Was An Atomic Mutant - IGI-2 Covert Strike - Impossible Creatures - Ipswich Town Official Management Game - Jamella Kazaa all Microsoft Windows XP Professional Nascar Racing 2003 Season Nero Burning Rom Nod32 Norton AntiVirus 2004 Pro Activation Key & Norton AntiVirus 2005 Norton Internet Security 2004 Keygen & Norton Internet Security 2004 Pro Norton Internet Security 2005 Pro Office XP Universal Private Nurse - Robot Arena Design And Destroy - Serious Sam - Gold Edition - Shadow of Memories - Shrek 2 Sim City 4 - Slot City 3 Spellforce - Breath of Winter Spider-Man 2 Symantec Antivirus 2005 Symantec Internet Secutiy 2005 Test Drive - The Campaigns of La Grande Armee - The Emperors Mahjong - Tom Clancys Splinter Cell - Tombstone 1882 - Unreal II The Awakening - WinACE Windows Server 2003 WinRAR 3 WinZIP 9 World Of Outlaws Sprint Car Racing 2002 - Zone Alarm 5.0 pro
   (example: Zone Alarm 5.0 pro Crack.exe, BitDefender Keygen.exe)

3. Sets the default Kazaa and Imesh download/shared folder to c:\sysnet

4. Creates the registry entry
   [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
   "Ruby13"="c:\sysnet\Ruby13.exe"
   in order to run at startup.

5. Starts to harvest e-mail addresses from files matching:
   *.wab *.dbx *.htm *.sht *.txt *.doc *.rtf
   but skips e-mail addresses containing:
   supp webm viru newv kasp micr root admi host
   and sends itself to each e-mail address found, in the e-mail format described above, using its own SMTP engine.

6. May display a message:
   Ruby V1.3, (c)BI 16.08.2004
   Fight against MICROSOFT and make a virus!

Removal instructions:
- use the free removal tool from BitDefender
- automatic removal: let BitDefender delete/disinfect files found infected.

ANALYZED BY: Patrik Vicol, BitDefender Virus Researcher