W32.Falsu.A is a worm that spreads through file sharing networks and mIRC.
When W32.Falsu.A is executed, it performs the following actions:
1. Creates the following copies of itself:
* %Windir%\WinExec.exe
* %Windir%\shared\lesbians_fucking.mpg.exe
* %Windir%\shared\porn_password_collection.exe
* %Windir%\shared\aim_hack.exe
* %Windir%\shared\msn_crack.exe
* %Windir%\shared\icq_hack.exe
* %Windir%\shared\WarDialer.exe
* %Windir%\shared\porn_video.mpg.exe
* %Windir%\shared\pedo_brazilian_kids.mpeg.exe
* %Windir%\shared\Delphi_7_Crack.exe
* %Windir%\shared\gta3_trainer.exe
* %Windir%\shared\blue_beep.exe
* %Windir%\shared\ftp_crack.exe
* %Windir%\shared\XP_keygen.exe
* %Windir%\shared\PS2_emulator_bleem.exe
* %Windir%\shared\win2k_pass_decryptor.exe
* %Windir%\shared\Delphi_9_Keygen.exe
* %Windir%\shared\brazil_blond_XXX.exe
* %Windir%\shared\warcraft3_invisible_trainer.ex
* %Windir%\shared\invisible_IP.exe
* %Windir%\shared\Delphi_2005_Keygen.exe
* %Windir%\commad.pif
* %Windir%\srvwin.scr
* %System%\WinUpdate.exe
* %System%\Winsys.exe
* C:\commando.exe
* C:\comand.scr
Note:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
2. Adds the value:
"WinExec" = "%Windir%\WinExec.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
3. Adds the values:
"DisableSharing" = "0"
"dir0" = "012345:%Windir%\shared"
"dir1" = "012345:%Windir%\shared"
"dir2" = "012345:%Windir%\shared"
"dir3" = "012345:%Windir%\shared"
"dir4" = "012345:%Windir%\shared"
"dir5" = "012345:C:\"
to the registry subkey:
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
to spread through the Kazaa file sharing network.
4. Adds the values:
"virus_filter" = "0"
"firewall_filter" = "0"
to the registry subkey:
HKEY_CURRENT_USER\Software\KAZAA\ResultsFilter
to spread through the Kazaa file sharing network.
5. Creates the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
6. Creates the following mIRC configuration files:
* C:\incefalus.mrc
* C:\mirc.ini
7. Makes the mIRC client send the worm as the file mysister_fucking.exe with the following message:
"its a funny [movie]"
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/w32.falsu.a.html
To delete the value from the registry
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"WinExec" = "%Windir%\WinExec.exe"
6. Navigate to the subkey:
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
7. In the right pane, restore the values to their original values, if applicable:
"DisableSharing" = "0"
"dir0" = "012345:%Windir%\shared"
"dir1" = "012345:%Windir%\shared"
"dir2" = "012345:%Windir%\shared"
"dir3" = "012345:%Windir%\shared"
"dir4" = "012345:%Windir%\shared"
"dir5" = "012345:C:\"
8. Navigate to the subkey:
HKEY_CURRENT_USER\Software\KAZAA\ResultsFilter
9. In the right pane, restore the values to their original values, if applicable:
"virus_filter" = "0"
"firewall_filter" = "0"
10. Exit the Registry Editor.
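
The registry changes listed above can be checked in a text export of the registry, both before cleanup and afterwards to confirm the values are gone. The following is an added example, not part of the original write-up or any vendor tool: parse_reg, falsu_findings and the sample export are constructed for illustration, and it assumes the export has already been decoded to text and that %Windir% is C:\Windows unless another folder is passed in.

```python
import re

RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
LOCAL = r"hkey_current_user\software\kazaa\localcontent"
FILTER = r"hkey_current_user\software\kazaa\resultsfilter"

def parse_reg(text):
    """Parse decoded regedit export text into {subkey: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            data = m.group(2)
            if data[:1] == data[-1:] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
            current[m.group(1).lower()] = data
    return keys

def falsu_findings(keys, windir=r"C:\Windows"):
    """Return (subkey, value, data) for each registry change the write-up lists."""
    wd, found = windir.lower(), []
    run = keys.get(RUN, {}).get("winexec", "")
    if run.lower() == wd + r"\winexec.exe":
        found.append(("Run", "winexec", run))
    for name, data in sorted(keys.get(LOCAL, {}).items()):
        if re.fullmatch(r"dir\d+", name) and data.startswith("012345:"):
            path = data[7:].rstrip("\\").lower()
            if path == wd + r"\shared" or re.fullmatch(r"[a-z]:", path):
                found.append(("LocalContent", name, data))
    for name in ("virus_filter", "firewall_filter"):
        data = keys.get(FILTER, {}).get(name)
        if data in ("0", "dword:00000000"):  # zero stored as string or DWORD
            found.append(("ResultsFilter", name, data))
    return found

# Constructed sample export (not taken from a real host).
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinExec"="C:\\WINDOWS\\WinExec.exe"
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"dir0"="012345:C:\\WINDOWS\\shared"
"dir5"="012345:C:\\"
[HKEY_CURRENT_USER\Software\KAZAA\ResultsFilter]
"virus_filter"="0"
"firewall_filter"="1"
'''
if __name__ == "__main__":
    print(falsu_findings(parse_reg(SAMPLE)))
```

A Kazaa share entry is reported when it points at %Windir%\shared or at a drive root, which generalizes the single "C:\" entry in the list above. An empty result after cleanup means none of the listed values remain in the export.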