AlphaOne Technology Support Forums
Topic: W32.Pexmor@mm
Author: TJ (Tech Team)
Posted on: September 26, 2005, 12:38:19 PM

W32.Pexmor@mm is a mass-mailing worm that sends a copy of itself as an email attachment using its own SMTP engine.

When W32.Pexmor@mm is executed, it performs the following actions:

   1. Copies itself as the following files:

          * %Temp%\MSMSGS.exe
          * %Temp%\SVCHOST.exe
          * %Temp%\Winword.exe
          * %Temp%\LSASS.exe
          * C:\WINDOWS\Drivers\SEXO.pif

      Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

   2. Creates the following files:

          * %Temp%\OfficeHost.vbs
          * %Temp%\bailando.vbe
          * %Temp%\folder.htt
          * %Temp%\folder.htm

      Note: A copy of the worm is dropped as C:\[RANDOM].exe if the above files run.

   3. Creates the following batch file in the current folder in an attempt to share the C:\WINDOWS\Drivers folder:

      sen.bat

   4. Creates the following files:

          * %Temp%\desktop.ini
          * C:\rep.txt
          * C:\rep.ya

   5. Deletes all values under the following registry subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

   6. Adds the value:

      "OfficeQuickAccess" = "%Temp%\OfficeHost.vbs"

      to the registry subkey:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

   7. Adds the value:

      "NortonAntivirus" = "%Temp%\LSASS.exe"

      to the registry subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

      so that it runs every time Windows starts.

   8. Adds the values:

      "Compose Use Stationery" = "1"
      "Stationery Name" = "%Temp%\folder.htm"
      "Wide Stationery Name" = "%Temp%\folder.htm"

      to the registry subkey:

      HKEY_CURRENT_USER\Identities\[VARIABLE SUBKEY]\Software\Microsoft\Outlook Express\5.0\Mail

      so that it runs whenever the user composes an email.

   9. Adds the value:

      "NewStationery" = ""

      to the registry subkey:

      HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings

  10. Adds the value:

      "001e0360" = "blank"

      to the registry subkey:

      HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046

  11. Attempts to send itself as an email using its own SMTP engine.

      The email will have the following characteristics:

      From: Boletin Humor Granma humor@granma.inf.cu
      Subject: Curiosidades en la red
      Message Body: Esta ves le traemos algo bien curioso a nuestros lectores ....
      Attachment: bailando.vbe

  12. May copy the following files to the root folder on enumerated drives:

          * Fordel.htt
          * Desktop.ini
          * juego.vbs
          * video.vbs
          * musica.vbs
          * Profesias de Nostradamus.vbs
          * humor.vbs
          * comicos.vbs
          * Coca Cola del olvido.vbs
          * La Cerveza.vbs
          * Mujeres locas.vbs
          * Test de ignorancia.vbs
          * Cuentos.vbs
          * Por que se extinguieron los dinosaurios.vbs
          * EL Mamut.vbs
          * La cancion del condon.vbs
          * Apagones a la italiana.vbs
          * Record Guines de 2005.vbs
          * La ultima moda en las malvinas.vbs
          * Una gorda bien gorda.vbs
          * Por que los hombres no paren.vbs
          * La caperucita y la abuelita.vbs
          * La mejor amiga del hombre.vbs

REMOVAL INSTRUCTIONS
Manual Removal:

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

   1. Disable System Restore (Windows Me/XP).
   2. Update the virus definitions.
   3. Run a full system scan and delete all the files detected.
   4. Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:

    * How to disable or enable Windows Me System Restore
    * How to turn off or turn on Windows XP System Restore


Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

To delete the values from the registry
   1. Click Start > Run.
   2. Type regedit
   3. Click OK.
   4. Navigate to the subkey:

      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

   5. In the right pane, delete the values:

      "OfficeQuickAccess" = "%Temp%\OfficeHost.vbs"
      "NortonAntivirus" = "%Temp%\LSASS.exe"

   6. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

   7. In the right pane, delete the value:

      "NortonAntivirus" = "%Temp%\LSASS.exe"

   8. Navigate to the subkey:

      HKEY_CURRENT_USER\Identities\[VARIABLE SUBKEY]\Software\Microsoft\Outlook Express\5.0\Mail

   9. In the right pane, reset the values:

      "Compose Use Stationery" = "1"
      "Stationery Name" = "%Temp%\folder.htm"
      "Wide Stationery Name" = "%Temp%\folder.htm"

  10. Navigate to the subkey:

      HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\MailSettings

  11. In the right pane, delete the value:

      "NewStationery" = ""

  12. Navigate to the subkey:

      HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046

  13. In the right pane, delete the value:

      "001e0360" = "blank"

  14. Exit the Registry Editor.
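Added example, not part of TJ's post or the Symantec writeup it reproduces: a Python check that parses a `reg export` dump of the Run and Outlook Express keys and flags the registry indicators listed above, so the manual removal steps can be verified (or an infection spotted) from an exported snapshot. It also generalises the check to any Run value that launches one of the worm's system-process file names from a Temp folder, whatever the value is called. The sample export and the identity GUID placeholder are constructed.

```python
import re

# Indicators from the W32.Pexmor@mm writeup above: Run values the worm adds, and its copies dropped in %Temp%.
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run")
PEXMOR_RUN_VALUES = {"OfficeQuickAccess": "officehost.vbs", "NortonAntivirus": "lsass.exe"}
TEMP_DROPS = {"msmsgs.exe", "svchost.exe", "winword.exe", "lsass.exe", "officehost.vbs"}

def parse_reg_export(text):
    # 'reg export' style text -> {key: {value name: data}}; only REG_SZ ("name"="data") lines are kept
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]*)"="(.*)"$', line)
            if m:  # .reg files write each backslash as \\ ; undo that escaping
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def in_temp(path):  # unexpanded %Temp% reference or an already-expanded ...\Temp\... location
    return "%temp%" in path.lower() or "\\temp\\" in path.lower()

def find_pexmor_indicators(reg):
    # Returns (key, value name, data, reason) for every entry matching the writeup.
    hits = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            base = data.lower().rsplit("\\", 1)[-1]
            if PEXMOR_RUN_VALUES.get(name) == base:
                hits.append((key, name, data, "Run value added by W32.Pexmor@mm"))
            elif in_temp(data) and base in TEMP_DROPS:
                hits.append((key, name, data, "system-process name launched from %Temp%"))
    for key, values in reg.items():  # step 8: Outlook Express stationery hijack
        if key.lower().endswith("\\outlook express\\5.0\\mail"):
            for name in ("Stationery Name", "Wide Stationery Name"):
                data = values.get(name, "")
                if in_temp(data) and data.lower().endswith("folder.htm"):
                    hits.append((key, name, data, "OE stationery points at dropped folder.htm"))
    return hits

# Constructed sample export (not a real capture); the identity GUID is a placeholder.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NortonAntivirus"="C:\\WINDOWS\\TEMP\\LSASS.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OfficeQuickAccess"="C:\\WINDOWS\\TEMP\\OfficeHost.vbs"
[HKEY_CURRENT_USER\Identities\{PLACEHOLDER-GUID}\Software\Microsoft\Outlook Express\5.0\Mail]
"Stationery Name"="C:\\WINDOWS\\TEMP\\folder.htm"
'''
```

Run `find_pexmor_indicators(parse_reg_export(SAMPLE_REG))` on the sample and the three worm entries are returned while the benign ctfmon.exe value is not; after the removal steps a fresh export should yield an empty list.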