AlphaOne Technology Support Forums
Author Topic: W32.Erkez.F@mm  (Read 921 times)
TJ (Tech Team, Hero Member; Posts: 136)
W32.Erkez.F@mm
« on: October 01, 2005, 12:44:19 PM »

W32.Erkez.F@mm is a mass-mailing worm that sends itself to email addresses gathered from the compromised computer. It attempts to disable antivirus and security processes.

Once executed, W32.Erkez.F@mm performs the following actions:

   1. Copies itself as the following files:

          * %System%\[ANTIVIRUS VENDOR NAME]_Update-[5 RANDOM DIGITS].exe
          * %System%\[11 RANDOM DIGITS]Z.dll

            Note: [ANTIVIRUS VENDOR NAME] is one of the following:

          * Kaspersky
          * McAfee
          * Panda
          * Sophos
          * Symantec
          * Trend

            Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   2. Displays the following error message:

      Title: Windows Security
      Body: Windows has blocked access to this image.

   3. Creates the following mutex so that only one version of the worm is run on the infected computer at any one time:

      __ZF5

   4. Connects to the microsoft.com domain.

   5. Adds the value:

      "__ZF5" = "[PATH TO THE WORM FILE]"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      so that it is executed every time Windows starts.

   6. Creates a registry entry in the following location, where it stores information about itself:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\__ZF5

   7. Prevents processes with the following strings in their name from running:

          * reged
          * msconfig
          * task

   8. Terminates the following processes relating to antivirus software and firewalls:

          * nmain.exe
          * Luall.exe
          * nod32.exe
          * gcasDtServ.exe
          * nod32krn.exe
          * nod32kui.exe
          * AVLTMAIN.EXE
          * MRT.exe
          * gcasServ.exe
          * avginet.exe
          * inetupd.exe
          * fpavupdm.exe
          * Updater.exe
          * pcclient.exe
          * F-StopW.exe
          * drwebupw.exe
          * QH32.EXE
          * QHM32.EXE
          * LIVEUP.exe
          * savmain.exe
          * savprogess.exe
          * bdmcon.exe
          * bdlite.exe
          * McUpdate.exe
          * mcmnhdlr.exe
          * VBInstTmp.exe
          * vbcmserv.exe
          * vbcons.exe
          * fspex.exe

   9. Copies itself to folders on the C drive whose names contain the strings "share", "upload", "music", or "startup", using the following file names:

          * Adobe Acrobat 8.0.exe
          * Divx Player 7.0.exe

  10. Gathers email addresses from the Windows Address Book and stores them in the following randomly named file:

      %System%\[11 RANDOM DIGITS]Z.dll

  11. Searches for email addresses in all files with the following extensions:

          * htm
          * wab
          * txt
          * dbx
          * tbb
          * asp
          * php
          * sht
          * adb
          * mbx
          * eml
          * pmr
          * fpt
          * inb

            The worm avoids email addresses containing the following strings:

          * google
          * sale
          * service
          * info
          * help
          * admi
          * webm
          * micro
          * msn
          * hotm
          * suppor
          * soft.
          * zonela

  12. Uses its own SMTP engine to send itself to the email addresses that it has found. The email may be in many different languages, and may have the following characteristics:

      From:
      One of the following:

          * postcard@jedinet.com
          * Nagy Melinda
          * Claudia Enferma
          * Katerina Bersankova
          * Hana Bejlkova
          * Star Wars, e-kort [Norwegian: e-card]
          * Beate Kohler
          * Suzanne Bolder
          * Claude Marie Sarden
          * Una Star Wars cartolina per te da regione.it,Cartolina Digitale [Italian: A Star Wars postcard for you from regione.it, Digital Postcard]
          * Star Wars Greeting,MSN Postcard

            Subject:
            One of the following:

          * e-udvozlet,megasztar [Hungarian: e-greeting, megastar]
          * Has recibido una tarjeta en neptun.mx,e-tarjeta [Spanish: You have received a card at neptun.mx, e-card]
          * Greeting from neptun.ru,MSN.RU Postcard
          * e-pohlednice,Elektronickou Star Wars [Czech: e-postcard, Electronic Star Wars]
          * kort [Norwegian: card]
          * e-postkarte,Star Wars [German: e-postcard, Star Wars]
          * Electronisch Star Wars,E-kaartje [Dutch: Electronic Star Wars, E-card]
          * Une Star Wars carte pour vous,Confidental [French: A Star Wars card for you, Confidential]
          * cart
          * greeting
          * Buon Natale! [Italian: Merry Christmas!]

            Message:
            One of the following:

          * udvozlolap (Hungarian)
            Kedves Felhasználó
            % elektronikus üdvözlőlapot küldött Önnek!
            Megtekintéséhez kattintson a mellékelt kép hivatkozására, vagy másolja be
            a böngésző (Internet Explorer, Netscape Navigator, Mozilla, stb.) címsorába!
            A már kézbesített lapokat 3 hétig őrizzük meg!
            [http://]www.tv2.hu/[REMOVED]
            [English: Dear User. % has sent you an electronic greeting card! To view it, click the link on the attached image, or paste it into the address bar of your browser (Internet Explorer, Netscape Navigator, Mozilla, etc.)! We keep delivered cards for 3 weeks!]
          * tarjeta (Spanish)
            ¡Hola
            Hay una tarjeta disponible en Neptun.mx de parte de %.
            Para verla, hacer click en el siguiente enlace:
            Te recordamos que si eres Gusuario Premium tu tarjeta estará
            disponible
            en todo momento durante la vigencia de tu membresía; si no lo eres,
            estará disponible dos semanas a partir de la fecha en que la envíes.
            [English: Hello. There is a card waiting for you at Neptun.mx from %. To view it, click the following link: We remind you that if you are a Premium user your card will be available at all times for as long as your membership lasts; if not, it will be available for two weeks from the date you send it.]
          * postcard
            [multi bytes message]
          * pohlednic (Czech)
            Dobrý den
            Dostáváte tento email, protože Vám %,
            poslal(a) elektronickou `star wars` pohlednici. Vaše pohlednice je uložena na
            serveru centrum.cz a můžete si ji vyzvednout na adrese:
            Tuto pohlednici budeme archivovat po dobu 30-ti dnů. Doufáme, že se Vám
            bude líbit. :-)
            Nejvetsi vyber plakatu na [http://]www.centrum.cz/[REMOVED]
            Anna Birketveit
            [English: Hello. You are receiving this email because % sent you an electronic 'star wars' postcard. Your postcard is stored on the centrum.cz server and you can pick it up at: We will keep this postcard for 30 days. We hope you like it. :-) The largest selection of posters at ...]
          * Hello (Norwegian)
            % har send eit kort til deg.
            Du kan henta kortet ditt på
            og skriva inn kortnummer 214 og passord 5016.
            [English: % has sent you a card. You can pick up your card at ... and enter card number 214 and password 5016.]
          * grusskarte (German)
            Hallo
            % hat Ihnen eine Star Wars Postkarte geschickt!
            Ihre Postkarte wurde am 10.09.2005 versendet und ist für 10 Tage gespeichert.
            Sie können Sie unter folgender URL ansehen:
            Mit freundlichen Grüßen,
            [English: Hello. % has sent you a Star Wars postcard! Your postcard was sent on 10.09.2005 and is stored for 10 days. You can view it at the following URL: Kind regards,]
          * Free eCards - Grusskarte senden - send a free eCard
            Powered by [http://]www.deutschepost.de/[REMOVED]
            [English: "Grusskarte senden" = send a greeting card]
          * carte (French)
            Bonjour
            % a crée une 'star wars' carte specialement pour vous, et vous l'a envoyée le 10/09/05.
            La carte sera sauvgardée pendant 10 jours. Veuillez la recupérer dans les 10 jours avant qu'elle expire.
            Cliquer sur ce lien pour voir votre e-carte:
            Alternativement vous pouvez lui envoyer une autre carte gratuitement sur [http://]www.smartweb.fr/[REMOVED]
            Veronica Morrentino
            [English: Hello. % created a 'star wars' card specially for you and sent it to you on 10/09/05. The card will be kept for 10 days. Please retrieve it within 10 days, before it expires. Click this link to view your e-card: Alternatively you can send them another card for free at ...]
          * Ciao (Italian)
            % ti ha inviato una cartolina digitale dal nostro sito.
            Per visualizzare la cartolina è sufficiente cliccare questo link:
            Nel caso dovessi avere problemi nel visualizzare la tua cartolina, può
            essere che i giorni a disposizione siano scaduti, è comunque possibile
            fare una prova a questo indirizzo: [http://]www.regione.it/[REMOVED]
            Monica Lembar
            [English: Hi. % has sent you a digital postcard from our site. To view the postcard, just click this link: If you have trouble viewing your postcard, the available days may have expired; you can still try at this address: ...]
          * Hi there
            There's a star wars postcard waiting for you, from %.
            Just click the link below to pick up your personal message:
            (If you cannot view the image by clicking on the link, copy and paste
            the attachment picture into your browser).
            Best regards: [http://]www.jedinet.com/[REMOVED]

            Attachment:
            The attachment has a variable file name followed by one of the following extensions:

          * .cmd
          * .scr
          * .pif
          * .com
          * .zip

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/w32.erkez.f@mm.html

To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
   3. Click OK.
   4. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

   5. In the right pane, delete the value:

      "__ZF5" = "[PATH TO THE WORM FILE]"

   6. Navigate to and delete the following subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\__ZF5

   7. Exit the Registry Editor.
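As an added example (not code from the post above or from Symantec), the indicators in the write-up can be turned into a small offline matcher. It takes text that was collected from a suspect host by other means: a bare filename listing of %System% in the shape `dir /b` produces, a registry dump in the shape `reg query` prints, and the sender, subject and attachment name of a suspicious message. Those input shapes are assumptions, and the sample inputs embedded in the block are constructed for the example, not captured from a real infection.

```python
"""IOC matcher for the W32.Erkez.F@mm indicators in the post above.

Added example, not code from the forum post or from Symantec. It works on
text already collected from a suspect host: a bare filename listing of
%System% (the shape `dir /b` produces), a registry dump in the shape
`reg query` prints, and mail header fields. Those input formats are
assumptions; the sample inputs below are constructed for the example.
"""
import re

# Step 1: %System%\[ANTIVIRUS VENDOR NAME]_Update-[5 RANDOM DIGITS].exe
VENDORS = ("Kaspersky", "McAfee", "Panda", "Sophos", "Symantec", "Trend")
DROPPED_EXE = re.compile(
    r"^(?:" + "|".join(VENDORS) + r")_Update-\d{5}\.exe$", re.IGNORECASE)
# Steps 1 and 10: %System%\[11 RANDOM DIGITS]Z.dll (harvested address store)
DROPPED_DLL = re.compile(r"^\d{11}Z\.dll$", re.IGNORECASE)
# Step 9: names used for copies into share/upload/music/startup folders
SHARE_COPIES = {"adobe acrobat 8.0.exe", "divx player 7.0.exe"}

# Steps 5 and 6: persistence value and the worm's own data key
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "__ZF5"
DATA_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\__ZF5"

# Step 12: lure senders, subject fragments and attachment extensions
LURE_SENDERS = {
    "postcard@jedinet.com", "Nagy Melinda", "Claudia Enferma",
    "Katerina Bersankova", "Hana Bejlkova", "Beate Kohler",
    "Suzanne Bolder", "Claude Marie Sarden",
}
LURE_SUBJECT_WORDS = ("star wars", "postcard", "tarjeta", "pohlednice",
                      "kort", "postkarte", "kaartje", "cart", "greeting",
                      "udvozlet", "buon natale")
LURE_EXTS = (".cmd", ".scr", ".pif", ".com", ".zip")


def classify_filename(name):
    """Return the indicator a bare filename matches, or None."""
    if DROPPED_EXE.match(name):
        return "dropped-exe"
    if DROPPED_DLL.match(name):
        return "address-store-dll"
    if name.lower() in SHARE_COPIES:
        return "share-copy"
    return None


def scan_listing(lines):
    """Scan filenames (one per line, full paths tolerated) for the dropped
    file patterns; returns [(filename, indicator), ...] in input order."""
    hits = []
    for line in lines:
        name = line.strip().rsplit("\\", 1)[-1]
        kind = classify_filename(name)
        if kind:
            hits.append((name, kind))
    return hits


def scan_reg_dump(text):
    """Parse `reg query`-shaped output: a key line starting with HKEY_,
    followed by indented 'Name  Type  Data' lines. Returns
    [(indicator, name_or_key, data), ...]."""
    findings = []
    current_key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            if current_key.lower() == DATA_KEY.lower():
                findings.append(("worm-data-key", current_key, None))
            continue
        parts = line.split(None, 2)  # name, type, data (data may contain spaces)
        if len(parts) == 3 and current_key and current_key.lower() == RUN_KEY.lower():
            name, _type, data = parts
            if name == RUN_VALUE:
                findings.append(("run-persistence", name, data))
    return findings


def assess_mail(sender, subject, attachment):
    """Return the reasons a message looks like an Erkez.F lure (empty if none)."""
    reasons = []
    if sender in LURE_SENDERS:
        reasons.append("known lure sender")
    if any(w in subject.lower() for w in LURE_SUBJECT_WORDS):
        reasons.append("lure subject")
    if attachment and attachment.lower().endswith(LURE_EXTS):
        reasons.append("executable/archive attachment")
    return reasons


# Constructed sample inputs (not captured from a real host).
SAMPLE_LISTING = """ntoskrnl.exe
Symantec_Update-48213.exe
Sophos_Update-1234.exe
07731928455Z.dll
notepad.exe
Divx Player 7.0.exe""".splitlines()

SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    __ZF5    REG_SZ    C:\WINDOWS\system32\Symantec_Update-48213.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\__ZF5
"""

if __name__ == "__main__":
    for hit in scan_listing(SAMPLE_LISTING):
        print("file:", hit)
    for finding in scan_reg_dump(SAMPLE_REG):
        print("registry:", finding)
    print("mail:", assess_mail("Beate Kohler", "e-postkarte,Star Wars", "card.scr"))
```

A hit from any of the three checks is a lead, not a confirmation: the vendor-name pattern is deliberately case-insensitive and a legitimate updater could in principle use a similar name, so confirm by checking what the `__ZF5` Run value actually points at before deleting it with the regedit steps in the post.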