Taken From:

Malware type: Worm
Aliases: W32.Sober.O@mm W32/Sober.p@MM W32/Sober-N Sober.P Email-Worm.Win32.Sober.p
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP
Encrypted: No
Characteristics: Propagates via email

Description:

This worm spreads by mass-mailing copies of itself using its own SMTP (Simple Mail Transfer Protocol) engine. It gathers its target recipients from files with certain extensions names. Notably, it avoids sending messages to addresses that contain specific strings.

Using social engineering techniques, it sends out an email supposedly sent by the soccer organization FIFA, informing recipients that they won tickets for the upcoming FIFA World Cup 2006 in Germany. It also sends email messages in English or in German, depending on the country-level domains of the gathered addresses.

Social engineering, a propagation technique that is widely utilized by most worm programs, invests largely on computer users' instinctive tendency to open email messages, execute attachments that are enticing and apparently harmless, and download and unknowingly open attractively named files.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

Taken From http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.gen.html

Technical Details:

Common characteristics of the W32.Randex family include:

    * Spreading through network shares
    * Attacking randomly generated IP addresses
    * Using default credentials or weak username/password pairs to connect to a remote target system
    * Opening backdoor ports
    * Opening connections to predetermined IRC servers and waiting for commands from an attacker
    * Performing Denial of Service (DoS) attacks
    * Some recent variants exploit the Mydoom backdoor on TCP port 3127 to spread to remote systems


For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken From: http://www.2-spyware.com/file-winapa-exe.html

winapa.exe description:
File winapa.exe is related to trojan WootBot Trojan.

Files related to winapa.exe:
navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe

File winapa.exe removal:
WARNING!!! File winapa.exe is related to spyware. This is serious violation of your privacy, your system is under security threat.
We advice you to scan your computer and eliminate possible threats.

You can also visit ARNIT Online scanner to scan your computer for free!
http://www.arnit.net/security/tplarnit.php?page=vscan

Taken From: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.aladinz.g.html



Backdoor.IRC.Aladinz.G is a backdoor Trojan horse that uses malicious scripts in mIRC client software, allowing unauthorized remote access.

Also Known As: Worm.Win32.Randon.o [Kaspersky]
    
Type: Trojan Horse

Infection Length: varies
    
Systems Affected:     Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX

Technical Details:
When Backdoor.IRC.Aladinz.G is executed, it performs the following actions:

   1. Creates the folder %Program Files%\Common Files\OOBE\DivX Player 7.0, and drops the following files into the folder:
          * sample.bin (detected as Backdoor.Trojan)
          * DivXinstall.bat (detected as Trojan Horse)
          * DecodeDivX.exe (detected as Hacktool.DoS)
          * nacs.exe (detected as Hacktool)
          * DrDivXRegistration.exe (detected as Hacktool.HideWindow.)
          * Dr.DivX.exe (mIRC client software. It is detected as IRC.Backdoor.Trojan.)
          * DelDivX.exe (Process viewer. This utility is not viral by itself.)
          * Divx.exe (Remote execution utility. It is not viral by itself)
          * helptoo.txt (Text file that includes username.It is not malicious itself. )
          * helpuse.txt (Text file that includes username and password. It is not malicious itself. )
          * DivX.ini (Ini file that the Trojan uses to load other IRC scripts. It is not malicious itself. )

            Note: %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.
   2. Adds the value:

      "DivX MediaPlayer 7.0"="%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe"

      to the registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      so that the Trojan starts when you start or restart Windows.

   3. Adds the values:
          * "DisplayName"="mIRC"
          * "UninstallString"=""%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe" -uninstall"

            to the registry key:

            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
            Uninstall\mIRC

            Note: If the mIRC subkey does not exist, the Trojan will create it.
   4. Adds the values:

      "(Default)" = "c:\program files\common files\oobe\divx player 7.0\dr.divx.exe"

      to the following registry keys:
          * HKEY_CLASSES_ROOT\ChatFile\DefaultIcon
          * HKEY_CLASSES_ROOT\ChatFile\Shell\open\command
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\DefaultIcon
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\command

            so that the IRC file that call c:\program files\common files\oobe\divx player 7.0\dr.divx.exe when chat files are opened.

   5. Creates the following subkeys:
          * HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec

   6. Runs %Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe in the background.

   7. By default, the Trojan allows the hacker to perform any of the following actions:
          * Download and execute files.
          * Perform Denial of Service (DoS) attacks against predetermined targets.
          * Attempt to compromise other machines through open shares or weak passwords.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken From: http://www.sophos.com/virusinfo/analyses/w32forbotcl.html

Name
    * W32/Forbot-CL
Type

    * Worm

How it spreads     

    * Network shares

Affected operating systems

    * Windows

Side effects

    * Allows others to access the computer
    * Steals information
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

Aliases

    * Backdoor.Win32.Wootbot.gen
    * W32/Sdbot.worm.gen
    * WORM_WOOTBOT.CN

Detailed Description:
 W32/Forbot-CL is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.

W32/Forbot-CL copies itself to the Windows system folder as MQGUARD.EXE.

W32/Forbot-CL also creates its own service named "Win32" with display name "Windows Network Controller".

W32/Forbot-CL attempts to spread to network machines using various exploits including the LSASS vulnerability (see MS04-011). The worm may also spread via IRC channels.

W32/Forbot-CL may act as a proxy, delete network shares and steal keys for various software products.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken From: http://www.2-spyware.com/remove-wootbot-trojan.html

Full name: WootBot Trojan

Type: Trojans

Also known as: Trojan.WootBot, WootBot

Related files:
navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe

severity scale is 67 (67 / 100)

WootBot Trojan description:
This dangerous parasite is especially dangerous for PC gamers. WootBot tries to steal the CD-keys from various games and send these keys to the specified location. But not only this technique is a potential threat for the user of an infected machine; this parasite also tries to connect to the Internet and download various parasites from there. In case of success, even more problems may occur on the computer.

WootBot Trojan properties:
• Connects itself to the internet
• Hides from the user
• Stays resident in background

To Remove this trojan from your computer, you can SCAN your computer for FREE with ARNIT Online Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

Taken from http://www.2-spyware.com/file-mqguard-exe.html

mqguard.exe description:
File mqguard.exe is related to trojan WootBot Trojan.

Files related to mqguard.exe: navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe

File mqguard.exe removal: WARNING!!! File mqguard.exe is related to spyware. This is serious violation of your privacy, your system is under security threat.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Info taken from http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.pr.html

W32.Randex.PR is a network-aware worm that attempts to copy itself to computers with weak administrator passwords. The worm receives instructions from an IRC channel on a predetermined IRC server.

Also Known As:     W32/Spybot.worm.gen.a [McAfee]
Variants:         W32.Randex.gen
Type:                  Worm
Infection Length: 66,857 bytes
    
    
    
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Technical Details:
When W32.Randex.PR is executed, it does the following:

   1. Copies itself as %System%\symantec32.exe.

      Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
   2. Calculates a random IP address and attempts to authenticate itself to it.

   3. Attempts to copy itself to the following locations on computers with weak administrator passwords:
          * \c$\symantec32.exe
          * \c$\winnt\system32\symantec32.exe
          * \Admin$\system32\symantec32.exe

   4. Remotely schedules a task to run the worm on a newly infected computer.

   5. Adds the following value:
          * "Symantec Security"="symantec32.exe"
          * "Windows Loader" = "svchosts.exe"

            to the registry keys:
          * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
          * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
            RunServices
          * HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
          *

            so that the worm runs when you start Windows.

   6. Connects to an IRC channel on a predetermined IRC server to receive remote instructions, such as:
          * Ntscan: Scans for computers with weak administrator passwords, and then copies itself to these machines.
          * Syn: Performs a SYN flood attack with a data size of 55808 bytes.
          * Sysinfo: Retrieves the infected machine's information, such as CPU speed and the amount of memory.

   7. Steals the CD keys of the following games:
          * FIFA 2003
          * Need For Speed Hot Pursuit 2
          * Soldier of Fortune II
          * Rainbow Six III Ravenshield
          * Battlefield 1942 Road To Rome
          * Battlefield 1942
          * IGI 2
          * Counter-Strike
          * Unreal Tournament 2003
          * Half-Life
For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken from http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.aladinz.g.html

Description:
Backdoor.IRC.Aladinz.G is a backdoor Trojan horse that uses malicious scripts in mIRC client software, allowing unauthorized remote access.

Also Known As:     Worm.Win32.Randon.o [Kaspersky]
    
Type:     Trojan Horse

Infection Length:     varies
    
Systems Affected:     Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Systems Not Affected:     DOS, Linux, Macintosh, OS/2, UNIX

Technical Details:
When Backdoor.IRC.Aladinz.G is executed, it performs the following actions:

   1. Creates the folder %Program Files%\Common Files\OOBE\DivX Player 7.0, and drops the following files into the folder:
          * sample.bin (detected as Backdoor.Trojan)
          * DivXinstall.bat (detected as Trojan Horse)
          * DecodeDivX.exe (detected as Hacktool.DoS)
          * nacs.exe (detected as Hacktool)
          * DrDivXRegistration.exe (detected as Hacktool.HideWindow.)
          * Dr.DivX.exe (mIRC client software. It is detected as IRC.Backdoor.Trojan.)
          * DelDivX.exe (Process viewer. This utility is not viral by itself.)
          * Divx.exe (Remote execution utility. It is not viral by itself)
          * helptoo.txt (Text file that includes username.It is not malicious itself. )
          * helpuse.txt (Text file that includes username and password. It is not malicious itself. )
          * DivX.ini (Ini file that the Trojan uses to load other IRC scripts. It is not malicious itself. )

            Note: %ProgramFiles% is a variable that refers to the path to the program files folder. By default, this is C:\Program Files.
   2. Adds the value:

      "DivX MediaPlayer 7.0"="%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe"

      to the registry key:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

      so that the Trojan starts when you start or restart Windows.

   3. Adds the values:
          * "DisplayName"="mIRC"
          * "UninstallString"=""%Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe" -uninstall"

            to the registry key:

            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
            Uninstall\mIRC

            Note: If the mIRC subkey does not exist, the Trojan will create it.
   4. Adds the values:

      "(Default)" = "c:\program files\common files\oobe\divx player 7.0\dr.divx.exe"

      to the following registry keys:
          * HKEY_CLASSES_ROOT\ChatFile\DefaultIcon
          * HKEY_CLASSES_ROOT\ChatFile\Shell\open\command
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\DefaultIcon
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\command

            so that the IRC file that call c:\program files\common files\oobe\divx player 7.0\dr.divx.exe when chat files are opened.

   5. Creates the following subkeys:
          * HKEY_CLASSES_ROOT\ChatFile\Shell\open\ddeexec
          * HKEY_LOCAL_MACHINE\Software\Classes\irc\Shell\open\ddeexec

   6. Runs %Program Files%\Common Files\OOBE\DivX Player 7.0\Dr.DivX.exe in the background.

   7. By default, the Trojan allows the hacker to perform any of the following actions:
          * Download and execute files.
          * Perform Denial of Service (DoS) attacks against predetermined targets.
          * Attempt to compromise other machines through open shares or weak passwords.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken from: http://www.2-spyware.com/remove-wootbot-trojan.html

Full name: WootBot Trojan

Type: Trojans

Also known as: Trojan.WootBot, WootBot

Related files: navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe

Severity scale: (67 / 100)

WootBot Trojan description: This dangerous parasite is especially dangerous for PC gamers. WootBot tries to steal the CD-keys from various games and send these keys to the specified location. But not only this technique is a potential threat for the user of an infected machine; this parasite also tries to connect to the Internet and download various parasites from there. In case of success, even more problems may occur on the computer.

WootBot Trojan properties:
• Connects itself to the internet
• Hides from the user
• Stays resident in background

WootBot Trojan manual removal:
Kill processes:
navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe

Delete files:
navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, ctfnom.exe, symantec32.exe, syshelper.exe, mqguard.exe

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken from: http://www.2-spyware.com/file-ctfnom-exe.html


ctfnom.exe description:
File ctfnom.exe is related to trojan WootBot Trojan.

Files related to ctfnom.exe: navsys32.exe, svcshost.exe, elite.exe, winssv.exe, lsass2.exe, pomedsrv.exe, winapa.exe, symantec32.exe, syshelper.exe, mqguard.exe

File ctfnom.exe removal: WARNING!!! File ctfnom.exe is related to spyware. This is serious violation of your privacy, your system is under security threat.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken from: http://www.sophos.com/virusinfo/analyses/w32rbotwx.html

Desciption:
W32/Rbot-WX is a network worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-WX spreads using a variety of techniques including exploiting weak passwords on computers and SQL servers, exploiting operating system vulnerabilities (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other worms or Trojans.

W32/Rbot-WX can be controlled by a remote attacker over IRC channels. The backdoor component of W32/Rbot-WX can be instructed by a remote user to perform the following functions:


    * start an FTP server

    * start a Proxy server

    * start a web server

    * take part in distributed denial of service (DDoS) attacks

    * log keypresses

    * capture screen/webcam images

    * packet sniffing

    * port scanning

    * download/execute arbitrary files

    * start a remote shell (RLOGIN)


The worm copies itself to a file named lsassx.exe in the Windows system folder and creates the following registry entries:

HKCU\Software\Microsoft\OLE\
Windows Taskmanager=
"lsassx.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Taskmanager=
"lsassx.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Taskmanager=
"lsassx.exe"

Aliases: Backdoor.Win32.IRCBot.y

Affected operating systems: Microsoft Windows Operating Systems

Side effects::
    *  Allows others to access the computer
    * Reduces system security
    * Installs itself in the Registry
    * Exploits system or software vulnerabilities

To scan your computer for  W32/Rbot-WX, please check ARNIT Free Online Virus scanner at http://www.arnit.net/security/tplarnit.php?page=vscan

Info taken from http://www.trendmicro.com/vinfo/grayware/graywareDetails.asp?SNAME=SPYW_GATOR.D

Description:

This spyware program may be downloaded onto affected systems by other malware already installed on the said machines. It has the capability to download an updated copy of itself without the users' knowledge.

Programs of this type affects users' privacy by stealing confidential information and monitoring browsing behavior without consent.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Download the latest spyware pattern file and scan your system. Then, delete all files detected as SPYW_GATOR.D.

Details:

This spyware program may be downloaded onto affected systems by other malware already installed on the said machines. It has the capability to download an updated copy of itself without the users' knowledge.

Programs of this type affects users' privacy by stealing confidential information and monitoring browsing behavior without consent.

This is Trend Micro's detection for Dynamic Link Library (DLL) used by the Gator spyware.

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken From: http://www.sophos.com/virusinfo/analyses/trojlineaged.html

Description:
Troj/Lineage-D is a password-stealing Trojan for the Windows platform.

Troj/Lineage-D logs keystrokes for the game Lineage II and emails the author with the results.

Affected operating systems:

    * Windows

Side effects:

    * Steals information
    * Records keystrokes
    * Leaves non-infected files on computer

Technical Details:
Troj/Lineage-D is a password-stealing Trojan for the Windows platform.

Troj/Lineage-D logs keystrokes for the game Lineage II and emails the author with the results.

Troj/Lineage-D copies itself to the Windows system folder as "ttplorer.exe" and creates a DLL keylogging component "ttinject.dll" as well as the text file "ttdata32.dll" to keep the keylog results.

Troj/Lineage-D creates the following registry entry to run itself automatically on system login or startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Scvhost
<Windows system>\ttplorer.exe

For a complete system scan, virus detection and removal, please check out ARNIT FREE Online Virus Scanner at: http://www.arnit.net/security/tplarnit.php?page=vscan

For removal instruction please check out ARNIT Security Advisories at: http://www.arnit.net/security/sectips.php?platform=windows

Taken From http://www.sophos.com/virusinfo/analyses/w32mydoombc.html

Description:
 W32/MyDoom-BC is an email worm for the Windows platform.

Email sent by the worm has characteristics similar to the following examples:

Subject line:

hi
error
test
Message could not be delivered

Message body:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.

Attached file:

attachment.com
letter.zip
<username>.exe

Side effects:

    * Sends itself to email addresses found on the infected computer
    * Forges the sender's email address
    * Uses its own emailing engine
    * Installs itself in the Registry

Aliases:

    * Email-Worm.Win32.Mydoom.am
    * W32/Mydoom.bc@MM
    * W32/Mydoom.db@MM
    * Worm.Mydoom.M-2

Technical Details:
W32/MyDoom-BC is an email worm. When first run, the worm copies itself to either the Windows or Temp folders as java.exe, and adds one of the following registry entries to ensure that the copy is run each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaVM

W32/MyDoom-BC also creates a file named services.exe in the Windows or Temp folder and runs the file. Services.exe is a backdoor component.

W32/MyDoom-BC searches the hard disk email addresses. The worm searches files with the extensions PL*, PH*, TX*, HT*, ASP, TBB, SHT*, WAB, ADB and DBX and the Windows address book. In addition the worm may use an internet search engine to find more email addresses. The worm will send a query to the search engine using domain names from email addresses found on the hard disk and then examine the query results, searching for more addresses. The internet search engines used by W32/MyDoom-BC and the percentage chance that each is used are:

www.google.com (45%)
search.lycos.com (22.5%)
search.yahoo.com (20%)
www.altavista.com (12.5%)

When choosing addresses to send itself to W32/MyDoom-BC will avoid addresses which contain any of the following strings:

abuse
accoun
admin
anyone
arin.
avp
bar.
bugs
ca
domain
example
feste
foo
foo.com
gmail
gnu.
gold-certs
google
help
hotmail
info
listserv
mailer-d
master
me
microsoft
msdn.
msn.
no
nobody
noone
not
nothing
ntivi
page
panda
privacycertific
rarsoft
rating
ripe.
sample
sarc.
seclist
secur
sf.net
site
soft
someone
sophos
sourceforge
spam
spersk
submit
support
syma
the.bat
trend
update
uslis
winrar
winzip
yahoo
you
your

The email sent by the worm has a spoofed sender.

The subject line may be blank or one of the following:

hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error

The message text of the email is constructed from a set of optional strings within the worm. The message sent is blank or similar to one of the following messages:

Dear user of <domain>
Mail server administrator of <domain> would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
<domain> user support team.

The message could not be delivered

The original message was included as attachment

The original message was received at <time> from <address>
----- The following addresses had permanent fatal errors -----
<address>
----- Transcript of the session follows -----
... while talking to host <hostname>:
>>> MAIL From:<address>
<<< 501 User unknown
Session aborted
>>> RCPT To:<address>
<<< 550 MAILBOX NOT FOUND

The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was
not reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message was not delivered within <number> days:
Mail server <hostname> is not responding.
The following recipients did not receive this message:
<address>
Please reply to postmaster@<domain>
if you feel this message to be in error.

The attached file may be named similarly to the recipient's username or domain
or using one of the following names:

attachment
document
file
instruction
letter
mail
message
readme
text
transcript

with an optional extension of DOC, TXT, HTM, HTML followed by a number of spaces and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a zip file containing a file named as described.

W32/MyDoom-BC drops a file named services.exe in the Windows or Temp folder and runs the file.

Services.exe adds the following registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
services
<Windows or Temp folder>\services.exe

W32/MyDoom-BC also attempts to download and run files from several websites.
At the time of writing the downloaded files are detected by Sophos's anti-virus products as Troj/Surila-P.

Parts taken from http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.au@mm.html

Description:
W32.Mydoom.AU@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses that it gathers from a compromised computer. This worm is a minor variant of W32.Mydoom.AM@mm.

Also Known As:
Email-Worm.Win32.Mydoom.ak [Kaspersky Lab], W32/Mydoom.ba@MM [McAfee]

Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Technical Details:
Once executed, W32.Mydoom.AU@mm performs the following actions:

   1. Creates the files:

          * %System%\lsasrv.exe
          * %System%\version.ini
          * [path of execution]\hserv.sys

            Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   2. Creates the mutex -=RTSW.Smash 0a2a0=-, so that only one instance of the worm runs on the compromised computer.

   3. Adds the value:

      "lsass" = "%System%\lsasrv.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


      so that it is executed every time Windows starts.

   4. Modifies the value:

      "Shell" = "explorer.exe %System%\lsasrv.exe"

      in the registry subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

      so that it is executed every time Windows starts.

   5. Creates a text file named %Temp%\Mes#wtelw.txt, which contains only garbage data. The worm uses Notepad to open the file and display the garbage data.

      Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

   6. Gathers email addresses from the Windows Address Book and from files with the following extensions:

          * .wab
          * .pl
          * .adb
          * .tbb
          * .dbx
          * .asp
          * .php
          * .sht
          * .htm
          * .txt

            avoids sending itself to an email address that contains one of the following strings:

          * accoun
          * certific
          * listserv
          * ntivi
          * support
          * icrosoft
          * admin
          * page
          * the.bat
          * gold-certs
          * feste
          * submit
          * not
          * help
          * service
          * privacy
          * somebody
          * soft
          * contact
          * site
          * rating
          * bugs
          * you
          * your
          * someone
          * anyone
          * nothing
          * nobody
          * noone
          * webmaster
          * postmaster
          * samples
          * info
          * root
          * mozilla
          * utgers.ed
          * tanford.e
          * pgp
          * acketst
          * secur
          * isc.o
          * isi.e
          * ripe.
          * arin.
          * sendmail
          * rfc-ed
          * ietf
          * iana
          * usenet
          * fido
          * linux
          * kernel
          * google
          * ibm.com
          * fsf.
          * gnu
          * mit.e
          * bsd
          * math
          * unix
          * berkeley
          * foo.
          * .mil
          * gov.
          * .gov
          * ruslis
          * nodomai
          * mydomai
          * example
          * inpris
          * borlan
          * sopho
          * panda
          * hotmail
          * msn.
          * icrosof
          * syma
          * avp
          * .edu
          * abuse
          * www
          * fcnz
          * spm

   7. Uses its own SMTP engine to send itself to the email addresses that it finds. The email will have the following characteristics:

      From: Composes a fake address in the format [First name][Random last name]@[Domain]

      Where [First name] is one of the following:

          * Joseph
          * Ronald
          * Hannah
          * Kimberly
          * Maria
          * George
          * Charles
          * Len
          * Cissi
          * Sandra
          * Jennifer
          * Hans
          * Richard
          * Lee
          * Emily
          * Helen
          * Elizabeth
          * Donald
          * David
          * Harris
          * Nicholas
          * Betty
          * Barbara
          * Mark
          * William
          * Martin
          * Ethan
          * Karen
          * Linda
          * Paul
          * Michael
          * Edward
          * Cynthia
          * Nancy
          * Patricia
          * Daniel
          * Robert
          * Olivia
          * Angela
          * Dorothy
          * Kevin
          * Christopher
          * John
          * Josefine
          * Melissa
          * Susan
          * Anthony
          * Thomas
          * James


            and [Domain] is one of the following:

          * compuserve.com
          * juno.com
          * earthlink.net
          * yahoo.co.uk
          * hotmail.com
          * yahoo.com
          * msn.com
          * aol.com


            Subject:
            One of the following:

          * Attention!!!
          * Do not reply to this email
          * Error
          * Good day
          * hello
          * Mail Delivery System
          * Mail Transaction Failed
          * Server Report
          * Status


            Attachment:
            One of the following filenames:

          * body
          * message
          * docs
          * data
          * file
          * rules
          * doc
          * readme
          * document


            with one of the following extensions:

          * .bat
          * .cmd
          * .exe
          * .scr
          * .pif
          * .zip


            Message Body:
            One of the following:

          * Mail transaction failed. Partial message is available
          * The message contains Unicode characters and has been sent as a binary attachment.
          * The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
          * Mail transaction failed. Partial message is available.
          * Thank you for registering at WORLDXXXPASS.COM
            All your payment info, login and password you can find in the attachment file.
            It's a real good choise to go to WORLDXXXPASS.COM
          * Attention! New self-spreading virus!
            Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more.
            To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment.
            c 2004 Networks Associates Technology, Inc. All Rights Reserved
          * New terms and conditions for credit card holders
            Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web.
            Thank you,
            The World Bank Group
            c 2004 The World Bank Group, All Rights Reserved
          * Attention! Your IP was logged by The Internet Fraud Complaint Center
            Your IP was logged by The Internet Fraud Complaint Center. There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP. This is a serious crime, so all records was sent to the FBI. All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted.
            This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center
          * You have visited illegal websites
            I have a big list of the websites you surfed
          * You think it's funny? You are stupid idiot!!! I'll sendthe attachment to your ISP and then I'll be watchinghow you will go to jail, punk!!!
          * Your credit card was charged for $500 USD. For additional information see the attachment
          * ESMTP [Secure Mail System #334]: Secure message is attached
          * Encrypted message is available
          * Delivered message is attached
          * Can you confirm it?
          * Binary message is available
          * am shocked about your document!
          * Are you a spammer? (I found your email on a spammer website!?!
          * Bad Gateway: The message has been attached
          * Here is your documents you are requested

   8. Copies itself to shared folders of Kazaa, Morpheus, iMesh, eDonkey, or LimeWire. The file has one of the following names with either a bat, pif, scr, or exe extension:

          * porno
          * NeroBROM6.3.1.27
          * avpprokey
          * Ad-awareref01R349
          * winxp_patch
          * adultpasswds
          * dcom_patches
          * K-LiteCodecPack2.34a
          * activation_crack
          * icq2004-final
          * winamp5

   9. Attempts to disable the following processes, including firewall and antivirus applications:

          * i11r54n4.exe
          * irun4.exe
          * d3dupdate.exe
          * rate.exe
          * ssate.exe
          * winsys.exe
          * winupd.exe
          * SysMonXP.exe
          * bbeagle.exe
          * Penis32.exe
          * teekids.exe
          * MSBLAST.exe
          * mscvb32.exe
          * sysinfo.exe
          * PandaAVEngine.exe
          * taskmon.exe
          * wincfg32.exe
          * outpost.exe
          * zonealarm.exe
          * navapw32.exe
          * navw32.exe
          * zapro.exe
          * msblast.exe
          * netstat.exe

  10. Appends the following lines to the Hosts file to prevent access to antivirus-related Web sites:

      127.0.0.1 www.symantec.com
      127.0.0.1 securityresponse.symantec.com
      127.0.0.1 symantec.com
      127.0.0.1 www.sophos.com
      127.0.0.1 sophos.com
      127.0.0.1 www.mcafee.com
      127.0.0.1 mcafee.com
      127.0.0.1 liveupdate.symantecliveupdate.com
      127.0.0.1 www.viruslist.com
      127.0.0.1 viruslist.com
      127.0.0.1 www.f-secure.com
      127.0.0.1 f-secure.com
      127.0.0.1 kaspersky.com
      127.0.0.1 kaspersky-labs.com
      127.0.0.1 www.avp.com
      127.0.0.1 avp.com
      127.0.0.1 www.kaspersky.com
      127.0.0.1 www.networkassociates.com
      127.0.0.1 networkassociates.com
      127.0.0.1 www.ca.com
      127.0.0.1 ca.com
      127.0.0.1 mast.mcafee.com
      127.0.0.1 www.my-etrust.com
      127.0.0.1 my-etrust.com
      127.0.0.1 download.mcafee.com
      127.0.0.1 dispatch.mcafee.com
      127.0.0.1 secure.nai.com
      127.0.0.1 www.nai.com
      127.0.0.1 nai.com
      127.0.0.1 update.symantec.com
      127.0.0.1 updates.symantec.com
      127.0.0.1 us.mcafee.com
      127.0.0.1 liveupdate.symantec.com
      127.0.0.1 customer.symantec.com
      127.0.0.1 rads.mcafee.com
      127.0.0.1 www.trendmicro.com
      127.0.0.1 trendmicro.com
      127.0.0.1 www.grisoft.com
      127.0.0.1 grisoft.com

[B]Removal Instructions:[B]
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

   1. Disable System Restore (Windows Me/XP).
   2. Update the virus definitions.
   3. Run a full system scan and delete all the files detected as W32.Mydoom.AU@mm.
   4. Delete the value that was added to the registry.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

    * "How to disable or enable Windows Me System Restore"
    * "How to turn off or turn on Windows XP System Restore"


Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.


2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

    * Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
    * Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should dow