W32/Maax@MM

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Minimum DAT

4248 (2003-02-19)

Updated DAT

4248 (2003-02-19)

Minimum Engine

5.1.00

File Length

11,776 bytes

Description Added

2003-02-12

Description Modified

2003-02-12

Malware Proliferation

Characteristics

This virus was submitted to several anti-virus companies by the virus author. It is not known to be in the wild.

This is a mass-mailing, and peer-to-peer file sharing worm. It spreads via Microsoft Outlook, KaZaA, KaZaA Lite, Morpheus, Grokster, BearShare, Edonkey2000, and Limewire.

Email Propagation
It may arrive in an email message with the following information:

Subject: One of the following

Are you a Bussiness man?
Care to trade world map?
DAA Holding have an Idea for Bussiness man
Do you have an enough salaries for you job?
Don't missed Logon to DAABussiness.com
Don't waste you money!
Good Idea For ya!
Great Job for Professional Programmer
Hello man!
Hey, how are you?
Hi! ;)
How to make a money in one day?
How to prevent from Pirate CD!
HOW TO PREVENT YOUR EMAIL FROM VIRUSES?
IMPORTANT DISCUSSION!
Job for you!
NICE TO MEET YOU!
No More Blood!
Trade and Care about customer!
Who's should be attacked first?

Body:

Hello Mr/Mrs/Sir/Mdm,

I have an Idea for you, This will make your business more efficient. To download this important tips just click here or you can downloaded the files from an attachment.

Regard,
Alexander Joshia
Executive Manager of DAA Holding

Attachment: Axam.exe

Note: The email message links to the virus on the virus author's website.

When the attachment is run, a message box is displayed:

PreSeNt Axam Spitmaxa W0rM -=< GReeTz to AsEaN HacKeRs GrOuP >=-
> MelHacKer > InVisible_man > AjeedNASA > Zied666 > Foot-Art > PakBrain aNd All mY fRieNd iN thE WorLd... Melhacker, Inc. (c) Copyright 1995-2003. All Right Reserved.

P2P Propagation
The virus copies itself to the following peer to peer file sharing software folders:

\KMD\My Shared Folder\Axam.exe
\Kazaa\My Shared Folder\Invisible_man.exe
\KaZaA Lite\My Shared Folder\AjeedNASA.exe
\Morpheus\My Shared Folder\Blaster.exe
\Grokster\My Grokster\XXX_HOTSEX.exe
\BearShare\Shared\fxbgbear.exe
\Edonkey2000\Incoming\setup_flash.exe
\limewire\Shared\Super Mario.exe

System Changes
The virus copies itself to 2 locations on the local system:

%StartUp Folder%\Axam.exe
%Application Data%\Axam.exe

A registry run key is created to load the worm at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "sysaxam32" = %Application Data%\Axam.exe

The default handling of .EXE files is altered in the registry such that whenever an .EXE file is run, the virus is run instead:

HKEY_CLASSES_ROOT\Spitmaxa\DefaultIcon "(Default)" = %1
HKEY_CLASSES_ROOT\Spitmaxa\shell\open\command "(Default)" =
C:\WINDOWS\Application Data\Axam.exe "%1" %*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "sysaxam32" = C:\WINDOWS\Application Data\Axam.exe
HKEY_CLASSES_ROOT\.exe "(Default)" = Spitmaxa

Payload
The virus terminates the following processes:

_Avp32.exe
_Avpcc.exe
_Avpm.exe
Ackwin32.exe
Anti-Trojan.exe
Apvxdwin.exe
Autodown.exe
Avconsol.exe
Ave32.exe
Avgctrl.exe
Avkserv.exe
Avnt.exe
Avp.exe
Avp32.exe
Avpcc.exe
Avpdos32.exe
Avpm.exe
Avptc32.exe
Avpupd.exe
Avsched32.exe
Avwin95.exe
Avwupd32.exe
Blackd.exe
Blackice.exe
ccApp.exe
Cfiadmin.exe
Cfiaudit.exe
Cfinet.exe
Cfinet32.exe
Claw95.exe
Claw95cf.exe
Cleaner.exe
Cleaner3.exe
Cmd.exe
Command.com
Dvp95.exe
Dvp95_0.exe
Ecengine.exe
Esafe.exe
Espwatch.exe
F-Agnt95.exe
Findviru.exe
Fprot.exe
F-Prot.exe
F-Prot95.exe
Fp-Win.exe
Frw.exe
F-Stopw.exe
HH.exe
Iamapp.exe
Iamserv.exe
Ibmasn.exe
Ibmavsp.exe
Icload95.exe
Icloadnt.exe
Icmon.exe
Icsupp95.exe
Icsuppnt.exe
Iface.exe
Iomon98.exe
Jedi.exe
Lockdown2000.exe
Lookout.exe
Luall.exe
Moolive.exe
Mpftray.exe
N32scanw.exe
Navapw32.exe
Navlu32.exe
Navnt.exe
Navw32.exe
Navwnt.exe
Nisum.exe
Nmain.exe
Normist.exe
Nupgrade.exe
Nvc95.exe
Outpost.exe
Padmin.exe
Pavcl.exe
Pavsched.exe
Pavw.exe
Pccwin98.exe
Pcfwallicon.exe
Persfw.exe
Rav7.exe
Rav7win.exe
Regedit.com
Regedit.exe
Rescue.exe
Safeweb.exe
Scan32.exe
Scan95.exe
Scanpm.exe
Scrscan.exe
Serv95.exe
Smc.exe
Sphinx.exe
Sweep95.exe
Tbscan.exe
Tca.exe
Tds2-98.exe
Tds2-Nt.exe
VControl.exe
Vet95.exe
Vettray.exe
Vscan40.exe
Vsecomr.exe
Vshwin32.exe
Vsstat.exe
Webscanx.exe
Wfindv32.exe
Zonealarm.exe

The virus appends the C:\AUTOEXEC.BAT file with the following commands:

echo off
cls
echo ###################################
echo ...-= AxAm WOrm PreSenT =-...
echo ###################################
pause >>NUL

The code also suggests that instructions to format the C: and D: drives may be inserted as well. This was not observed during testing.

Symptoms

Inability to run executable files.

Method of Infection

This mass-mailing worm sends itself to all recipients found in the Outlook Address Book, using MAPI. It also relies on default P2P file sharing paths to spread via popular P2P servent applications.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Threat Detail