W32/Blurt@MM

This threat is deemed Low-Profiled due to media attention at http://www.theregister.co.uk/content/56/32662.html

McAfee users are proactively protected from this threat when scanning with the 4252 DAT files, compressed executables, and the 4.2.40 scan engine.  4.1.60 engine users are also protected under the same scenario, but also require program heuristics.  The detection name varies with DAT file version and engine, and will be along the lines of W32/Generic or New Worm.

The virus is detected as W32/Generic.worm!irc This worm attempts to spread via Microsoft Outlook, and Internet Relay Chat. The worm also terminates security software, contains a Denial of Service attack payload, a web page overwriting payload, and disables the registry editor and task manager. The virus may be received in an email message as follows:

Subject : (one of the following)
• Your Account Infomation.
• Your Account is on hold.
• Your Account has been suspended.
• Account Infomation.
• Account Invoice.
• Email Account Infomation.
• This quaters invoice.
• Account Billing Information.
• YOUR ACCOUNT REF:
• ORDER CONFIRMATION:
• Account,is on hold.

Body :

• Dear Sir,

Followed by

• Please can you check that your account information is up to date.
  Your details are attached to this email.
• Please can you confirm that your account information is correct.
  Your current details are attached to this email.
• Please find attached this quaters invoice for your Internet Account. 
• Please find your details attached. Thank you.
  Details are attached to this email. 

Followed by

• Regards, Billing Team.
  Regards, Support Team.

Attachment : (one of the following)
• Account Invoice.Doc.exe
• Your Account.Doc.exe
• Account Details.Doc.exe
• Your Account Info.Doc.exe
• Account Information.Doc.exe
• Billing Information.Doc.exe
• Invoice.Doc.exe
• Account Update.Doc.exe
• Account Status.Doc.exe
• Your Account Status.exe

For example:

When the attachment is run (manually accessed with the mouse or keyboard), the virus attempts to copy itself to the PROGRA~1 (Program Files) directory as ACCOUNT_DETAILS.DOC.exe. This failed during testing. A registry key is created to load this, non-existent, file:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
  Run "Windows Task Manager" = c:\progra~1\ACCOUNT_DETAILS.DOC.exe

• Infected by the WIN32.SORT-IT-OUT-BLAIR Virus!

• c:\inetpub\wwwroot\default.asp
• c:\inetpub\wwwroot\default.htm
• c:\inetpub\wwwroot\default.html
• c:\inetpub\wwwroot\index.asp
• c:\inetpub\wwwroot\index.htm
• c:\inetpub\wwwroot\index.html

Hey, Do you want to take part of the iRC chain mail world record? If so all you have to do is load up the program add your irc nick and press submit! Just rename the file from .irc to .exe and your ready to go!

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
  Policies\System "DisableRegistryTools" = 1
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
  Policies\System "DisableTaskMgr" = 1

The virus terminates the following processes:

• ADVXDWIN.EXE
• ALERTSVC.EXE
• ALOGSERV.EXE
• AMON9X.EXE
• ANTI-TROJAN.EXE
• ANTS.EXE
• APVXDWIN.EXE
• ATCON.EXE
• ATUPDATER.EXE
• ATWATCH.EXE
• AUTODOWN.EXE
• AVCONSOL.EXE
• AVE32.EXE
• AVGCC32.EXE
• AVGCTRL.EXE
• AVGSERV.EXE
• AVGSERV9.EXE
• AVGW.EXE
• AVKSERV.EXE
• AVNT.EXE
• AVP.EXE
• AVP32.EXE
• AVPCC.EXE
• AVPDOS32.EXE
• AVPM.EXE
• AVPTC32.EXE
• AVPUPD.EXE
• AVSCHED32.EXE
• AVSYNMGR.EXE
• AVWIN95.EXE
• AVWINNT.EXE
• AVWUPD32.EXE
• AVXMONITOR9X.EXE
• AVXMONITORNT.EXE
• AVXQUAR.EXE.EXE
• AVXW.EXE
• AgentSvr.exe
• AutoTrace.exe
• Avgctrl.exe
• Avsched32.exe
• BLACKD.EXE
• BLACKICE.EXE
• CFIADMIN.EXE
• CFIAUDIT.EXE
• CFINET.EXE
• CFINET32.EXE
• CLAW95.EXE
• CLAW95CF.EXE
• CLEANER.EXE
• CLEANER3.EXE
• CMGRDIAN.EXE
• CONNECTIONMONITOR.EXE
• CPD.EXE
• CPDCLNT.EXE
• DEFWATCH.EXE
• DOORS.EXE
• DVP95.EXE
• DVP95_0.EXE
• ECENGINE.EXE
• EFPEADM.EXE
• ESAFE.EXE
• ESPWATCH.EXE
• ETRUSTCIPE.EXE
• EVPN.EXE
• EXPERT.EXE
• F-AGNT95.EXE
• F-PROT.EXE
• F-PROT95.EXE
• F-STOPW.EXE
• FINDVIRU.EXE
• FP-WIN.EXE
• FPROT.EXE
• FRW.EXE
• GENERICS.EXE
• GUARD.EXE
• GUARDDOG.EXE
• IAMAPP.EXE
• IAMSERV.EXE
• IBMASN.EXE
• IBMAVSP.EXE
• ICLOAD95.EXE
• ICLOADNT.EXE
• ICMON.EXE
• ICSUPP95.EXE
• ICSUPPNT.EXE
• IFACE.EXE
• IOMON98.EXE
• ISRV95.EXE
• InoRT.exe
• InoRpc.exe
• InoTask.exe
• JEDI.EXE
• LDNETMON.EXE
• LDPROMENU.EXE
• LDSCAN.EXE
• LOCKDOWN.EXE
• LOCKDOWN2000.EXE
• LOOKOUT.EXE
• LUALL.EXE
• LUCOMSERVER.EXE
• MCAGENT.EXE
• MCMNHDLR.EXE
• MCSHIELD.EXE
• MCTOOL.EXE
• MCUPDATE.EXE
• MCVSRTE.EXE
• MCVSSHLD.EXE
• MGAVRTCL.EXE
• MGAVRTE.EXE
• MGHTML.EXE
• MINILOG.EXE
• MONITOR.EXE
• MOOLIVE.EXE
• MPFTRAY.EXE
• MWATCH.EXE
• N32SCANW.EXE
• NAVAPSVC.EXE
• NAVAPW32.EXE
• NAVLU32.EXE
• NAVNT.EXE
• NAVW32.EXE
• NAVWNT.EXE
• NDD32.EXE
• NETUTILS.EXE
• NISSERV.EXE
• NISUM.EXE
• NMAIN.EXE
• NORMIST.EXE
• NPROTECT.EXE
• NPSSVC.EXE
• NSCHED32.EXE
• NTVDM.EXE
• NTXconfig.exe
• NUPGRADE.EXE
• NVC95.EXE
• NWService.exe
• NWTOOL16.EXE
• Navapw32.exe
• NeoWatchLog.exe
• Nui.EXE
• PADMIN.EOUTPOST.EXE
• PADMIN.EXE
• PAVCL.EXE
• PAVSCHED.EXE
• PAVW.EXE
• PCCIOMON.EXE
• PCCWIN98.EXE
• PCFWALLICON.EXE
• PERSFW.EXE
• POP3TRAP.EXE
• POPROXY.EXE
• PORTMONITOR.EXE
• PROCESSMONITOR.EXE
• PVIEW95.EXE
• RAV7.EXE
• RAV7WIN.EXE
• REALMON.EXE
• RESCUE.EXE
• RTVSCN95.EXE
• Realmon.exe
• SAFEWEB.EXE
• SCAN32.EXE
• SCAN95.EXE
• SCANPM.EXE
• SCRSCAN.EXE
• SERV95.EXE
• SMC.EXE
• SPHINX.EXE
• SPYXX.EXE
• SS3EDIT.EXE
• SWEEP95.EXE
• SWNETSUP.EXE
• SYMPROXYSVC.EXE
• SYMTRAY.EXE
• SymProxySvc.exe
• TBSCAN.EXE
• TC.EXE
• TCA.EXE
• TCM.EXE
• TDS-3.EXE
• TDS2-98.EXE
• TDS2-NT.EXE
• TFAK.EXE
• VET32.EXE
• VET95.EXE
• VETTRAY.EXE
• VIR-HELP.EXE
• VPC32.EXE
• VPTRAY.EXE
• VSCAN40.EXE
• VSCHED.EXE
• VSECOMR.EXE
• VSHWIN32.EXE
• VSMAIN.EXE
• VSMON.EXE
• VSSTAT.EXE
• VbCons.exe
• WATCHDOG.EXE
• WEBSCANX.EXE
• WEBTRAP.EXE
• WFINDV32.EXE
• WGFE95.EXE
• WIMMUN32.EXE
• WRADMIN.EXE
• WRCTRL.EXE
• ZAPRO.EXE
• ZONEALARM.EXE
• _AVP32.EXE
• _AVPCC.EXE
• _AVPM.EXE
• apvxdwin.exe
• avkpop.exe
• avkservice.exe
• avkwctl9.exe
• defscangui.exe
• fameh32.exe
• fch32.exe
• fih32.exe
• fnrb32.exe
• fsaa.exe
• fsav32.exe
• fsgk32.exe
• fsm32.exe
• fsma32.exe
• fsmb32.exe
• gbmenu.exe
• gbpoll.exe
• zapro.exe
• iamapp.exe
• netstat.exe
• nisum.exe
• ntrtscan.EXE
• nvsvc32.exe
• pavproxy.exe
• pccntmon.EXE
• pccwin97.EXE
• pcscan.EXE
• regedit.exe
• sbserv.exe
• sscansvc.exe
• taskmgr.exe
• vbcmserv.exe
• vsmon.exe
• zonealarm.exe

The virus attempts to stop the following services:

• Event Log
• Messenger
• Zonealarm
• TrueVector Internet Monitor
• Norton Antivirus Auto Protect Service
• Norton Internet Security Accounts Manager
• Norton Internet Security Proxy Service
• Norton Internet Security Service 
• Norton AntiVirus Server
• Norton AntiVirus Auto Protect Service
• Norton AntiVirus Client
• Symantec AntiVirus Client
• McShield
• IPSEC Policy Agent
• DefWatch
• WMDM PMSP Service

This virus spreads via Microsoft Outlook (by sending itself to Outlook Address Book recipients) and the mIRC Internet Relay Chat client.

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

• Insert the Windows XP CD into the CD-ROM drive and restart the computer.
• When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
• Select the Windows installation that is compromised and provide the administrator password.
• Issue 'fixmbr' command to restore the Master Boot Record
• Follow onscreen instructions.
• Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

• Insert the Windows CD into the CD-ROM drive and restart the computer.
• Click on "Repair Your Computer".
• When the System Recovery Options dialog comes up, choose the Command Prompt.
• Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
• Follow onscreen instructions.
• Reset and remove the CD from CD-ROM drive.