W32/Syney@MM

Proactive detection: Products running the 4.2.40 engine with the 4283 DATs or greater detect this threat as "W32/Generic.worm!p2p".

This will be detected exactly as W32/Syney@MM with the 4293 DATs and higher.

Mail Propagation

This worm uses Microsoft Outlook to send itself to all the email addresses found the Outlook Address Book.

The email has the following characteristics:

Subject:
Fwd:
Message:
Do you want to surprise you wife or husband? Do you want to do something Romantic for them? Wanna find out how to get lucky ;? Sydney has made this Awesome Document Attached.  It tells men everything a Lady wants! And ladies you can add stuff onto it before forwarding it to all your freinds.

Installation

When run, the worm displays the following message:

Then, it installs itself onto the victim machine as:

• c:\Attach.exe (Size: 536 578 bytes)
• c:\Batch.Bat (Size: 7 635 bytes)
• c:\Time.Bat (Size: 717 bytes)
• c:\Virus.exe (Size: 536 578 bytes)
• c:\VirusGen.Bat (Size: 864 bytes)

The following registry key is set to hook system startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "filename " = pathname filename .exe

Where filename is the original name of the file and pathname is the directory where the file were run.

Attachment: Attach.exe

The worm also modifies AUTOEXEC.BAT file by adding a new control at the end of the file to run it at startup :

• "Start C:\Virus.Exe"

The worm deletes the REGEDIT.EXE file and creates various BATCH files to be able to run various payloads:

c:\VirusGen.Bat copies itself to following locations:

• %windir%\%random%\%random%.bat
• %SystemRoot%\%random%\%random%.bat
• %programfilesdir%\%random%\%random%.bat
• %programfilesdir%\%random%\%

where:

• %Random% is a self-generated random number
• %Windir% is the Windows folder
• %SystemRoot% is the System folder
• %programfilesdir% is the Program Files folder

C:\Batch.Bat  attempts to induce the Distributed Denial of Service (DDoS) attacks against the following Web sites:

• www.Microsoft.com
• www.Norton.com
• www.Mcafee.com

The worm spreads via mailing itself to recipients listed in the Outlook address book, using Outlook to construct outgoing messages

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.