This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Size: approx. 34 kB (EXE, ZIP); 8,192 bytes (dropped EXE)
This new variant of W32/Mydoom is packed with ASPack.
The dropped SERVICES.EXE is the same binary W32/Mydoom.o@MM uses.
The behaviour is similar to W32/Mydoom.o@MM and bears the following characteristics:
(spoofed From: header)
Do not assume that the sender address is an indication that the sender is infected. Additionally, you may receive alert messages from a mail server stating that you are infected, which may not be the case.
The From: address may be spoofed with a harvested email address. Additionally, it may be constructed so as to appear as a bounce, using the following addresses:
The following display names are used in this case:
The following subjects are used:
The virus constructs messages from pools of strings it carries in its body. For example:
The attachment may be an EXE file with one of the following extensions:
It may also be a copy of the worm within a ZIP file (may be doubly ZIPped). In this case the extension is:
The attachment may use the target email address name as the filename, in addition to the following:
The attachment may use a double extension, and there may be multiple spaces inserted between the file extensions to deceive users.
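The double-extension and space-padding trick described above can be checked mechanically on the mail gateway. The following is an added example written for this page (not McAfee's detection logic); the executable and decoy extension sets are assumptions, since the advisory's own extension lists are not reproduced here, and the sample filenames are constructed.

```python
import re

# Assumed executable extension set for this heuristic; the advisory's own
# attachment extension list is not reproduced on this page.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "bat", "cmd", "com"}
# Assumed harmless-looking extensions a worm might place before the real one.
DECOY_EXTENSIONS = {"txt", "doc", "htm", "html", "pdf", "jpg", "gif", "zip"}


def analyse_attachment_name(filename: str) -> dict:
    """Heuristic checks for a double extension and whitespace padding.

    'suspicious' is True when the real (final) extension is executable and
    the name also shows a decoy extension or whitespace adjacent to a dot.
    """
    pieces = filename.split(".")
    # The final extension, with any padding stripped, decides what runs.
    final_ext = pieces[-1].strip().lower() if len(pieces) > 1 else ""
    executable = final_ext in EXECUTABLE_EXTENSIONS
    # Any inner piece that looks like a document extension is a decoy.
    decoys = [p.strip().lower() for p in pieces[1:-1]
              if p.strip().lower() in DECOY_EXTENSIONS]
    # Whitespace immediately before or after a dot is the "multiple spaces"
    # trick meant to push the real extension out of view.
    padded = re.search(r"\s\.|\.\s", filename) is not None
    return {
        "filename": filename,
        "final_extension": final_ext,
        "executable": executable,
        "double_extension": bool(decoys),
        "padded": padded,
        "suspicious": executable and (bool(decoys) or padded),
    }


def scan_attachment_names(filenames):
    """Return the subset of names the heuristic flags, in input order."""
    return [f for f in filenames if analyse_attachment_name(f)["suspicious"]]


# Constructed sample names (not taken from any real message).
SAMPLE_NAMES = [
    "document.txt          .exe",
    "notes.doc.scr",
    "report.pdf",
    "setup.exe",
    "photo.jpg .pif",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(analyse_attachment_name(name))
```

A plain `setup.exe` is reported as executable but not flagged as suspicious by this heuristic; whether bare executable attachments are blocked outright is a separate gateway policy decision.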
Email Address Harvesting
Email addresses are harvested from the following file types on the victim machine:
The virus queries four search engines to harvest addresses from the results returned from such queries:
The virus will also harvest email addresses from any Outlook window that is active on the victim machine.
The virus avoids emailing itself to target domains containing any of the following strings:
Peer to Peer Propagation
The virus is intended to copy itself to folders containing the following strings:
It also drops the file SERVICES.EXE into this directory:
The following Registry keys are added to hook system startup:
The following Registry keys are also added:
TCP port 1034 is opened on the victim machine by the SERVICES.EXE process, which listens for incoming connections. This process also sends TCP network traffic from a high port on the infected machine to randomly generated IP addresses on destination port 1034. When another IP address is found to be infected with the backdoor, that machine's IP address is encrypted and written to a file named zincite.log.
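The outbound probing to random addresses on port 1034 produces a fan-out pattern that is visible in flow or firewall logs even when the payload is not. The following is an added example for this page (not McAfee's detection logic): it parses constructed flow records and flags any source that has contacted an assumed threshold of distinct destinations on port 1034. The log format, the threshold and all addresses are constructed for the example.

```python
from collections import defaultdict

BACKDOOR_PORT = 1034   # port opened and probed by the dropped SERVICES.EXE
FANOUT_THRESHOLD = 5   # assumed: distinct destinations before a host is flagged

# Constructed sample flow records (not real captures): "time src dst dport".
SAMPLE_FLOWS = """\
10:00:01 10.0.0.5 198.51.100.7 1034
10:00:01 10.0.0.5 203.0.113.9 1034
10:00:02 10.0.0.5 192.0.2.44 1034
10:00:02 10.0.0.5 198.51.100.200 1034
10:00:03 10.0.0.5 203.0.113.77 1034
10:00:03 10.0.0.5 192.0.2.3 1034
10:00:04 10.0.0.8 192.0.2.10 443
10:00:05 10.0.0.8 192.0.2.10 1034
10:00:06 10.0.0.9 10.0.0.5 1034
"""


def parse_flows(text):
    """Parse whitespace-separated 'time src dst dport' records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((ts, src, dst, int(dport)))
    return flows


def port_1034_talkers(flows):
    """Every source that touched port 1034 at all (low-confidence lead)."""
    return sorted({src for _, src, _, dport in flows if dport == BACKDOOR_PORT})


def find_scanners(flows, threshold=FANOUT_THRESHOLD):
    """Return {src: sorted distinct destinations} for sources whose port-1034
    fan-out reaches the threshold; random-address probing looks like this,
    a single legitimate connection does not."""
    targets = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport == BACKDOOR_PORT:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("hosts talking on 1034:", port_1034_talkers(flows))
    for src, dsts in find_scanners(flows).items():
        print(f"fan-out from {src}: {len(dsts)} distinct destinations")
```

In the sample data only 10.0.0.5 reaches the threshold; 10.0.0.8 and 10.0.0.9 each made a single port-1034 connection and are left as leads for triage rather than alerts, which is the distinction the fan-out count is meant to draw.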
This worm propagates via email constructing messages using its own SMTP engine. Email addresses are harvested from the victim machine, and the From: address of outgoing messages is spoofed.
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).