W32/Derdero.a@MM

This is a mass-mailing virus that bears the following characteristics:

• contains its own SMTP engine to construct outgoing messages
• infects file by prepending itself

The virus is proactively detected as New Malware.b with DATs 4232 or higher when heuristic scanning is enabled.

When run, the virus displays a fake error message box "Runtime error '4': String out of bounds".

The virus creates the following files in the Windows system32 directory:

• detroit.txt
• exe64.sys
• SysHeal.exe
• thunk32.exe
• zip64.sys

It creates the following registry key in order to load itself at Windows startup:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "32-bit Thunking service" = "%SysDir%\thunk32.exe "

It copies itself to folder contains "shar" string using the following filenames:

• Nero ACID new cd burning and p2p.exe
• Internet Explorer 7.exe
• Nero ACID new cd burning and p2p.exe
• Snood new version.exe
• Tits.mpeg                                                .scr
• Visual Studio.NET.FULL.rar                                                   .exe
• WinAmp 5 Crack.exe
• Windows XP crack.zip                                              .exe
• Windows XP Pro SP2.pif
• Young teen gets reamed.mpg       

It creates files with long blank file name with ".exe", ".pif" extension.

The virus harvests email addresses from files on local machine, uses its own SMTP engine to send mail.  The email sent has the following characteristics:

From: (one of the following sender name)@(collected addresses)

• administration
• management
• service
• userhelp

Subject: (one of the following)

• Urgent Update!
• Server Error
• AHKER.C Alert
• URGENT PLEASE READ!
• Detailed Information
• User Information
• New Worm Alert
• Malware Avoidance tips

Body: (one of the following )

• Our Email system has received reports of your account flooding email servers. There is more information on this matter in the attachment
• Our server is experiencing some latency in our email service. The attachment contains details on how your account will be affected.
• Please run the urgent patch attached to protect yourself from a new worm
• There is urgent information in the attachment regarding your Email account
• Your Email account information has been removed from the system due to inactivity. To renew your account information refer to the attachment
• We regret to inform you that your account has been hijacked and used for illegal purposes. The attachment has more information about what has happened.
• Due to recent internet attacks, your Email account security is being upgraded. The attachment contains more details
• A new worm is circulating around. To protect yourself, read the attached document
• As a service to our users, we have attached a note on avoiding malware.

Attachment: (one of the following file names)

• Update
• Details
• Information
• Gift
• Word_Document
• Account_Information
• Malware_prevention_tips
• Patch

with the following extension:

• .bmp.cmd
• .cmd
• .doc.pif
• .exe
• .pif
• .scr
• .txt.exe
• zip

The virus searches executable files on local machine.  It prepends itself to any files found.

The virus terminates a list of antivirus application processes.

Existence of the registry key and files mentioned above.

The virus propagates via SMTP mail and file sharing.

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations