W32/Archiles.worm

This page shows details and results of our analysis on the malware W32/Archiles.worm

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

5005 (2007-04-10)

Updated DAT

5038 (2007-05-24)

Minimum Engine

5.1.00

File Length

various

Description Added

2007-04-10

Description Modified

2007-05-31

Malware Proliferation

Characteristics

W32/Archiles.worm attempts to copy itself to removable storage devices, such as USB drives; the autorun.inf listed below is the standard mechanism for launching such a copy automatically when the device is attached to another computer.
It also appends the following string to the Internet Explorer window title:
"Hacked by 1BYTE {'NO VIRUS NO WORK NO MONEY'}"
The following files are added to the system:
C:\WINDOWS\inf\lsass.exe
C:\WINDOWS\system32\CatRoot2\tmp.edb
C:\WINDOWS\csrss.exe
C:\WINDOWS\smss.exe
C:\autorun.inf
C:\winlogon.exe
The executables borrow the names of core Windows processes (lsass, csrss, smss, winlogon), but the legitimate binaries live in %SystemRoot%\system32, not at the paths above.
To keep its files hidden and to stop the user from terminating or deleting them, the worm disables operating-system features such as the Registry Editor (regedit) and Task Manager.

Symptoms

Presence of the files added to the system:
C:\WINDOWS\inf\lsass.exe
C:\WINDOWS\system32\CatRoot2\tmp.edb
C:\WINDOWS\csrss.exe
C:\WINDOWS\smss.exe
C:\autorun.inf
C:\winlogon.exe
Note that tmp.edb in CatRoot2 is also created by the Cryptographic Services catalog database on a clean system, so its presence on its own is not conclusive; copies of lsass.exe, csrss.exe, smss.exe and winlogon.exe outside %SystemRoot%\system32 are.
The user will also see a message that an application "has been disabled by your administrator" when starting tools such as Task Manager or the Registry Editor (regedit).
Another symptom is the string "Hacked by 1BYTE {'NO VIRUS NO WORK NO MONEY'}" appearing in the Internet Explorer window title while browsing.
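The following triage script checks a host for the file, registry and autorun.inf indicators named in the Characteristics and Symptoms sections. It is an added example written for this page, not McAfee/AVERT code. It assumes that the worm disables Task Manager and the Registry Editor through the standard policy values DisableTaskMgr and DisableRegistryTools under HKCU\...\Policies\System, and sets the browser title through the Window Title value under HKCU\Software\Microsoft\Internet Explorer\Main; the description states the symptoms, not where the worm writes, so those locations are assumptions. The sample evidence at the bottom is constructed, not captured from a real host; on a Windows machine the same checks run against the live system.

```python
"""Triage for the W32/Archiles.worm indicators described above (added example, see lead-in)."""
import os
import sys

# File indicators exactly as listed under Characteristics.
IOC_FILES = [
    r"C:\WINDOWS\inf\lsass.exe",
    r"C:\WINDOWS\system32\CatRoot2\tmp.edb",
    r"C:\WINDOWS\csrss.exe",
    r"C:\WINDOWS\smss.exe",
    r"C:\autorun.inf",
    r"C:\winlogon.exe",
]
# tmp.edb is also created by Cryptographic Services on a clean XP host: reported, never decisive.
WEAK_FILES = {r"c:\windows\system32\catroot2\tmp.edb"}
IOC_TITLE = "Hacked by 1BYTE {'NO VIRUS NO WORK NO MONEY'}"
# Assumption: the description names the symptoms, not the registry values behind
# them; these are the standard Windows policy values that produce those symptoms.
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IE_MAIN_KEY = r"HKCU\Software\Microsoft\Internet Explorer\Main"
IOC_REG = {
    (POLICY_KEY, "DisableRegistryTools"): 1,
    (POLICY_KEY, "DisableTaskMgr"): 1,
    (IE_MAIN_KEY, "Window Title"): IOC_TITLE,
}

def check_files(existing):
    """Return the listed paths present in `existing` (case-insensitive)."""
    present = {p.lower() for p in existing}
    return [p for p in IOC_FILES if p.lower() in present]

def check_registry(values):
    """values maps (key, name) -> data; return (key, name, data) for each match."""
    hits = []
    for (key, name), want in IOC_REG.items():
        got = values.get((key, name))
        if name == "Window Title":
            matched = got is not None and IOC_TITLE in str(got)  # may be appended to another title
        else:
            matched = isinstance(got, int) and got == want  # REG_DWORD; other types ignored
        if matched:
            hits.append((key, name, got))
    return hits

def autorun_targets(text):
    """Return what an autorun.inf launches: open=, shellexecute= and shell\\...\\command=."""
    targets, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value.strip())
    return targets

def assess(existing, values, autorun_text=""):
    """Combine the three checks into one verdict."""
    report = {"files": check_files(existing), "registry": check_registry(values),
              "autorun_targets": autorun_targets(autorun_text)}
    strong = [p for p in report["files"] if p.lower() not in WEAK_FILES]
    title_hit = any(name == "Window Title" for _, name, _ in report["registry"])
    # A disabled Task Manager alone is not enough: administrators set that too.
    report["infected"] = bool(strong) or title_hit
    return report

def collect_live():
    """Gather the same evidence from the running host (registry only on Windows)."""
    existing = [p for p in IOC_FILES if os.path.exists(p)]
    values = {}
    if sys.platform == "win32":
        import winreg
        for key, name in IOC_REG:
            try:
                with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key.split("\\", 1)[1]) as h:
                    values[(key, name)] = winreg.QueryValueEx(h, name)[0]
            except OSError:
                pass
    autorun = ""
    if os.path.exists(r"C:\autorun.inf"):
        with open(r"C:\autorun.inf", errors="replace") as fh:
            autorun = fh.read()
    return existing, values, autorun

# Constructed sample evidence (not from a real host) showing what a hit looks like.
SAMPLE_FILES = [r"C:\WINDOWS\csrss.exe", r"C:\winlogon.exe", r"C:\autorun.inf",
                r"C:\WINDOWS\system32\csrss.exe"]  # last one is the legitimate binary
SAMPLE_REG = {(POLICY_KEY, "DisableTaskMgr"): 1, (POLICY_KEY, "DisableRegistryTools"): 0,
              (IE_MAIN_KEY, "Window Title"): IOC_TITLE}
SAMPLE_AUTORUN = "[AutoRun]\r\nopen=csrss.exe\r\nshell\\open\\command=csrss.exe\r\nicon=shell32.dll,4\r\n"

if __name__ == "__main__":
    evidence = collect_live() if sys.platform == "win32" else (SAMPLE_FILES, SAMPLE_REG, SAMPLE_AUTORUN)
    for field, value in assess(*evidence).items():
        print(f"{field}: {value}")
```

The verdict deliberately ignores a disabled Task Manager or Registry Editor on its own, since those policies are also set legitimately by administrators; a dropped binary at one of the listed non-system32 paths, or the worm's title string in the registry, is what decides. The legitimate csrss.exe in system32 in the sample is not reported, which is the distinction the Removal section relies on.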

Method of Infection

A user may be infected in different ways, such as:
- attaching a removable storage device that was previously connected to an infected computer; the worm copies itself to such devices, and the accompanying autorun.inf launches it when the device is attached to another system
- many such worms are additionally mass-spammed by the author to entice people into double-clicking on them
- alternatively, they may be installed by visiting a malicious web page, either by clicking on a link or because the website hosts a scripted exploit that installs the worm onto the user's system with no user interaction

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. Because the worm's files carry the names of core Windows processes, only the copies at the paths listed under Characteristics should be removed; the legitimate lsass.exe, csrss.exe, smss.exe and winlogon.exe in %SystemRoot%\system32 must stay. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

Variants