W32/Wart.A@mm

Aliases: Email-Worm.Win32.generic [KAV], W32.Rants.B@mm [SAV], W32/FlyVB-C [Sophos], W32/Generic.m [McAfee], W32/Wart.A-mm, WORM_FATSO.F [Trend]
Release Date: Jul 15, 2005

Detection Availability
               Active Database   Extended Database
  FortiGate    low               high
  FortiClient
  FortiMail    N/A
Current Antivirus Definition Database Version: 11.582
Description

Visible Symptoms

  • The file windows32.exe exists in the System folder.
  • Possible termination of the firewall or other security applications, including antivirus monitors.
  • Inability to connect with certain security related websites.

Detailed Analysis

  • Copies itself to the Windows folder as windows32.exe.


    Autostart Mechanism

  • Adds the following registry entry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      services = "%SYSTEM%\windows32.exe"

    Email Propagation

  • Gathers email addresses from the Microsoft Outlook Address Book and from files with the following extensions:

    • htt
    • htm
    • html
    • hta
    • hte
    • htx
    • shtml
    • stm
    • asp
    • xml
    • doc
    • rtf
    • txt
    • dbx
    • php
    • php3
    • phtml
    • jsp
    • sql
    • eml

  • Uses Microsoft Outlook to send a copy of itself as an attachment to all email addresses gathered. The email has the following format:

    From: one of the following:

    • update@symantec.com
    • update@microsoft.com
    • [Spoofed]

    Subject: one of the following:

    • Microsoft SP3 Update
    • Latest update [service pack 3]
    • Fwd: Microsoft SP3 Update
    • Latest Update

    Message Body: one of the following:

    • Microsoft SP3 Update Download It
    • Update your computer with the latest services pack from microsoft

    Attachment: one of the following:

    • windows32.EXE
    • SP3 UPDATE.EXE


    Propagation via MSN Messenger and America Online User Interface

  • Sends a message with a URL to online contacts via MSN Messenger or the America Online user interface. The following is the message that is sent:
    http://]j0{REMOVED}/lolcentral.php?vid0017 your pic it's funny lol :P

    Backdoor and/or Trojan Behavior

  • Modifies the following registry entries:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center
      FirewallDisableNotify = 1
      UpdatesDisableNotify = 1
      AntiVirusDisableNotify = 1
    HKEY_CURRENT_USER\Software\Microsoft\security center
      FirewallDisableNotify = 1
      UpdatesDisableNotify = 1
      AntiVirusDisableNotify = 1

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
      NoAutoUpdate = 1

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
      NMain.exe = 1
      taskmgr.exe = 1
      ZLCLIENT.EXE = 1

  • Attempts to terminate the following processes, some of which may be security related:

    • _AVPM.EXE
    • _AVPCC.EXE
    • ACKWIN32.EXE
    • AckWin32.EXE
    • ADVXDWIN.EXE
    • AGENTSVR.EXE
    • agentw.EXE
    • ALERTSVC.EXE
    • ALOGSERV.EXE
    • AMON9X.EXE
    • ANTI-TROJAN.EXE
    • ANTIVIRUS.EXE
    • ANTS.EXE
    • APIMONITOR.EXE
    • APLICA32.EXE
    • apvxdwin.EXE
    • APVXDWIN.EXE
    • ATCON.EXE
    • ATGUARD.EXE
    • ATGUARD.EXE
    • ATRO55EN.EXE
    • ATUPDATER.EXE
    • ATWATCH.EXE
    • AUPDATE.EXE
    • AUTODOWN.EXE
    • AutoTrace.EXE
    • AUTOUPDATE.EXE
    • AVCONSOL.EXE
    • AVGCC32.EXE
    • Avgctrl.EXE
    • AVGCTRL.EXE
    • AvgServ.EXE
    • AVGSERV.EXE
    • AVGSERV9.EXE
    • AVGW.EXE
    • avkpop.EXE
    • AvkServ.EXE
    • avkservice.EXE
    • avkwctl9.EXE
    • AVP.EXE
    • AVP32.EXE
    • AVPCC.EXE
    • AVPM.EXE
    • avpm.EXE
    • Avsched32.EXE
    • AVSYNMGR.EXE
    • AVWINNT.EXE
    • AVXMONITOR9X.EXE
    • AVXMONITORNT.EXE
    • AVXQUAR.EXE
    • AVXQUAR.EXE
    • AVXW.EXE
    • BD_PROFESSIONAL.EXE
    • BIDEF.EXE
    • BIDSERVER.EXE
    • BIPCP.EXE
    • BIPCPEVALSETUP.EXE
    • BISP.EXE
    • BLACKD.EXE
    • blackd.EXE
    • BLACKICE.EXE
    • BlackICE.EXE
    • BOOTWARN.EXE
    • BORG2.EXE
    • BS120.EXE
    • ccApp.EXE
    • ccEvtMgr.EXE
    • ccPxySvc.EXE
    • CDP.EXE
    • CFGWIZ.EXE
    • CFIADMIN.EXE
    • CFIAUDIT.EXE
    • CFINET.EXE
    • CFINET32.EXE
    • cleaner3.EXE
    • CLEANPC.EXE
    • CMGRDIAN.EXE
    • CMON016.EXE
    • CONNECTIONMONITOR.EXE
    • CPD.EXE
    • cpd.EXE
    • Claw95.EXE
    • CLAW95CF.EXE
    • Claw95cf.EXE
    • CLEAN.EXE
    • CLEANER.EXE
    • cleaner.EXE
    • CLEANER3.EXE
    • CPF9X206.EXE
    • CPFNT206.EXE
    • CTRL.EXE
    • CV.EXE
    • CV.EXE
    • CWNB181.EXE
    • CWNTDWMO.EXE
    • defalert.EXE
    • defscangui.EXE
    • DEFWATCH.EXE
    • DEPUTY.EXE
    • DOORS.EXE
    • DPF.EXE
    • DPFSETUP.EXE
    • DRWATSON.EXE
    • DRWEB32.EXE
    • DVP95.EXE
    • DVP95_0.EXE
    • EFPEADM.EXE
    • ENT.EXE
    • ESCANH95.EXE
    • ESCANHNT.EXE
    • ESCANV95.EXE
    • ETRUSTCIPE.EXE
    • ETRUSTCIPE.EXE
    • EVPN.EXE
    • EXANTIVIRUS-CNET.EXE
    • EXPERT.EXE
    • F-AGNT95.EXE
    • fameh32.EXE
    • FAST.EXE
    • fch32.EXE
    • fih32.EXE
    • FIREWALL.EXE
    • FLOWPROTECTOR.EXE
    • fnrb32.EXE
    • F-PROT.EXE
    • F-PROT95.EXE
    • FP-WIN.EXE
    • FP-WIN_TRIAL.EXE
    • FRW.EXE
    • fsaa.EXE
    • FSAV.EXE
    • fsav32.EXE
    • FSAV530STBYB.EXE
    • FSAV530WTBYB.EXE
    • FSAV95.EXE
    • fsgk32.EXE
    • fsm32.EXE
    • fsma32.EXE
    • fsmb32.EXE
    • F-STOPW.EXE
    • f-stopw.EXE
    • GBMENU.EXE
    • gbmenu.EXE
    • gbpoll.EXE
    • GBPOLL.EXE
    • GENERICS.EXE
    • GUARD.EXE
    • GUARDDOG.EXE
    • HACKTRACERSETUP.EXE
    • HTLOG.EXE
    • HWPE.EXE
    • IAMAPP.EXE
    • iamapp.EXE
    • IAMSERV.EXE
    • iamserv.EXE
    • IAMSTATS.EXE
    • ICLOAD95.EXE
    • ICLOADNT.EXE
    • ICMON.EXE
    • ICSUPP95.EXE
    • ICSUPPNT.EXE
    • IFACE.EXE
    • IFW2000.EXE
    • IOMON98.EXE
    • IPARMOR.EXE
    • IRIS.EXE
    • ISRV95.EXE
    • JAMMER.EXE
    • JEDI.EXE
    • KAVLITE40ENG.EXE
    • KAVPERS40ENG.EXE
    • KAVPF.EXE
    • KERIO-PF-213-EN-WIN.EXE
    • KERIO-WRL-421-EN-WIN.EXE
    • KERIO-WRP-421-EN-WIN.EXE
    • KILLPROCESSSETUP161.EXE
    • LDNETMON.EXE
    • LDPRO.EXE
    • LDPROMENU.EXE
    • LDSCAN.EXE
    • LOCALNET.EXE
    • LOCKDOWN.EXE
    • LOCKDOWN2000.EXE
    • lockdown2000.EXE
    • LSETUP.EXE
    • LUALL.EXE
    • LUAU.EXE
    • LUCOMSERVER.EXE
    • LUINIT.EXE
    • LUSPT.EXE
    • MCAGENT.EXE
    • MCMNHDLR.EXE
    • Mcshield.EXE
    • MCTOOL.EXE
    • MCUPDATE.EXE
    • MCVSRTE.EXE
    • MCVSSHLD.EXE
    • MFW2EN.EXE
    • MFWENG3.02D30.EXE
    • MGAVRTCL.EXE
    • MGAVRTE.EXE
    • MGHTML.EXE
    • MGUI.EXE
    • MINILOG.EXE
    • MONITOR.EXE
    • Monitor.EXE
    • MOOLIVE.EXE
    • MPFAGENT.EXE
    • MPFSERVICE.EXE
    • MPFTRAY.EXE
    • MRFLUX.EXE
    • MSCONFIG.EXE
    • MSINFO32.EXE
    • MSSMMC32.EXE
    • MU0311AD.EXE
    • MWATCH.EXE
    • MWATCH.EXE
    • NAV80TRY.EXE
    • navapsvc.EXE
    • NAVAPSVC.EXE
    • NAVAPW32.EXE
    • NAVDX.EXE
    • NAVLU32.EXE
    • NAVSTUB.EXE
    • NAVW32.EXE
    • Navw32.EXE
    • NAVWNT.EXE
    • NC2000.EXE
    • NCINST4.EXE
    • NDD32.EXE
    • NEOMONITOR.EXE
    • NeoWatchLog.EXE
    • NETARMOR.EXE
    • NETARMOR.EXE
    • NETINFO.EXE
    • NETMON.EXE
    • NETSCANPRO.EXE
    • NETSPYHUNTER-1.2.EXE
    • NETSTAT.EXE
    • NETUTILS.EXE
    • NISSERV.EXE
    • NISUM.EXE
    • NMAIN.EXE
    • NORMIST.EXE
    • NORTON_INTERNET_SECU_3.0_407.EXE
    • notstart.EXE
    • NPF40_TW_98_NT_ME_2K.EXE
    • NPFMESSENGER.EXE
    • NPROTECT.EXE
    • npscheck.EXE
    • NPSSVC.EXE
    • NSCHED32.EXE
    • ntrtscan.EXE
    • NTVDM.EXE
    • NTXconfig.EXE
    • Nui.EXE
    • Nupgrade.EXE
    • NVARCH16.EXE
    • NVC95.EXE
    • nvsvc32.EXE
    • NWINST4.EXE
    • NWService.EXE
    • NWTOOL16.EXE
    • OSTRONET.EXE
    • OUTPOST.EXE
    • OUTPOSTINSTALL.EXE
    • OUTPOSTPROINSTALL.EXE
    • PADMIN.EXE
    • PANIXK.EXE
    • pavproxy.EXE
    • PAVPROXY.EXE
    • PCC2002S902.EXE
    • PCC2K_76_1436.EXE
    • PCCIOMON.EXE
    • pccntmon.EXE
    • pccwin97.EXE
    • PCCWIN98.EXE
    • PCDSETUP.EXE
    • PCFWALLICON.EXE
    • PCFWALLICON.EXE
    • PCIP10117_0.EXE
    • pcscan.EXE
    • PDSETUP.EXE
    • PERISCOPE.EXE
    • PERSFW.EXE
    • PERSWF.EXE
    • PF2.EXE
    • PFWADMIN.EXE
    • PINGSCAN.EXE
    • PLATIN.EXE
    • POP3TRAP.EXE
    • POPROXY.EXE
    • POPSCAN.EXE
    • PORTDETECTIVE.EXE
    • PORTMONITOR.EXE
    • PPINUPDT.EXE
    • PPTBC.EXE
    • PPVSTOP.EXE
    • PROCESSMONITOR.EXE
    • PROCEXPLORERV1.0.EXE
    • PROGRAMAUDITOR.EXE
    • PROPORT.EXE
    • PROTECTX.EXE
    • PSPF.EXE
    • PURGE.EXE
    • PVIEW95.EXE
    • QCONSOLE.EXE
    • QSERVER.EXE
    • rapapp.EXE
    • RAV7.EXE
    • RAV7WIN.EXE
    • RAV8WIN32ENG.EXE
    • REALMON.EXE
    • REGEDIT.EXE
    • REGEDT32.EXE
    • RESCUE.EXE
    • RESCUE32.EXE
    • RRGUARD.EXE
    • RSHELL.EXE
    • RTVSCN95.EXE
    • RULAUNCH.EXE
    • SAFEWEB.EXE
    • SBSERV.EXE
    • sbserv.EXE
    • SCAN32.EXE
    • SCRSCAN.EXE
    • SD.EXE
    • SETUP_FLOWPROTECTOR_US.EXE
    • SETUPVAMEEVAL.EXE
    • SFC.EXE
    • SGSSFW32.EXE
    • SH.EXE
    • SHELLSPYINSTALL.EXE
    • SHN.EXE
    • SMC.EXE
    • SOFI.EXE
    • SPF.EXE
    • SPHINX.EXE
    • Sphinx.EXE
    • SPYXX.EXE
    • SS3EDIT.EXE
    • ST2.EXE
    • SUPFTRL.EXE
    • SUPPORTER5.EXE
    • SWEEP95.EXE
    • SweepNet
    • SWEEPSRV.SYS
    • SWNETSUP.EXE
    • SYMPROXYSVC.EXE
    • SymProxySvc.EXE
    • SYMTRAY.EXE
    • SYSEDIT.EXE
    • TASKMON.EXE
    • TAUMON.EXE
    • TC.EXE
    • TCA.EXE
    • TCM.EXE
    • TDS2-98.EXE
    • TDS2-NT.EXE
    • TDS-3.EXE
    • TFAK.EXE
    • TFAK5.EXE
    • TGBOB.EXE
    • TITANIN.EXE
    • TITANINXP.EXE
    • TRACERT.EXE
    • TRJSCAN.EXE
    • TRJSETUP.EXE
    • TROJANTRAP3.EXE
    • UNDOBOOT.EXE
    • UPDATE.EXE
    • VBCMSERV.EXE
    • vbcmserv.EXE
    • rtvscan.EXE
    • VBCONS.EXE
    • VbCons.EXE
    • VBUST.EXE
    • VBWIN9X.EXE
    • VBWINNTW.EXE
    • VCSETUP.EXE
    • VET32.EXE
    • VET32.EXE
    • VET95.EXE
    • Vet95.EXE
    • VETTRAY.EXE
    • VetTray.EXE
    • VFSETUP.EXE
    • VIR-HELP.EXE
    • VIRUSMDPERSONALFIREWALL.EXE
    • VNLAN300.EXE
    • VNPC3000.EXE
    • VPC32.EXE
    • VPC42.EXE
    • VPFW30S.EXE
    • VPTRAY.EXE
    • VSCENU6.02D30.EXE
    • VSCHED.EXE
    • VSECOMR.EXE
    • vshwin32.EXE
    • VSISETUP.EXE
    • VSMAIN.EXE
    • VSMON.EXE
    • vsmon.EXE
    • VSSTAT.EXE
    • VSWIN9XE.EXE
    • VSWINNTSE.EXE
    • VSWINPERSE.EXE
    • W32DSM89.EXE
    • W9X.EXE
    • WATCHDOG.EXE
    • WEBSCANX.EXE
    • WEBTRAP.EXE
    • WGFE95.EXE
    • WHOSWATCHINGME.EXE
    • WIMMUN32.EXE
    • WINRECON.EXE
    • WNT.EXE
    • WRADMIN.EXE
    • WrAdmin.EXE
    • WRCTRL.EXE
    • WrCtrl.EXE
    • WSBGATE.EXE
    • WYVERNWORKSFIREWALL.EXE
    • XPF202EN.EXE
    • ZAPRO.EXE
    • zapro.EXE
    • ZAPSETUP3001.EXE
    • ZATUTOR.EXE
    • ZAUINST.EXE
    • ZONALM2601.EXE
    • ZONEALARM.EXE
    • zonealarm.EXE
    • AVGNT.EXE
    • AVGUARD.EXE
    • AVWUPSRV.EXE
    • _avp*
    • ackwin32*
    • anti-trojan*
    • aplica32*
    • apvxdwin*
    • autodown*
    • avconsol*
    • ave32*
    • avgcc32*
    • avgctrl*
    • avgw*
    • avkserv*
    • avnt*
    • avp*
    • avsched32*
    • avwin95*
    • avwupd32*
    • blackd*
    • blackice*
    • bootwarn*
    • ccapp*
    • ccshtdwn*
    • cfiadmin*
    • cfiaudit*
    • cfind*
    • cfinet*
    • claw95*
    • dv95*
    • ecengine*
    • efinet32*
    • esafe*
    • espwatch*
    • f-agnt95*
    • findviru*
    • fprot*
    • f-prot*
    • fprot95*
    • f-prot95*
    • fp-win*
    • frw*
    • f-stopw*
    • gibe*
    • iamapp*
    • iamserv*
    • ibmasn*
    • ibmavsp*
    • icload95*
    • icloadnt*
    • icmon*
    • icmoon*
    • icssuppnt*
    • icsupp*
    • iface*
    • iomon98*
    • jedi*
    • kpfw32*
    • lockdown2000*
    • lookout*
    • luall*
    • moolive*
    • mpftray*
    • msconfig*
    • nai_vs_stat*
    • navapw32*
    • navlu32*
    • navnt*
    • navsched*
    • navw*
    • nisum*
    • nmain*
    • normist*
    • nupdate*
    • nupgrade*
    • nvc95*
    • outpost*
    • padmin*
    • pavcl*
    • pavsched*
    • pavw*
    • pcciomon*
    • pccmain*
    • pccwin98*
    • pcfwallicon*
    • persfw*
    • pop3trap*
    • pview*
    • rav*
    • regedit*
    • rescue*
    • safeweb*
    • serv95*
    • sphinx*
    • sweep*
    • tca*
    • tds2*
    • vcleaner*
    • vcontrol*
    • vet32*
    • vet95*
    • vet98*
    • vettray*
    • vscan*
    • vsecomr*
    • vshwin32*
    • vsstat*
    • webtrap*
    • wfindv32*
    • zapro*
    • zonealarm*
    • McVSEscn*
    • mcvsrte*
    • mcvsftsn*
    • mcvsshld*
    • ccapp
    • zlclient

  • Prevents the infected system from connecting to update servers and various other security related web pages by adding the following to the local HOSTS file:
    127.0.0.1 www.symantec.com
    127.0.0.1 securityresponse.symantec.com
    127.0.0.1 symantec.com
    127.0.0.1 www.sophos.com
    127.0.0.1 sophos.com
    127.0.0.1 www.mcafee.com
    127.0.0.1 mcafee.com
    127.0.0.1 liveupdate.symantecliveupdate.com
    127.0.0.1 www.viruslist.com
    127.0.0.1 viruslist.com
    127.0.0.1 f-secure.com
    127.0.0.1 www.f-secure.com
    127.0.0.1 kaspersky.com
    127.0.0.1 www.avp.com
    127.0.0.1 www.kaspersky.com
    127.0.0.1 avp.com
    127.0.0.1 www.networkassociates.com
    127.0.0.1 networkassociates.com
    127.0.0.1 www.ca.com
    127.0.0.1 ca.com
    127.0.0.1 mast.mcafee.com
    127.0.0.1 my-etrust.com
    127.0.0.1 www.my-etrust.com
    127.0.0.1 www.trendmicro.com
    127.0.0.1 trendmicro.com
    127.0.0.1 download.mcafee.com
    127.0.0.1 dispatch.mcafee.com
    127.0.0.1 secure.nai.com
    127.0.0.1 updates.symantec.com
    127.0.0.1 update.symantec.com
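As an added example (not Fortinet's or the page's own code), the following Python script triages a suspect host offline against the artefacts listed under Detailed Analysis: the `services` Run entry, the Security Center DisableNotify values, the DisallowRun and NoAutoUpdate policies, and the HOSTS file entries that pin vendor domains to 127.0.0.1. It parses the text of a `reg export` and of a HOSTS file; both inputs at the bottom are constructed samples, the function names are mine, and the extra black-hole addresses and the subset of the .reg grammar handled are assumptions noted in the comments.

```python
"""Offline triage for the host artefacts this page attributes to W32/Wart.A@mm.
Added example, not Fortinet's or the page's own tooling. Inputs are the text of a
suspect host's HOSTS file and of a `reg export` of the relevant keys (already
decoded to str); the samples at the bottom are constructed."""

# Registrable parts of the domains the page lists as redirected to 127.0.0.1.
VENDOR_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "avp.com",
    "networkassociates.com", "ca.com", "my-etrust.com", "trendmicro.com", "nai.com",
)
# Executables the page lists under the DisallowRun policy keys.
DISALLOWED_EXES = {"nmain.exe", "taskmgr.exe", "zlclient.exe"}
# The worm writes 127.0.0.1; ::1 and 0.0.0.0 are included as an assumption (same effect).
BLACKHOLE = {"127.0.0.1", "::1", "0.0.0.0"}
LEGIT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def hosts_redirects(hosts_text):
    """(hostname, address) pairs that pin a non-local name to a black-hole address."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(fields) < 2 or fields[0] not in BLACKHOLE:
            continue
        for name in fields[1:]:
            if name.lower() not in LEGIT_LOCAL_NAMES:
                hits.append((name.lower(), fields[0]))
    return hits


def is_vendor_domain(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in VENDOR_DOMAINS)


def parse_reg_export(reg_text):
    """Parse `reg export` text into {key_path_lower: {value_name_lower: raw_data}}.
    Handles only [key] headers and "name"=data lines; default values (@=) and
    hex continuation lines are skipped, and .reg escaping is left as-is."""
    tree, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            tree[current][name.strip('"').lower()] = data.strip().strip('"')
    return tree


def registry_findings(tree):
    """Match a parsed export against the registry changes the page describes."""
    found = []
    run = tree.get(r"hkey_local_machine\software\microsoft\windows\currentversion\run", {})
    for name, data in run.items():
        if "windows32.exe" in data.lower():        # the worm's autostart entry
            found.append(f"autostart: Run\\{name} = {data}")
    for hive in (r"hkey_local_machine\software", r"hkey_current_user\software"):
        root = hive.partition("\\")[0]
        centre = tree.get(hive + r"\microsoft\security center", {})
        for value in ("firewalldisablenotify", "updatesdisablenotify", "antivirusdisablenotify"):
            if centre.get(value, "").lower() == "dword:00000001":
                found.append(f"security center notifications off: {root} {value}")
        block = tree.get(hive + r"\microsoft\windows\currentversion\policies\explorer\disallowrun", {})
        for name, data in block.items():
            # The page writes these as `name = 1`; a real DisallowRun key stores the
            # executable as string data under numbered value names, so check both.
            exe = name if name in DISALLOWED_EXES else data.lower()
            if exe in DISALLOWED_EXES:
                found.append(f"disallowrun: {exe}")
    au = tree.get(r"hkey_current_user\software\policies\microsoft\windows\windowsupdate\au", {})
    if au.get("noautoupdate", "").lower() == "dword:00000001":
        found.append("windows update: NoAutoUpdate = 1")
    return found


def triage(hosts_text, reg_text):
    """All findings from both artefacts, one string per indicator matched."""
    findings = registry_findings(parse_reg_export(reg_text))
    for name, addr in hosts_redirects(hosts_text):
        tag = "vendor" if is_vendor_domain(name) else "other"
        findings.append(f"hosts: {name} -> {addr} ({tag})")
    return findings


# Constructed samples: an infected-looking HOSTS file and a partial reg export.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 update.symantec.com   # trailing comment
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"services"="C:\\WINDOWS\\system32\\windows32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="taskmgr.exe"
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_HOSTS, SAMPLE_REG):
        print(line)
```

On a live Windows host the two inputs would come from `reg export` of the keys above and from `%SystemRoot%\System32\drivers\etc\hosts`; a .reg file written by Windows is UTF-16 with a BOM, so decode it before passing the text in. Remediation is the reverse of the findings: remove the Run value, restore the DisableNotify and NoAutoUpdate values, delete the DisallowRun entries, and strip the vendor lines from HOSTS, then re-run the check.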
Description Last Updated Date: Sep 15, 2006
Reference: ID - 66469