When this e-threat is executed, it drops a randomly named DLL file (for example 97a2ljq.tmp) in the current user's temporary folder.
It then infects several DLL files in the system32 folder so that it is executed again after a reboot, and calls an exported function of the dropped DLL to delete its own original file.
Once loaded, the DLL tries to terminate processes belonging to several antivirus products and to download further malware from locations such as:
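A dropped DLL keeps its PE structure whatever extension it is given, so a ".tmp" in the user's temporary folder that parses as a DLL image is worth flagging. The following is an added example (not code from the BitDefender write-up) that walks the MZ/PE headers, checks the IMAGE_FILE_DLL flag in the COFF Characteristics field, and reports files whose name does not say ".dll" but whose header does; the sample listing and the header-only stub images are constructed here, and the file name 97a2ljq.tmp is taken from the description above.

```python
import os
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag: the image is a DLL


def pe_info(data):
    """Return (is_pe, is_dll) for a file's leading bytes by walking the MZ/PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return (False, False)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return (False, False)
    # COFF file header follows the 4-byte signature; Characteristics is its last field (offset 18).
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    return (True, bool(characteristics & IMAGE_FILE_DLL))


def build_stub_pe(is_dll):
    """Constructed header-only PE image used as sample input; it is not a runnable binary."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff


def suspicious_temp_files(listing):
    """listing: iterable of (filename, bytes). Flag DLL images whose name does not end in .dll."""
    hits = []
    for name, data in listing:
        is_pe, is_dll = pe_info(data)
        if is_dll and not name.lower().endswith(".dll"):
            hits.append(name)
    return hits


def scan_directory(path, max_header=4096):
    """Live-system variant: read the first bytes of each regular file in `path` and flag them.
    Reading only the first 4 KiB is enough for real-world images, whose PE header sits near the start."""
    listing = []
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False):
            try:
                with open(entry.path, "rb") as fh:
                    listing.append((entry.name, fh.read(max_header)))
            except OSError:
                continue
    return suspicious_temp_files(listing)


if __name__ == "__main__":
    # Constructed sample listing: a renamed DLL, a plain scratch file and a non-DLL executable.
    sample = [
        ("97a2ljq.tmp", build_stub_pe(True)),
        ("notes.tmp", b"plain text scratch file"),
        ("setup.exe", build_stub_pe(False)),
    ]
    print(suspicious_temp_files(sample))
```

On a real system, call scan_directory on the user's temporary folder (tempfile.gettempdir() on Windows resolves to %TEMP%); a hit is a starting point for analysis, not proof of infection, since installers also stage DLLs there.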
Discovered on 2 December by BitDefender, this worm spreads through well-known peer-to-peer applications and e-mail spam.
After decrypting its content, the worm queries www.whatismyip.com to learn the public IP address of the newly infected system. It then harvests e-mail addresses from Thunderbird, MS Outlook and other files on the system.
It creates registry values to ensure that it starts again after a reboot.
It also lowers the victim's security settings by editing the following registry entries:
The worm is also meant to set the registry key:
but because of a bug in its code it does not do so correctly.
These registry settings allow the malware to download and execute files from the Internet without any notification to the user. It also adds itself to the firewall's list of authorized applications.
Meanwhile, another component, detected as Backdoor.Bot.67413, is loaded. It has backdoor capabilities: it logs everything the user types, saves the keystrokes to a file (drm.ocx) and uploads that file to a server at regular intervals.
The worm spreads in three ways:
- by copying itself to the shared folders of peer-to-peer applications such as Kazaa, DC++, eMule, Morpheus and Tesla, using "hot" file names like:
"XP PRO Corp SP3 valid-key generator.exe"
"Kaspersky Internet Security 2009 keygen.exe"
"Tuneup Ultilities 2008.exe"
"Joannas Horde Leveling Guide TBC Woltk.exe"
"Wow WoLTk keygen generator-sfx.exe"
"FOOTBALL MANAGER 2009.exe"
"Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe"
"Half life 3 preview 10 minutes gameplay video.exe"
ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent – P.I.M.P, Jennifer Lopez Feat. Ll Cool J – All I Have, 50 Cent – 21 Question).exe"
"Ultimate ring tones package2 (Lil Wayne – Way Of Life,Khia – My Neck My Back Like My Pussy And My Crack,Mario – Let Me Love You,R. Kelly – The Worlds
"Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin,
"Norton Anti-Virus 2009 Enterprise Crack.exe"
- by copying itself to any removable media connected to the system, together with an "autorun.inf" file that launches the worm when the device is plugged into another system;
- by e-mail spam, using its own SMTP engine and the addresses it harvested earlier. The messages arrive in three formats, with subjects such as:
Subject: "Mcdonalds wishes you Merry Christmas!"
Subject: "Coca Cola is proud to accounce our new Christmas Promotion."
Subject: "You've received A
The attachments are compressed zip files containing the worm.
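The first two spreading vectors (lure-named executables in P2P shared folders, and autorun.inf files on removable media) can be checked for with one scan. The following is an added example, not the researchers' code: it parses the [autorun] section of an autorun.inf for the keys that launch a program (open=, shellexecute= and shell\<verb>\command=), applies a keyword and double-extension heuristic to executable names drawn from the list quoted above, and reports both. The sample file set, its dummy contents and the RECYCLER\update.exe path in the sample autorun.inf are constructed for the example; the lure-word list is a heuristic, not a signature, and will miss names such as "FOOTBALL MANAGER 2009.exe".

```python
import re

EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Words that recur in the lure names quoted above; a heuristic, not a signature.
LURE_WORDS = ("keygen", "crack", "generator", "valid-key", "ring tones",
              "gameplay video", "preview", "sfx", "powerpack")
# A media/document extension right before the executable one ("clip.avi.exe").
MEDIA_EXT = r"\.(mp3|avi|wmv|mpg|jpg|gif|pdf|doc|txt|zip|rar)$"


def parse_autorun(inf_text):
    """Return the key/value pairs of the [autorun] section, keys lower-cased."""
    section, entries = None, {}
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(value):
    """Program path from a command line: a quoted path, or the first whitespace-separated word."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    parts = value.split()
    return parts[0] if parts else ""


def autorun_targets(inf_text):
    """Programs an autorun.inf would launch via open=, shellexecute= or shell\\<verb>\\command=."""
    targets = []
    for key, value in parse_autorun(inf_text).items():
        launches = key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))
        if launches:
            target = first_token(value)
            if target and target not in targets:
                targets.append(target)
    return targets


def is_lure_name(filename):
    """Executable whose name reads like a keygen, crack, media file or other P2P bait."""
    name = filename.lower()
    if not name.endswith(EXEC_EXT):
        return False
    stem = name.rsplit(".", 1)[0]
    return any(w in stem for w in LURE_WORDS) or re.search(MEDIA_EXT, stem) is not None


def scan_files(files):
    """files: mapping of path -> bytes (constructed here; on a live system read them from disk).
    Returns (kind, path, detail) findings in listing order."""
    findings = []
    for path, content in files.items():
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower() == "autorun.inf":
            for target in autorun_targets(content.decode("latin-1", "replace")):
                if target.lower().endswith(EXEC_EXT):
                    findings.append(("autorun", path, target))
        elif is_lure_name(base):
            findings.append(("lure", path, base))
    return findings


# Constructed sample: an infected USB stick plus an eMule share (file bodies are dummies).
SAMPLE_FILES = {
    "E:/autorun.inf": b"[autorun]\r\nopen=RECYCLER\\update.exe\r\n"
                      b"shell\\open\\command=RECYCLER\\update.exe\r\n"
                      b"icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n",
    "E:/RECYCLER/update.exe": b"MZ dummy",
    "C:/Program Files/eMule/Incoming/Kaspersky Internet Security 2009 keygen.exe": b"MZ dummy",
    "C:/Program Files/eMule/Incoming/Half life 3 preview 10 minutes gameplay video.exe": b"MZ dummy",
    "C:/Program Files/eMule/Incoming/ubuntu-8.10.iso": b"dummy",
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

The autorun parser deliberately ignores icon= and label= entries, which are harmless on their own, and reports a launch target only once even when several keys point at the same program, as infected autorun.inf files commonly do.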
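For the third vector, a mail gateway can act on the two properties described above: a known lure subject and a zip attachment that carries an executable. The following is an added example (not part of the BitDefender description) that parses a raw message, matches the subject against the two complete subjects quoted above (the third is cut off on the page and is left out), and opens each zip attachment to look for executable members. The sample message, its addresses and its zip contents are constructed here; the zip holds a harmless stub, not the worm.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subjects quoted in the write-up, matched case-insensitively as substrings.
LURE_SUBJECTS = (
    "mcdonalds wishes you merry christmas",
    "coca cola is proud to accounce our new christmas promotion",
)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
ZIP_TYPES = ("application/zip", "application/x-zip-compressed")


def executables_in_zip(blob):
    """Names of executable members in a zip blob; a corrupt or non-zip blob yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def classify(raw):
    """Reasons to quarantine a raw RFC 5322 message; an empty list means nothing matched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").lower()
    reasons = []
    if any(lure in subject for lure in LURE_SUBJECTS):
        reasons.append("known lure subject")
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if part.get_content_type() in ZIP_TYPES or filename.endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            members = executables_in_zip(payload)
            if members:
                reasons.append("zip attachment carries executable: " + ", ".join(members))
    return reasons


def build_sample():
    """Constructed lure message in the style of the campaign; the zip member is a dummy stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("christmas_card.exe", b"MZ stub, not a real program")
    m = EmailMessage()
    m["From"] = "promo@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Mcdonalds wishes you Merry Christmas!"
    m.set_content("Open the attached card.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="card.zip")
    return m.as_bytes()


if __name__ == "__main__":
    for reason in classify(build_sample()):
        print(reason)
```

Checking the members of the zip rather than the attachment's declared type is what matters here: the sender controls the Content-Type header and the outer file name, but not what zipfile finds inside the archive.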
The information in this article is available courtesy of BitDefender virus researchers Marius Tivadar and Deac Razvan-Ioan.