 


VIRUS NAME : W32/Floodnet@MM




Virus Characteristics

This threat has a risk assessment of Low-Profiled, because media interest was sparked by a recent news report on Incidents.org.

This is a remote access trojan and worm. When run, it attempts to send a message to the alias "All Users" using Microsoft Outlook. If this address is not present in a local or global address book, or not an alias on the specified SMTP server, then the message will not get sent. Otherwise, the following message is sent:

Subject: Thoughts...
Body: I just found this program, and, i dont know why...but it reminded me of you. check it out.
Attachment: Cute.exe (228,352 bytes)

When the attachment is run, a copy is saved to the WINDOWS directory and 2 registry keys are created:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows=C:\WINDOWS\KERNEL32.EXE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows=C:\WINDOWS\KERNEL32.EXE
Two INI keys are also created:
  • SYSTEM.INI - [boot]\shell=explorer.exe C:\WINDOWS\KERNEL32.EXE
  • WIN.INI - [windows]\load=C:\WINDOWS\KERNEL32.EXE
The worm looks for the following security programs (including anti-virus and firewall programs) in memory and terminates them if found:
  • Anti-Trojan.exe
  • ANTS.EXE
  • APLICA32.EXE
  • AVCONSOL.EXE
  • AVP.EXE
  • AVP32.EXE
  • AVP32.EXE
  • AVPCC.EXE
  • AVPCC.EXE
  • AVPM.EXE
  • AVPM.EXE
  • blackd.exe
  • blackice.exe
  • CFIADMIN.EXE
  • CFIAUDIT.EXE
  • CFINET.EXE
  • CFINET32.EXE
  • cleaner.exe
  • cleaner3.exe
  • expl32.exe
  • FRW.EXE
  • iamapp.exe
  • iamserv.exe
  • ICLOAD95.EXE
  • ICLOADNT.EXE
  • ICMON.EXE
  • ICSUPP95.EXE
  • ICSUPPNT.EXE
  • IFACE.EXE
  • LIBUPDATE.EXE
  • lockdown2000.exe
  • minilog.exe
  • MooLive.exe
  • MPGSRV32.EXE
  • Mssmmc32.exe
  • NAVAPW32.EXE
  • NAVW32.EXE
  • nvarch16.exe
  • PCFWallIcon.EXE
  • RunDii.exe
  • RunDIl.exe
  • rundli.exe
  • SAFEWEB.EXE
  • Sphinx.exe
  • tca.exe
  • TDS2-.EXE
  • TDS2-.EXE
  • TEMP.EXE
  • VSECOMR.EXE
  • VSHWIN32.EXE
  • vsmon.exe
  • VSSTAT.EXE
  • WEBSCANX.EXE
  • WinDll.exe
  • WrAdmin.exe
  • WrCtrl.exe
  • zonealarm.exe
Terminating these programs helps conceal the actions of this threat. The .VX extension is also registered on the system:
  • HKEY_CLASSES_ROOT\.vx\(Default)=exefile
  • HKEY_CLASSES_ROOT\.vx\Content Type=application/x-msdownload
  • HKEY_CLASSES_ROOT\.vx\NeverShowExt=
An attacker can send various commands to the infected machine. The commands include:
  • Sending instant messages via MSN Messenger and AOL Instant Messenger
  • Sending email
  • Flood commands, to initiate a denial of service attack
  • Various IRC commands (join/part channels, privmsg, etc)
  • FTP commands (file access, copy, move, delete)


Symptoms

  • Presence of %WinDir%\KERNEL32.EXE (228,352 bytes)
  • A fake error message may be displayed
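
The autostart and .vx entries listed under Virus Characteristics can be checked offline against copies of SYSTEM.INI, WIN.INI and a registry export. The following is an added example, not part of the original description; the function names, the dictionary layout used for registry data and all sample inputs are assumptions constructed for illustration.

```python
MARKER = "kernel32.exe"  # dropped file name from the description; the real kernel32 is a DLL
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
VX_KEY = r"HKEY_CLASSES_ROOT\.vx"

def ini_value(text, section, key):
    """Return the value of key in [section], matched case-insensitively, or ''."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line and not line.startswith(";"):
            name, value = line.split("=", 1)
            if name.strip().lower() == key:
                return value.strip()
    return ""

def find_indicators(system_ini, win_ini, registry):
    # registry: {key path: {value name: data}}; key paths are case-insensitive
    reg = {k.lower(): v for k, v in registry.items()}
    hits = []
    if MARKER in ini_value(system_ini, "boot", "shell").lower():
        hits.append("SYSTEM.INI [boot] shell")
    if MARKER in ini_value(win_ini, "windows", "load").lower():
        hits.append("WIN.INI [windows] load")
    for key in RUN_KEYS:
        if MARKER in reg.get(key.lower(), {}).get("Windows", "").lower():
            hits.append(key + "\\Windows")
    vx = reg.get(VX_KEY.lower(), {})
    # .vx mapped to exefile with NeverShowExt runs as a program while hiding its extension
    if vx.get("(Default)", "").lower() == "exefile" and "NeverShowExt" in vx:
        hits.append(VX_KEY)
    return hits

# Constructed sample inputs (not taken from a real machine).
INFECTED_SYSTEM_INI = "[boot]\nshell=explorer.exe C:\\WINDOWS\\KERNEL32.EXE\n"
INFECTED_WIN_INI = "[windows]\nload=C:\\WINDOWS\\KERNEL32.EXE\nrun=\n"
INFECTED_REG = {
    RUN_KEYS[0]: {"Windows": r"C:\WINDOWS\KERNEL32.EXE"},
    RUN_KEYS[1]: {"Windows": r"C:\WINDOWS\KERNEL32.EXE"},
    VX_KEY: {"(Default)": "exefile", "Content Type": "application/x-msdownload", "NeverShowExt": ""},
}
CLEAN_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n[386Enh]\ndevice=*vshare\n"
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n"

if __name__ == "__main__":
    print(find_indicators(INFECTED_SYSTEM_INI, INFECTED_WIN_INI, INFECTED_REG))
```

Matching on the file name rather than the full C:\WINDOWS path also covers systems where %WinDir% points elsewhere.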


Method Of Infection

This virus arrives as a UPX-packed Delphi executable. When run, it acts as a remote access server and worm.


 

 

 