

VIRUS NAME : W32/Sowsat@MM




Virus Characteristics

This email virus sends itself to addresses extracted from .HTM* files in the Windows directory of the victim machine.

The worm is also capable of spreading via IRC, via a dropped SCRIPT.INI file, which is detected as Mirc/Generic with the 4149 DATs or later.

The worm contains its own SMTP engine, and uses a public SMTP server (address hardcoded within the worm) for mailing. It may arrive in an email formatted in a number of ways:

From: Screensaver-Demo coder (DEMOS@SCREENSAVE.ORG)
Subject: Kewl FX screensaver
Attachment: setupc.exe
Body: A nice FX-screensaver.Better than the last one!

From: AVP-Team (AVP.MAILER@AVP.COM)
Subject: AVP-Virus-Warning
Attachment: setupc.exe
Body: New virus in "The Wild" called "W32/Cow".Spreads through e-mail and IRC.A solution is this free program.Send this message to your friends. Thank you, AVP

From: Your friend (JOHN@YAHOO.COM)
Subject: My cool, litle program
Attachment: setupc.exe
Body: Something I programmed.It's really cool!

From: Crazy Games inc. -New gaming company (Crazygames@crazygamez.com)
Subject: freeware nice game
Attachment: setupc.exe
Body: hya, chaeck this cool freeware!

The worm contains the string:

I-Worm/Cow
[Team A] kicks [Team B]'s ass!


Symptoms

  • Existence of the following Registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
    "Cow" = Moooo
  • Existence of the Registry keys detailed in the 'Method of Infection' section.
  • Two identical files named SETUPC.EXE and SYSCn.EXE in the Windows directory, whose size matches that listed above.
  • Existence of the archive OSCn.ZIP in the Windows directory, containing a copy of SYSC3.EXE (where 'n' is a digit 0-9).

Method Of Infection

The worm copies itself to the Windows directory as SETUPC.EXE and SYSCn.EXE (n = digit 0-9), and modifies the Registry to run SYSCn.EXE on subsequent system startup, for example:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "Cow" = C:\WINDOWS\SYSC3.EXE
  • Upon restarting, the worm mails itself to email addresses extracted from *.HTM* files in the Windows directory (recursive).
  • The worm checks if WinZip is installed on the victim machine, and, if so, creates a further copy of itself in an archive by setting a Registry key to run WinZip at next startup. The archive, named OSCn.ZIP (n = digit 0-9), is created in the Windows directory.
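
The file and Registry indicators listed under Symptoms and Method Of Infection can be combined into a single host check. The following is an added example, not part of the original description: the function name, finding labels and sample data are constructed, and it assumes the caller has already collected the Windows directory listing (with a content hash per file) and the values of the Run key.

```python
import re
from pathlib import PureWindowsPath

# Names from the description above; n is a digit 0-9.
SYSC = re.compile(r"^SYSC[0-9]\.EXE$", re.I)
ARCHIVE = re.compile(r"^OSC[0-9]\.ZIP$", re.I)


def check_host(file_hashes, run_values):
    """Return findings as (indicator, detail) tuples.

    file_hashes: {file name in the Windows directory: content hash}
    run_values:  {value name: command} read from
                 HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    """
    findings = []
    by_name = {name.upper(): digest for name, digest in file_hashes.items()}
    setupc = by_name.get("SETUPC.EXE")
    for name, digest in sorted(by_name.items()):
        if SYSC.match(name):
            # The description says SETUPC.EXE and SYSCn.EXE are identical.
            if setupc is not None and digest == setupc:
                findings.append(("identical worm copies", f"SETUPC.EXE == {name}"))
            else:
                findings.append(("suspicious file name", name))
        elif ARCHIVE.match(name):
            findings.append(("WinZip archive", name))
    for value_name, command in run_values.items():
        target = PureWindowsPath(command.strip().strip('"')).name
        # Registry value names are case-insensitive.
        if value_name.lower() == "cow" or SYSC.match(target):
            findings.append(("Run key autostart", f"{value_name} = {command}"))
    return findings


# Constructed sample data (not taken from a real host).
SAMPLE_FILES = {
    "notepad.exe": "aa11", "setupc.exe": "9f3c", "SYSC3.EXE": "9f3c",
    "OSC3.ZIP": "51d0", "SYSCON.EXE": "77e2",
}
SAMPLE_RUN = {
    "Cow": r"C:\WINDOWS\SYSC3.EXE",
    "SystemTray": "SysTray.Exe",
}

if __name__ == "__main__":
    for indicator, detail in check_host(SAMPLE_FILES, SAMPLE_RUN):
        print(f"{indicator}: {detail}")
```

A SETUPC.EXE with no SYSCn.EXE beside it is not reported, since that name alone is not specific to this worm.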


 