From: Sophos Alert System

Name: W32/Ahker-F
Aliases: Email-Worm.Win32.Anker.g, WORM_AHKER.F
Type: Win32 worm
Date: 31 March 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Information about W32/Ahker-F can be found at:
http://www.sophos.com/virusinfo/analyses/w32ahkerf.html

W32/Ahker-F is a mass-mailing and P2P worm. W32/Ahker-F may also attempt to spread via mIRC.

W32/Ahker-F will mail itself out to email addresses found on an infected computer. W32/Ahker-F will arrive as a ZIP attachment to an email. The characteristics of the email will be as follows:

Attachment name: "Clip.zip"

Subject: Service pack 2 update! Read this for your own good!: Service pack 2 bug! Read! hurry! before it's too late! Microsoft windows service pack 2 bug!: Microsoft's worst mistake! Read this for your PC safety! Please READ! Nice! ...HOT!! Free! Read it! Read this TWICE! Believe it or not! Oh hell its true! RATED 21!

From: Administrator@xxxxxxxxxxxx
Body:
Hey buddy, Check out this new porn clip of Britney Sprers! Very Short but HOT!! DOWNLOAD IT and WATCH IT!
Adminstrator

From: owner@xxxxxxxxxxxx
Body:
Hello! Paris Hilton new SEX TAPE has been released! In the attachment you will find some short quick scenes(HOT!!) that I liked the most!! Download it! I know its SHORT but at least youve watched the HOTTEST parts of it!
Owner

From: Clip@xxxxxxxxxxxxxx
Body:
Hi... Watch this and tell me what you think! Download it! Its short but its VERY HOT!
Clip Owner

From: Admin@xxxxxxxxxxxxxxxxx
Body:
Hell yeah...it's Pam!
Watch this latest clip of Pamela Anderson! You will find the clip in the attachment! Enjoy!
Admin

From: cought@xxxxxxxxxxxxx
Body:
Hi, Watch Angelina Jolie and Brad Pitt cought on TAPE! SEXY CLIP! WATCH IT!
Admin and Owner

W32/Ahker-F will attempt to spread through P2P file sharing networks by copying itself to shared folders with the following filenames:

Paris-Hilton.exe
Britney_porno.exe
PamelaAnderson.exe
wwedivas.exe
Porn_Celeb.exe
parishilton.exe
Sex.exe
Porn.exe
Paris Hilton.exe
PORNO.exe
XXX.exe
Naked WWE Divas.exe
Naked Britney.exe
Naked Celebrity.exe
Celeb uncensord.exe
SUCK.exe
Nude Britney.exe

W32/Ahker-F will attempt to spread as NUDE BRITNEY.EXE via mIRC by modifying mirc.ini.

When first run, W32/Ahker-F will copy itself to the user's Startup folder as SVCHOST-.EXE. The worm will also copy itself to %HOMEDRIVE%\LSASS.EXE.

In order to run automatically each time a user logs in, W32/Ahker-F will set the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LSA Shell (Export Version) = %HOMEDRIVE%\LSASS.exe

W32/Ahker-F will associate itself with the opening of text files by setting the following registry entry:

HKCR\txtfile\Shell\open\command
    @ = %HOMEDRIVE%\LSASS.exe %1

W32/Ahker-F will download a ZIP copy of itself from a website in order to send out via email. W32/Ahker-F will also download and run an executable file, currently also detected as W32/Ahker-F. This file will be copied to the user's Startup folder.
W32/Ahker-F will attempt to change the computer name to "Agent Hacker".

W32/Ahker-F will attempt to terminate the following processes:

i11r54n4.exe
irun4.exe
d3dupdate.exe
rate.exe
ssate.exe
winsys.exe
ccApp.exe
winupd.exe
SysMonXP.exe
bbeagle.exe
Penis32.exe
teekids.exe
MSBLAST.exe
mscvb32.exe
sysinfo.exe
PandaAVEngine.exe
taskmon.exe
wincfg32.exe
outpost.exe
zonealarm.exe
navapw32.exe
navw32.exe
zapro.exe
msblast.exe
netstat.exe
dap.exe

W32/Ahker-F will append the following lines to the HOSTS file in order to deny access to certain websites:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 grisoft.com
127.0.0.1 windowsupdate.microsoft.com

W32/Ahker-F will set the following registry entries:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\systemrestore
    DisableSR = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoRun = 1
    DisallowRun = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
    1 = regedit.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
    2 = notepad.exe
    3 = wordpad.exe
    4 = write.exe
    5 = wuauclt.exe
    6 = wupdmgr.exe
    7 = msnmsgr.exe
    8 = LUALL.exe
    9 = AUPDATE.exe
    10 = ALUNOTIFY.exe
    12 = DAP.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr = 1
    DisableRegistryTools = 1

HKCU\Software\Microsoft\security center
    FirewallDisableNotify = 1
    UpdatesDisableNotify = 1
    AntiVirusDisableNotify = 1

HKCU\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall = 1

HKCU\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall = 1

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate = 1
    AUOptions = 1

HKLM\SOFTWARE\Microsoft\security center
    FirewallDisableNotify = 1
    UpdatesDisableNotify = 1
    AntiVirusDisableNotify = 1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall = 1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall = 1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    AUOptions = 1
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate = 1

HKLM\SOFTWARE\speedBit\Download Accelerator
    BrowserIntegration = 0

W32/Ahker-F will set the following registry entries, depending on the current state of the worm:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
    11 = svchost-.exe

W32/Ahker-F will attempt a Denial of Service (DoS) attack against www.windowsupdate.microsoft.com and www.rohitab.com.

Periodically, W32/Ahker-F will attempt to shut down the computer.

W32/Ahker-F will create a file named C:\Ahker.F.dat with the following text:

Don't blame me, Agent Hacker for creating these worms. BLAME www.rohitab.com!

W32/Ahker-F will append a number of system files with vanity text:

%SYSTEM%\firewall.dll with "Agent Hacker rules!"
%SYSTEM%\hal.dll with "Genes don't contain any record of humain history, you'll NEVER catch me!(Agent Hacker - Bazzi)"
%SYSTEM%\svcpack.dll with a URL

This IDE file also includes detection for:

Troj/Bdoor-GN
http://www.sophos.com/virusinfo/analyses/trojbdoorgn.html

W32/Sdbot-AVX
http://www.sophos.com/virusinfo/analyses/w32sdbotavx.html

W32/Sdbot-WP
http://www.sophos.com/virusinfo/analyses/w32sdbotwp.html

Troj/Dloader-KJ
http://www.sophos.com/virusinfo/analyses/trojdloaderkj.html

Troj/LowZone-V
http://www.sophos.com/virusinfo/analyses/trojlowzonev.html

Troj/Multidr-CV
http://www.sophos.com/virusinfo/analyses/trojmultidrcv.html

Troj/Chimo-B
http://www.sophos.com/virusinfo/analyses/trojchimob.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/ahker-f.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file.
The file is available in two formats:

Zip file: http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
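The advisory above lists two host-based indicators that are easy to check offline: HOSTS lines that pin security-vendor and update sites to 127.0.0.1, and registry policy values that disable Task Manager, regedit, System Restore and automatic updates. The following is an added triage example, not Sophos code; it works on HOSTS file text and a registry export expressed as a dict, and the sample inputs are constructed.

```python
# Added example, not from the Sophos advisory: offline triage of two indicators it
# describes, HOSTS entries that pin vendor/update sites to 127.0.0.1 and registry
# policy values that disable Task Manager, regedit, System Restore and updates.
SECURITY_SITES = (  # domains the advisory lists; suffix match so www.* hits too
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "grisoft.com", "windowsupdate.microsoft.com",
)
# (key path, value name) -> data the worm writes, taken from the advisory.
POLICY_INDICATORS = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 1,
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\systemrestore", "DisableSR"): 1,
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate"): 1,
}

def hijacked_hosts(hosts_text):
    """Sorted hostnames that HOSTS maps to loopback and that belong to SECURITY_SITES."""
    hits = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tolerate any whitespace
        if len(fields) < 2 or fields[0] not in ("127.0.0.1", "0.0.0.0", "::1"):
            continue
        for name in fields[1:]:
            n = name.lower()
            if any(n == d or n.endswith("." + d) for d in SECURITY_SITES):
                hits.add(n)
    return sorted(hits)

def policy_tampering(registry):
    """registry: {key_path: {value_name: data}} from an export, matched case-insensitively.
    Returns 'key\\value = data' for every indicator present with the worm's data."""
    norm = {k.lower(): {v.lower(): d for v, d in vals.items()} for k, vals in registry.items()}
    return [f"{k}\\{v} = {bad}" for (k, v), bad in POLICY_INDICATORS.items()
            if norm.get(k.lower(), {}).get(v.lower()) == bad]

# Constructed sample input, not data from a real host.
SAMPLE_HOSTS = """# hosts file with worm-appended lines
127.0.0.1 localhost
127.0.0.1 www.sophos.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 windowsupdate.microsoft.com   # appended by the worm
192.168.1.10 intranet.example
"""
SAMPLE_REG = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableTaskMgr": 1},
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU": {"NoAutoUpdate": 0},
}
```

On a Windows host, feed `hijacked_hosts` the contents of %SystemRoot%\System32\drivers\etc\hosts and `policy_tampering` a dict built from a `reg export` of the listed keys; a non-empty result from either is worth a closer look even before signature-based scanning.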