[virusinfo] W32/Ahker-F

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Thu, 31 Mar 2005 10:32:10 -0800

From: Sophos Alert System:

Name: W32/Ahker-F
Aliases: Email-Worm.Win32.Anker.g, WORM_AHKER.F
Type: Win32 worm
Date: 31 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.


Information about W32/Ahker-F can be found at:
http://www.sophos.com/virusinfo/analyses/w32ahkerf.html

W32/Ahker-F is a mass-mailing and P2P worm. W32/Ahker-F may also attempt to
spread via Mirc.

W32/Ahker-F will mail itself out to email addresses found on an infected
computer.

W32/Ahker-F will arrive as a ZIP attachment to an email. The characteristics of
the email will be as follows:

Attachment name: "Clip.zip"

Subject:
  Service pack 2 update!
  Read this for your own good!:
  Service pack 2 bug!
  Read! hurry! before it's too late!
  Microsoft windows service pack 2 bug!:
  Microsoft's worst mistake!
  Read this for your PC safety!
  Please READ!
  Nice!
  ...HOT!!
  Free!
  Read it!
  Read this TWICE!
  Believe it or not!
  Oh hell its true!
  RATED 21!

From: Administrator@xxxxxxxxxxxx
Body:
  Hey buddy,
  Check out this new porn clip of Britney Sprers!
  Very Short but HOT!!
  DOWNLOAD IT and WATCH IT!
  Adminstrator

From: owner@xxxxxxxxxxxx
Body:
  Hello!
  Paris Hilton new SEX TAPE has been released!
  In the attachment you will find some short quick scenes(HOT!!) that I liked the
  most!!
  Download it! I know its SHORT but at least youve watched the HOTTEST parts of
  it!
  Owner

From: Clip@xxxxxxxxxxxxxx
Body:
  Hi...
  Watch this and tell me what you think!
  Download it! Its short but its VERY HOT!
  Clip Owner

From: Admin@xxxxxxxxxxxxxxxxx
Body:
  Hell yeah...it's Pam!
  Watch this latest clip of Pamela Anderson!
  You will find the clip in the attachment! Enjoy!
  Admin

From: cought@xxxxxxxxxxxxx
Body:
  Hi,
  Watch Angelina Jolie and Brad Pitt cought on TAPE!
  SEXY CLIP! WATCH IT!
  Admin and Owner
W32/Ahker-F will attempt to spread through P2P file sharing networks by copying
itself to shared folders with the following filenames:
  Paris-Hilton.exe
  Britney_porno.exe
  PamelaAnderson.exe
  wwedivas.exe
  Porn_Celeb.exe
  parishilton.exe
  Sex.exe
  Porn.exe
  Paris Hilton.exe
  PORNO.exe
  XXX.exe
  Naked WWE Divas.exe
  Naked Britney.exe
  Naked Celebrity.exe
  Celeb uncensord.exe
  SUCK.exe
  Nude Britney.exe

W32/Ahker-F will attempt to spread as NUDE BRITNEY.EXE via Mirc by modifying
mirc.ini.
When first run, W32/Ahker-F will copy itself to the user's Startup folder as
SVCHOST-.EXE. The worm will also copy itself to %HOMEDRIVE%\LSASS.EXE. In order
to run automatically each time a user logs in, W32/Ahker-F will set the
following registry entry:
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LSA Shell (Export Version) = %HOMEDRIVE%\LSASS.exe

W32/Ahker-F will associate itself with the opening of text files by setting the
following registry entry:
  HKCR\txtfile\Shell\open\command
    @ = %HOMEDRIVE%\LSASS.exe %1

W32/Ahker-F will download a ZIP copy of itself from a website in order to send
out via email. W32/Ahker-F will also download and run an executable file,
currently also detected as W32/Ahker-F. This file will be copied to the user's
Startup folder.

W32/Ahker-F will attempt to change the computer name to "Agent Hacker".
W32/Ahker-F will attempt to terminate the following processes:
  i11r54n4.exe
  irun4.exe
  d3dupdate.exe
  rate.exe
  ssate.exe
  winsys.exe
  ccApp.exe
  winupd.exe
  SysMonXP.exe
  bbeagle.exe
  Penis32.exe
  teekids.exe
  MSBLAST.exe
  mscvb32.exe
  sysinfo.exe
  PandaAVEngine.exe
  taskmon.exe
  wincfg32.exe
  outpost.exe
  zonealarm.exe
  navapw32.exe
  navw32.exe
  zapro.exe
  msblast.exe
  netstat.exe
  dap.exe
W32/Ahker-F will append the following lines to the HOSTS file in order to deny
access to certain websites:
  127.0.0.1 www.symantec.com
  127.0.0.1 securityresponse.symantec.com
  127.0.0.1 symantec.com
  127.0.0.1 www.sophos.com
  127.0.0.1 sophos.com
  127.0.0.1 www.mcafee.com
  127.0.0.1 mcafee.com
  127.0.0.1 liveupdate.symantecliveupdate.com
  127.0.0.1 www.viruslist.com
  127.0.0.1 viruslist.com
  127.0.0.1 www.f-secure.com
  127.0.0.1 f-secure.com
  127.0.0.1 kaspersky.com
  127.0.0.1 kaspersky-labs.com
  127.0.0.1 www.avp.com
  127.0.0.1 avp.com
  127.0.0.1 www.kaspersky.com
  127.0.0.1 www.networkassociates.com
  127.0.0.1 networkassociates.com
  127.0.0.1 www.ca.com
  127.0.0.1 ca.com
  127.0.0.1 mast.mcafee.com
  127.0.0.1 www.my-etrust.com
  127.0.0.1 my-etrust.com
  127.0.0.1 download.mcafee.com
  127.0.0.1 dispatch.mcafee.com
  127.0.0.1 secure.nai.com
  127.0.0.1 www.nai.com
  127.0.0.1 nai.com
  127.0.0.1 update.symantec.com
  127.0.0.1 updates.symantec.com
  127.0.0.1 us.mcafee.com
  127.0.0.1 liveupdate.symantec.com
  127.0.0.1 customer.symantec.com
  127.0.0.1 rads.mcafee.com
  127.0.0.1 www.trendmicro.com
  127.0.0.1 trendmicro.com
  127.0.0.1 www.grisoft.com
  127.0.0.1 grisoft.com
  127.0.0.1 windowsupdate.microsoft.com
W32/Ahker-F will set the following registry entries (key, then value name =
data):
  HKCU\Software\Microsoft\Windows NT\CurrentVersion\systemrestore
    DisableSR = 1
  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoRun = 1
    DisallowRun = 1
  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
    1 = regedit.exe
    2 = notepad.exe
    3 = wordpad.exe
    4 = write.exe
    5 = wuauclt.exe
    6 = wupdmgr.exe
    7 = msnmsgr.exe
    8 = LUALL.exe
    9 = AUPDATE.exe
    10 = ALUNOTIFY.exe
    12 = DAP.exe
  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr = 1
    DisableRegistryTools = 1
  HKCU\Software\Microsoft\security center
    FirewallDisableNotify = 1
    UpdatesDisableNotify = 1
    AntiVirusDisableNotify = 1
  HKCU\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall = 1
  HKCU\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall = 1
  HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate = 1
    AUOptions = 1
  HKLM\SOFTWARE\Microsoft\security center
    FirewallDisableNotify = 1
    UpdatesDisableNotify = 1
    AntiVirusDisableNotify = 1
  HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall = 1
  HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall = 1
  HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    AUOptions = 1
    NoAutoUpdate = 1
  HKLM\SOFTWARE\speedBit\Download Accelerator
    BrowserIntegration = 0

W32/Ahker-F will set the following registry entries, depending on the current
state of the worm:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
    11 = svchost-.exe
W32/Ahker-F will attempt a Denial of Service (DoS) attack against
www.windowsupdate.microsoft.com and www.rohitab.com.

Periodically, W32/Ahker-F will attempt to shut down the computer.

W32/Ahker-F will create a file named C:\Ahker.F.dat with the following text:
  Don't blame me, Agent Hacker for creating these worms. BLAME www.rohitab.com!

W32/Ahker-F will append a number of system files with vanity text:
  %SYSTEM%\firewall.dll with "Agent Hacker rules!"
  %SYSTEM%\hal.dll with: "Genes don't contain any record of humain history,
  you'll NEVER catch me!(Agent Hacker - Bazzi)"
  %SYSTEM%\svcpack.dll with a URL

This IDE file also includes detection for:

Troj/Bdoor-GN
http://www.sophos.com/virusinfo/analyses/trojbdoorgn.html
W32/Sdbot-AVX
http://www.sophos.com/virusinfo/analyses/w32sdbotavx.html
W32/Sdbot-WP
http://www.sophos.com/virusinfo/analyses/w32sdbotwp.html
Troj/Dloader-KJ
http://www.sophos.com/virusinfo/analyses/trojdloaderkj.html
Troj/LowZone-V
http://www.sophos.com/virusinfo/analyses/trojlowzonev.html
Troj/Multidr-CV
http://www.sophos.com/virusinfo/analyses/trojmultidrcv.html
Troj/Chimo-B
http://www.sophos.com/virusinfo/analyses/trojchimob.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/ahker-f.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html


*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
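The two host-level changes the advisory describes that survive a reboot and keep a machine from updating or reporting are the HOSTS-file entries and the policy registry values. The script below is an added example, not Sophos's or the list's code: it checks a HOSTS file for the advisory's 40 domains pinned to a loopback address, rebuilds the file without only those names (so a legitimate alias sharing a line is kept), and compares a registry snapshot against the tamper values the advisory lists. The HOSTS text, the registry snapshot dictionary and the `*.example.test` names are constructed sample data; the domain list and registry paths are the advisory's.

```python
"""Defender-side checks for the W32/Ahker-F host tampering in the advisory.

Added example (not Sophos's code). Domains and registry values are from the
advisory; SAMPLE_HOSTS and SAMPLE_REGISTRY are constructed for the demo.
"""
import ipaddress

# All 40 domains the advisory says the worm pins to 127.0.0.1.
AHKER_F_HOSTS_DOMAINS = frozenset("""
www.symantec.com securityresponse.symantec.com symantec.com www.sophos.com
sophos.com www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com
www.viruslist.com viruslist.com www.f-secure.com f-secure.com kaspersky.com
kaspersky-labs.com www.avp.com avp.com www.kaspersky.com
www.networkassociates.com networkassociates.com www.ca.com ca.com
mast.mcafee.com www.my-etrust.com my-etrust.com download.mcafee.com
dispatch.mcafee.com secure.nai.com www.nai.com nai.com update.symantec.com
updates.symantec.com us.mcafee.com liveupdate.symantec.com
customer.symantec.com rads.mcafee.com www.trendmicro.com trendmicro.com
www.grisoft.com grisoft.com windowsupdate.microsoft.com
""".split())

# Constructed HOSTS contents: stock header, a legitimate local alias, then
# worm-style entries, one of them sharing a line with a legitimate name.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "10.0.0.5        intranet.example.test   # legitimate local alias\n"
    "127.0.0.1 www.symantec.com\n"
    "127.0.0.1 liveupdate.symantecliveupdate.com\n"
    "127.0.0.1 windowsupdate.microsoft.com\n"
    "127.0.0.1 sophos.com www.sophos.com build.example.test\n"
    "127.0.0.1 www.example.test\n"
)


def _is_loopback(addr):
    """True for 127.0.0.0/8 or ::1; False for anything that is not an IP."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def _split_hosts_line(raw):
    """Return (address, [hostnames], trailing comment) for one HOSTS line."""
    body, sep, comment = raw.partition("#")
    parts = body.split()
    if len(parts) < 2:
        return None, [], sep + comment
    return parts[0], parts[1:], sep + comment


def find_ahker_f_blocks(text, watchlist=AHKER_F_HOSTS_DOMAINS):
    """Return [(line_no, hostname)] for watch-listed names sent to loopback."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        addr, names, _ = _split_hosts_line(raw)
        if addr is None or not _is_loopback(addr):
            continue  # only null-routing to loopback is the worm's pattern
        hits.extend((no, n) for n in names if n.lower() in watchlist)
    return hits


def clean_hosts(text, watchlist=AHKER_F_HOSTS_DOMAINS):
    """Drop only the worm-added names; a mixed line keeps its other names."""
    out = []
    for raw in text.splitlines():
        addr, names, comment = _split_hosts_line(raw)
        if addr is not None and _is_loopback(addr):
            keep = [n for n in names if n.lower() not in watchlist]
            if not keep:
                continue  # every name on the line was worm-added: drop it
            if len(keep) != len(names):
                raw = f"{addr} {' '.join(keep)}" + (f" {comment}" if comment else "")
        out.append(raw)
    return "\n".join(out) + "\n"


# (key, value name) -> data, as the advisory lists them (unambiguous ones only).
AHKER_F_POLICY_VALUES = {
    (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\systemrestore", "DisableSR"): 1,
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 1,
    (r"HKCU\Software\Microsoft\security center", "AntiVirusDisableNotify"): 1,
    (r"HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate"): 1,
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate"): 1,
}

# Constructed snapshot of exported values; one is present but not tampered.
SAMPLE_REGISTRY = {
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"): 0,
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate"): 1,
}


def find_policy_tampering(snapshot):
    """Return sorted [(key, name, data)] matching the advisory's tamper values."""
    want = {(k.lower(), n.lower()): v for (k, n), v in AHKER_F_POLICY_VALUES.items()}
    hits = []
    for (key, name), data in snapshot.items():
        if want.get((key.lower(), name.lower())) == data:
            hits.append((key, name, data))
    return sorted(hits)


if __name__ == "__main__":
    for line_no, host in find_ahker_f_blocks(SAMPLE_HOSTS):
        print(f"HOSTS line {line_no}: {host} pinned to loopback")
    for key, name, data in find_policy_tampering(SAMPLE_REGISTRY):
        print(f"registry: {key}\\{name} = {data}")
```

Matching is on a loopback destination plus an exact domain name, so a normal `127.0.0.1 localhost` line or an unrelated local alias is never flagged, and the cleaner rewrites rather than deletes a line that mixes worm-added and legitimate names. On a live Windows host the HOSTS text would come from `%SystemRoot%\System32\drivers\etc\hosts` and the snapshot from a registry export; both are passed in as plain data here so the checks run anywhere.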
