From: Sophos Alert System

Name: W32/Assiral-B
Type: Win32 worm
Date: 1 March 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the April 2005 (3.92) release of Sophos Anti-Virus. Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Note: The IDE issued for W32/Assiral-B at 13:35 GMT on 01 March 2005 also contained detection for W32/Infor-Zip, Troj/Dloader-IK, Troj/Banker-GQ, W32/Sdbot-VS, Troj/Bancos-BG and W32/Jeans-A. This IDE has now been updated to enhance detection of W32/Jeans-A.

Information about W32/Assiral-B can be found at:
http://www.sophos.com/virusinfo/analyses/w32assiralb.html

W32/Assiral-B is a mass-mailing worm.

W32/Assiral-B copies itself to the Windows system folder with the filenames CmdPrompt32.pif and MSLARISSA.pif, and to the Windows folder with the filename SP00Lsv32.pif.

W32/Assiral-B then sets the following entries in the registry so as to run the copies on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSLARISSA
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cinnabd Prompt32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\(L4r1$$4) (4nt1) (V1ruz)

W32/Assiral-B also attempts to copy itself to removable, fixed and remote drives with the filename LOVE_LETTER_FOR_YOU.pif.
W32/Assiral-B searches for email addresses in files of type *.HT* in the current folder, in the Windows folder, and in the folder found at the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal

W32/Assiral-B sends itself to the addresses it finds in emails with the following characteristics:

From address: MSLarissa@xxxxxxxxx

Subject line from the following list:

Re: Message
Re: Letter
Re: Information
I LOVE YOU
Re: Your Documents
Re: Account Info
Windows Update
Re: My Letter
Re: Docs
Re: Your Email Info

Message text from the following list:

The message is located in the attachments.
The letter you requested is in the attachments.
Information attached.
Kindly read and reply to my LOVE LETTER in the attachments :-)
The documents you requested are in the attachments.
Info reguarding your Email account is in the attachments.
Dear Windows User, Please download the windows updated included in the attachments.
My letter is in the attachments.
Please read the documents included in the attachments
Your email account is about to expire, please check the attachments for details.

Attachment name from the following list:

Message.exe
Letter.exe
Information.exe
LOVE_LETTER_FOR_YOU.exe
Documents.exe
Attached_Message.exe
Microsoft_Update.exe
Private_Letter.exe
Private_Document.exe
Important_Message.exe

W32/Assiral-B attempts to terminate a number of processes related to security and anti-virus programs.
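The sender, subject and attachment lists above are exactly the kind of static indicators a mail gateway or a mailbox triage script can match on. The following is an added example, not Sophos code and not part of the alert: it parses an RFC 822 message with Python's standard email library and reports which of the alert's indicators are present. The sender domain is redacted in the alert, so only the local-part "MSLarissa" is compared; the sample message built by build_sample() is constructed for this example (dummy domain, placeholder attachment bytes), not a real capture. It goes slightly beyond the alert by also flagging any other .exe attachment, since the lure depends on the user opening one.

```python
"""Flag mail that matches the W32/Assiral-B mailing characteristics given in
the Sophos alert: sender local-part, subject line and attachment file name.

Added illustration for the alert text; not Sophos code. The sample message in
build_sample() is constructed for this example, not a real capture.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators copied from the alert. The sender domain is redacted there, so
# only the local-part is compared (case-insensitively).
ASSIRAL_SENDER_LOCALPART = "mslarissa"
ASSIRAL_SUBJECTS = {
    "Re: Message", "Re: Letter", "Re: Information", "I LOVE YOU",
    "Re: Your Documents", "Re: Account Info", "Windows Update",
    "Re: My Letter", "Re: Docs", "Re: Your Email Info",
}
ASSIRAL_ATTACHMENTS = {
    "Message.exe", "Letter.exe", "Information.exe", "LOVE_LETTER_FOR_YOU.exe",
    "Documents.exe", "Attached_Message.exe", "Microsoft_Update.exe",
    "Private_Letter.exe", "Private_Document.exe", "Important_Message.exe",
}


def assiral_indicators(raw: bytes) -> list[str]:
    """Return the Assiral-B indicators present in one RFC 822 message.

    An empty list means nothing matched. A .exe attachment that is not on the
    alert's list is still reported, since the worm's lure relies on the user
    opening an executable attachment.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []

    localpart = parseaddr(str(msg.get("From", "")))[1].split("@")[0].lower()
    if localpart == ASSIRAL_SENDER_LOCALPART:
        hits.append(f"sender local-part {localpart!r}")

    subject = str(msg.get("Subject", "")).strip()
    if subject in ASSIRAL_SUBJECTS:
        hits.append(f"subject {subject!r}")

    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name in ASSIRAL_ATTACHMENTS:
            hits.append(f"attachment {name!r}")
        elif name.lower().endswith(".exe"):
            hits.append(f"unlisted executable attachment {name!r}")
    return hits


def build_sample() -> bytes:
    """Construct a message shaped like the alert's description. The domain is
    a dummy and the attachment body is placeholder bytes, not worm code."""
    m = EmailMessage()
    m["From"] = "MSLarissa@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "Re: Account Info"
    m.set_content("Info reguarding your Email account is in the attachments.")
    m.add_attachment(b"\x00placeholder\x00", maintype="application",
                     subtype="octet-stream", filename="Private_Document.exe")
    return m.as_bytes()


if __name__ == "__main__":
    for hit in assiral_indicators(build_sample()):
        print(hit)
```

Run stand-alone it prints three lines for the constructed sample (sender, subject, attachment). Feeding it a mailbox is a matter of calling assiral_indicators() on each message's raw bytes; the subject and attachment sets are deliberately exact-match so that a legitimate "Windows Update" subject without an executable attachment produces only a single, low-weight hit.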
W32/Assiral-B drops and runs a file C:\WINDOWS\WinVBS.vbs, also detected as W32/Assiral-B, which attempts to set the following registry entries to restrict the user's activity on the infected machine:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = 67108863
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = 1

W32/Assiral-B attempts to load a hidden instance of Microsoft Internet Explorer and to load a file at http://www.geocities.com/mslarissac.

W32/Assiral-B attempts to delete all DLL and EXE files from the folders C:\WINDOWS\System32, C:\WINDOWS\System and C:\WINDOWS.

W32/Assiral-B may display fake error message boxes with the title "System Error" and the text "Invalid memory address: Program terminating."

W32/Assiral-B drops 3 files: C:\MESSAGE_TO_USER.txt, C:\MESSAGE_TO_AVs.txt and MESSAGE_TO_BROPIA.txt.

C:\MESSAGE_TO_USER.txt contains the following text:

Greetz to infected user!
I will survive,
In this moment in time.
Your computer will crash,
So, you will be mine.
I will not crash,
I will not fail.
So, in this moment in time,
I will survive...
- LARISSA AUTHOR : 2-24-05

C:\MESSAGE_TO_AVs.txt contains the following text:

Greetz to AVs!
I wanna be in AV industry when I grow up :-)
----------------------------------------
- LARISSA AUTHOR : 2-24-05

MESSAGE_TO_BROPIA.txt contains the following text:

Hey Bropia.. stop making MSN worms it's stupid... ... lol
-- Larissa Anti Bropia...
-- Saving the world from BROPIA!!!
- LARISSA AUTHOR : 2-24-05

This IDE file also includes detection for:

W32/Infor-Zip
http://www.sophos.com/virusinfo/analyses/w32inforzip.html
Troj/Dloader-IK
http://www.sophos.com/virusinfo/analyses/trojdloaderik.html
Troj/Banker-GQ
http://www.sophos.com/virusinfo/analyses/trojbankergq.html
W32/Sdbot-VS
http://www.sophos.com/virusinfo/analyses/w32sdbotvs.html
Troj/Bancos-BG
http://www.sophos.com/virusinfo/analyses/trojbancosbg.html
W32/Jeans-A
http://www.sophos.com/virusinfo/analyses/w32jeansa.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/assira-b.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

Zip file: http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
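The alert above gives two sets of registry indicators worth checking on a suspect machine: the three HKLM Run entries that restart the worm's .pif copies, and the five HKCU policy values that WinVBS.vbs sets to lock the user out (NoRun, DisableRegistryTools, NoDrives, WinOldApp\Disabled, NoAdminPage). The following is an added example for both passages, not Sophos code and not part of Mike's newsletter: it parses a .reg export of the relevant keys and reports every indicator found. The NoDrives value 67108863 is 0x03FFFFFF, a bitmask with bits 0 to 25 set, which hides all 26 drive letters A: to Z: in Explorer; the example decodes the mask so the finding is self-explanatory. SAMPLE_EXPORT is a constructed dump: the value names and data come from the alert, while the image paths behind each Run entry and the benign "SomeUpdater" entry are assumed.

```python
"""Check a Windows registry export (.reg text) for the W32/Assiral-B
persistence entries under the Run key and the user-policy lockdown values
that its dropped WinVBS.vbs sets, as listed in the Sophos alert.

Added illustration for the alert text; not Sophos code. SAMPLE_EXPORT is a
constructed dump: the value names and DWORD data come from the alert, while
the image paths and the benign "SomeUpdater" entry are assumed.
"""
import re

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies"

# Run-key value names the alert lists as persistence entries (HKLM).
ASSIRAL_RUN_VALUES = {"MSLARISSA", "Cinnabd Prompt32", "(L4r1$$4) (4nt1) (V1ruz)"}

# (hive-relative key, value name) -> DWORD data set by WinVBS.vbs (HKCU).
ASSIRAL_POLICIES = {
    (POLICIES + r"\Explorer", "NoRun"): 1,
    (POLICIES + r"\System", "DisableRegistryTools"): 1,
    (POLICIES + r"\Explorer", "NoDrives"): 67108863,   # 0x03FFFFFF: bits 0-25, drives A: to Z:
    (POLICIES + r"\WinOldApp", "Disabled"): 1,
    (POLICIES + r"\System", "NoAdminPage"): 1,
}

# Constructed export. Image paths are assumed; "SomeUpdater" is a benign decoy.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSLARISSA"="C:\\WINDOWS\\System32\\MSLARISSA.pif"
"Cinnabd Prompt32"="C:\\WINDOWS\\System32\\CmdPrompt32.pif"
"(L4r1$$4) (4nt1) (V1ruz)"="C:\\WINDOWS\\SP00Lsv32.pif"
"SomeUpdater"="C:\\Program Files\\Vendor\\upd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDrives"=dword:03ffffff

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"NoAdminPage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp]
"Disabled"=dword:00000001
"""

_KEY_RE = re.compile(r"\[(?:HKEY_[A-Z_]+|HK[A-Z]{2})\\(.+)\]")
_VALUE_RE = re.compile(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))')


def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """Parse the .reg subset used here: [hive\\key] headers, "name"="string"
    and "name"=dword:hex lines. Returns {hive_relative_key: {name: data}}."""
    tree: dict[str, dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if (m := _KEY_RE.fullmatch(line)):
            current = tree.setdefault(m.group(1), {})
        elif (m := _VALUE_RE.fullmatch(line)) and current is not None:
            name, string, dword = m.groups()
            # .reg escapes backslashes inside strings; undo that for comparison.
            current[name] = int(dword, 16) if dword else string.replace("\\\\", "\\")
    return tree


def nodrives_letters(mask: int) -> str:
    """Drive letters hidden by an Explorer NoDrives bitmask (bit 0 = A:, bit 25 = Z:)."""
    return "".join(chr(ord("A") + i) for i in range(26) if mask >> i & 1)


def assiral_registry_findings(tree: dict[str, dict[str, object]]) -> list[str]:
    """Return one readable finding per Assiral-B indicator present in `tree`."""
    findings = []
    for name, data in tree.get(RUN_KEY, {}).items():
        if name in ASSIRAL_RUN_VALUES:
            findings.append(f"Run entry {name!r} -> {data!r}")
    for (key, name), expected in ASSIRAL_POLICIES.items():
        data = tree.get(key, {}).get(name)
        if data == expected:
            leaf = key.split("\\")[-1]
            detail = f" (hides {nodrives_letters(data)})" if name == "NoDrives" else ""
            findings.append(f"policy {leaf}\\{name} = {data}{detail}")
    return findings


if __name__ == "__main__":
    for finding in assiral_registry_findings(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

On a real machine the export would come from reg.exe (one export per key above) rather than the embedded sample; the parser deliberately handles only string and DWORD values, which is all these indicators need. Because DisableRegistryTools blocks the interactive Registry Editor, an export-and-parse approach of this kind, or remediation from a clean boot environment, is what a responder actually has to fall back on once the policy values are in place.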