From: Sophos Alert System

Name: W32/Capside-C
Aliases: P2P-Worm.Win32.Capside.c, WORM_CASPID.C, Win32/Capside.C
Type: Win32 worm
Date: 12 March 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Information about W32/Capside-C can be found at:
http://www.sophos.com/virusinfo/analyses/w32capsidec.html

W32/Capside-C is a worm for the Windows platform.

The worm copies itself to the Windows system folder as Ireul.pif, NETINSTALLDRV.EXE, WINAPLOGUPD.COM and XPEXTRATDLL.SCR.

W32/Capside-C creates several copies of itself in shared folders of common Peer to Peer (P2P) applications such as eDonkey, Limewire and Morpheus. The worm uses the following filenames:

The worm also spreads through network shares and through Internet Relay Chat (IRC) client applications.

W32/Capside-C modifies the system files autoexec.bat and win.ini in order to start up automatically when a user logs on.

When first run, the worm displays a fake error message that reads "Impossible to open the file, this total or partially damaged."

The worm also displays the following text:

<******************GEDZAC LABS******************>
Win32.Ireul.a By MachineDramon/GEDZAC
Worm de Mensageria: Msn, Yahoo, AIM, Icq, Mirc (Resultara?)
Ireul = Angel del Miedo
Cometario Politico:
Toledo, hazle un favor al Peru, Matate
EEUU jamas podras barrer todo la arena del desierto

The worm may create or modify the following registry entries:

HKCR\batfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\exefile\shell\open\command
HKCR\keyfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\regfile\shell\open\command
HKCR\scrfile\shell\open\command
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System
HKLM\Software\Gedzac\Ireul
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    WINAPLOGUPD "WINAPLOGUPD.EXE"

This IDE file also includes detection for:

W32/Assiral-C
http://www.sophos.com/virusinfo/analyses/w32assiralc.html
Troj/Botget-A
http://www.sophos.com/virusinfo/analyses/trojbotgeta.html
Troj/IRCBot-AA
http://www.sophos.com/virusinfo/analyses/trojircbotaa.html
Troj/PPdoor-C
http://www.sophos.com/virusinfo/analyses/trojppdoorc.html
Troj/PPdoor-B
http://www.sophos.com/virusinfo/analyses/trojppdoorb.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/capsid-c.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
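
Added example, not part of the Sophos alert or of any Sophos tool: a small audit of a regedit text export against the registry locations the alert lists. It flags "open" handlers that differ from the stock Windows command, the WINAPLOGUPD Run value, and the HKLM\Software\Gedzac\Ireul key. The function names, the stock-default baseline and the sample export are assumptions made for this example.

```python
import re

# Stock Windows "open" commands for the handler classes named in the alert (assumed
# baseline; keyfile is skipped because no stock default is assumed for it).
EXPECTED_OPEN = {
    "batfile": '"%1" %*', "comfile": '"%1" %*', "exefile": '"%1" %*',
    "piffile": '"%1" %*', "scrfile": '"%1" /S', "regfile": 'regedit.exe "%1"',
}
RUN_KEY = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run"
MARKER_KEY = "hkey_local_machine\\software\\gedzac\\ireul"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse regedit export text into {lowercased key: {value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
    return keys

def audit(text):
    """Return (kind, item, data) findings for the registry locations in the alert."""
    keys, findings = parse_reg(text), []
    for cls, expected in EXPECTED_OPEN.items():
        cmd = keys.get(f"hkey_classes_root\\{cls}\\shell\\open\\command", {}).get("@")
        if cmd is not None and cmd.strip().lower() != expected.lower():
            findings.append(("handler", cls, cmd))  # default command was replaced
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == "winaplogupd":
            findings.append(("run", name, data))  # autostart value named in the alert
    if MARKER_KEY in keys:
        findings.append(("marker", MARKER_KEY, ""))  # key only the worm would create
    return findings

# Constructed sample; the exefile command is a placeholder, not a value from the alert.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\placeholder\\unexpected.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINAPLOGUPD"="WINAPLOGUPD.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Gedzac\Ireul]
'''

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so decode the file before passing its text to audit().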