[virusinfo] W32/Capside-C

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Sat, 12 Mar 2005 10:57:24 -0800


From: Sophos Alert System:

Name: W32/Capside-C
Aliases: P2P-Worm.Win32.Capside.c, WORM_CASPID.C, Win32/Capside.C
Type: Win32 worm
Date: 12 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Information about W32/Capside-C can be found at:
http://www.sophos.com/virusinfo/analyses/w32capsidec.html

W32/Capside-C is a worm for the Windows platform.

The worm copies itself to the Windows system folder as Ireul.pif,
NETINSTALLDRV.EXE, WINAPLOGUPD.COM and XPEXTRATDLL.SCR.

W32/Capside-C creates several copies of itself in shared folders of common Peer
to Peer (P2P) applications such as eDonkey, Limewire and Morpheus. The worm
uses the following filenames:
ACDSee 5.5.exe
AOL Instant Messenger.exe
AVP Antivirus Pro Key Crack.exe
Age of Empires 2 crack.exe
Ana Kournikova Sex Video.exe
Animated Screen 7.0b.exe
AquaNox2 Crack.exe
Audiograbber 2.05.exe
BabeFest 2003 ScreenSaver 1.5.exe
Babylon 3.50b reg_crack.exe
Battlefield1942_bloodpatch.exe
Battlefield1942_keygen.exe
Britney Spears Sex Video.exe
Buffy Vampire Slayer Movie.exe
Business Card Designer Plus 7.9.exe
Clone CD 5.0.0.3 (crack).exe
Clone CD 5.0.0.3.exe
Coffee Cup Free zip 7.0b.exe
Cool Edit Pro v2.55.exe
Crack Passwords Mail.exe
Credit Card Numbers generator(incl Visa,MasterCard,...).exe
Cristina Aguilera Sex Video.exe
DVD Copy Plus v5.0.exe
DVD Region-Free 2.3.exe
Diablo 2 Crack.exe
DirectDVD 5.0.exe
DirectX Buster (all versions).exe
DirectX InfoTool.exe
DivX Video Bundle 6.5.exe
Download Accelerator Plus 6.1.exe
Edonkey2000-Speed me up scotty.exe
FIFA2003 crack.exe
Final Fantasy VII XP Patch 1.5.exe
Flash MX crack (trial).exe
FlashGet 1.5.exe
FreeRAM XP Pro 1.9.exe
GTA 3 Crack.exe
GTA 3 Serial.exe
Game Cube Real Emulator.exe
GetRight 5.0a.exe
Global DiVX Player 3.0.exe
Gothic2 licence.exe
Guitar Chords Library 5.5.exe
Hentai Anime Girls Movie.exe
Hitman_2_no_cd_crack.exe
Hot Babes XXX Screen Saver.exe
HotGirls.exe
Hotmail Hacker 2003-Xss Exploit.exe
ICQ Pro 2003a.exe
ICQ Pro 2003b (new beta).exe
IrfanView 4.5.exe
Jenifer Lopez Sex Video.exe
KaZaA Hack 2.5.0.exe
KaZaA Speedup 3.6.exe
Kazaa SDK + Xbit speedUp for 2.xx.exe
Links 2003 Golf game (crack).exe
Living Waterfalls 1.3.exe
MSN Messenger 5.2.exe
Mafia_crack.exe
Matrix Movie.exe
Matrix Screensaver 1.5.exe
Mcafee Antivirus Scan Crack.exe
MediaPlayer Update.exe
Microsoft KeyGenerator-Allmost all microsoft stuff.exe
NBA2003_crack.exe
NHL 2003 crack.exe
Need 4 Speed crack.exe
Nero Burning ROM crack.exe
Netbios Nuker 2003.exe
Netfast 1.8.exe
Network Cable e ADSL Speed 2.0.5.exe
Nimo CodecPack (new) 8.0.exe
Norton Anvirus Key Crack.exe
PS2 PlayStation Simulator.exe
PalTalk 5.01b.exe
Panda Antivirus Titanium Crack.exe
Per Antivirus 8.7.exe
Pop-Up Stopper 3.5.exe
Popup Defender 6.5.exe
Quick Time Key Crack.exe
QuickTime_Pro_Crack.exe
Sakura Card Captor Movie.exe
Screen saver christina aguilera naked.exe
Screen saver christina aguilera.exe
Security-2003-Update.exe
Serials 2003 v.8.0 Full.exe
Sex Live Simulator.exe
Sex Passwords.exe
SmartFTP 2.0.0.exe
SmartRipper v2.7.exe
Space Invaders 1978.exe
Spiderman Movie.exe
Splinter_Cell_Crack.exe
Starcraft serial.exe
Start Wars Trilogy Movies.exe
Steinberg_WaveLab_5_crack.exe
Stripping MP3 dancer+crack.exe
Thalia Sex Video.exe
The Hacker Antivirus 5.7.exe
Trillian 0.85 (free).exe
TweakAll 3.8.exe
UT2003_bloodpatch.exe
UT2003_keygen.exe
UT2003_no cd (crack).exe
UT2003_patch.exe
Unreal2_bloodpatch.exe
Unreal2_crack.exe
Virtua Girl (Full).exe
VirtualSex.exe
Visual Basic 6.0 Msdn Plugin.exe
Visual basic 6.exe
WarCraft_3_crack.exe
WinOnCD 4 PE_crack.exe
WinRar 3.xx Password Cracker.exe
WinZip 9.0b.exe
WinZipped Visual C++ Tutorial.exe
Winamp 3.8.exe
WindowBlinds 4.0.exe
Windows XP complete + serial.exe
Windows Xp Exploit.exe
Winzip KeyGenerator Crack.exe
XNuker 2003 2.93b.exe
Yahoo Messenger 6.0.exe
Zelda Classic 2.00.exe
aol cracker.exe
aol password cracker.exe
cable modem ultility pack.exe
counter-strike.exe
delphi.exe
divx pro.exe
divx_pro.exe
hotmail_hack.exe
iMesh 3.6.exe
iMesh 3.7b (beta).exe
index.exe
mIRC 6.15.exe
macromedia dreamweaver key generator.exe
mp3Trim PRO 2.5.exe
pamela_anderson.exe
play station emulator.exe
serials2000.exe
subseven.exe
vb6.exe
virtua girl - adriana.exe
virtua girl - bailey short skirt.exe
warcraft 3 crack.exe
warcraft 3 serials.exe
winamp plugin pack.exe
winzip full version key generator.exe

The worm also spreads through network shares and through Internet Relay Chat
(IRC) client applications.

W32/Capside-C modifies the system files autoexec.bat and win.ini in order to
start up automatically when a user logs on.

When first run, the worm displays a fake error message that reads "Impossible
to open the file, this total or partially damaged." The worm also displays the
following text:

<******************GEDZAC LABS******************>
Win32.Ireul.a By MachineDramon/GEDZAC
Worm de Mensageria: Msn, Yahoo, AIM, Icq, Mirc (Resultara?)
Ireul = Angel del Miedo
Cometario Politico: Toledo, hazle un favor al Peru, Matate
EEUU jamas podras barrer todo la arena del desierto

(In English, the last four lines read: "Messaging worm: MSN, Yahoo, AIM, ICQ,
mIRC (Will it work?)"; "Ireul = Angel of Fear"; "Political comment: Toledo, do
Peru a favor, kill yourself"; "USA, you will never be able to sweep up all the
sand of the desert".)

The worm may create or modify the following registry entries:

HKCR\batfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\exefile\shell\open\command
HKCR\keyfile\shell\open\command
HKCR\piffile\shell\open\command
HKCR\regfile\shell\open\command
HKCR\scrfile\shell\open\command
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Policies\System
HKLM\Software\Gedzac\Ireul
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINAPLOGUPD
"WINAPLOGUPD.EXE"

This IDE file also includes detection for:

W32/Assiral-C
http://www.sophos.com/virusinfo/analyses/w32assiralc.html
Troj/Botget-A
http://www.sophos.com/virusinfo/analyses/trojbotgeta.html
Troj/IRCBot-AA
http://www.sophos.com/virusinfo/analyses/trojircbotaa.html
Troj/PPdoor-C
http://www.sophos.com/virusinfo/analyses/trojppdoorc.html
Troj/PPdoor-B
http://www.sophos.com/virusinfo/analyses/trojppdoorb.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/capsid-c.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
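The persistence indicators in the Sophos description above (dropped filenames, the hijacked shell\open\command handlers, the Run value, the Gedzac\Ireul marker key, and the win.ini/autoexec.bat changes) can be checked offline from a `reg export` dump and copies of the two INI files. The script below is an added example for this list; it is not Sophos's tooling or Mike's code. The file and key names come from the advisory; the "clean launcher" heuristic (a handler command is expected to start with `"%1"` or `regedit.exe`) and the sample inputs at the bottom are the author's assumptions, constructed for the demonstration.

```python
"""Offline triage for the W32/Capside-C persistence indicators listed in the advisory.

Parses a `reg export` text dump (REGEDIT4 / "Windows Registry Editor Version 5.00"
format) plus the contents of win.ini and autoexec.bat, and reports matches.
The sample inputs at the bottom are constructed, not captured from a real host.
"""
import re

# Filenames the advisory says the worm drops into the Windows system folder.
DROPPED_FILES = {"ireul.pif", "netinstalldrv.exe", "winaplogupd.com", "xpextratdll.scr"}
# File classes whose shell\open\command the advisory says may be modified.
HIJACKED_CLASSES = {"batfile", "comfile", "exefile", "keyfile", "piffile", "regfile", "scrfile"}
MARKER_KEY = r"hklm\software\gedzac\ireul"
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
POLICY_KEYS = {  # advisory lists these; the "WindowsNT" spelling is kept alongside the real one
    r"hkcu\software\microsoft\windows\currentversion\policies\system",
    r"hkcu\software\microsoft\windows nt\currentversion\policies\system",
    r"hkcu\software\microsoft\windowsnt\currentversion\policies\system",
    r"hklm\software\microsoft\windows\currentversion\policies\system",
}
HIVES = {"HKEY_CLASSES_ROOT": "HKCR", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU", "HKEY_CURRENT_CONFIG": "HKCC"}
# Assumption (not from the advisory): a clean handler command starts with one of these.
CLEAN_LAUNCHERS = ('"%1"', "regedit.exe")


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Map lower-cased short key paths (hklm\\...) to {value_name: data}.
    REG_SZ data is decoded; dword:/hex: data is kept as its raw token."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):        # "[-HKEY_...]" deletes a key; nothing to inspect
                current = None
                continue
            hive, _, rest = path.partition("\\")
            current = (HIVES.get(hive, hive) + "\\" + rest).lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2)).lower()
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def mentions_dropped_file(s):
    s = s.lower()
    return any(name in s for name in DROPPED_FILES)


def scan_registry(keys):
    """Return (kind, detail) findings for the registry indicators in the advisory."""
    findings = []
    for path, values in keys.items():
        cls = re.fullmatch(r"hkcr\\([^\\]+)\\shell\\open\\command", path)
        if cls and cls.group(1) in HIJACKED_CLASSES:
            cmd = values.get("", "")
            if mentions_dropped_file(cmd):
                findings.append(("hijacked_handler", f"{cls.group(1)}: {cmd}"))
            elif not cmd.lstrip().lower().startswith(CLEAN_LAUNCHERS):
                findings.append(("review_handler", f"{cls.group(1)}: {cmd}"))
        elif path == RUN_KEY:
            for name, data in values.items():
                if name == "winaplogupd" or mentions_dropped_file(data):
                    findings.append(("run_entry", f"{name} = {data}"))
        elif path.startswith(MARKER_KEY):
            findings.append(("marker_key", path))
        elif path in POLICY_KEYS:
            for name, data in values.items():   # advisory gives no value names; list all for review
                findings.append(("review_policy", f"{path}\\{name} = {data}"))
    return findings


def scan_ini(win_ini, autoexec):
    """win.ini run=/load= lines and autoexec.bat lines that name a dropped file."""
    findings = []
    for line in win_ini.splitlines():
        key, _, val = line.partition("=")
        if key.strip().lower() in ("run", "load") and mentions_dropped_file(val):
            findings.append(("win_ini", line.strip()))
    for line in autoexec.splitlines():
        if mentions_dropped_file(line):
            findings.append(("autoexec", line.strip()))
    return findings


def triage(reg_text, win_ini, autoexec):
    return scan_registry(parse_reg(reg_text)) + scan_ini(win_ini, autoexec)


# Constructed sample artifacts (what an infected host's export might look like).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="WINAPLOGUPD.COM \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Gedzac\Ireul]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINAPLOGUPD"="WINAPLOGUPD.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\system32\\NETINSTALLDRV.EXE\n"
SAMPLE_AUTOEXEC = "@ECHO OFF\nC:\\WINDOWS\\system32\\XPEXTRATDLL.SCR\n"

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_REG, SAMPLE_WIN_INI, SAMPLE_AUTOEXEC):
        print(f"{kind:18} {detail}")
```

Collect the export (`reg export HKLM ...` and `HKCR`) from a clean boot environment rather than the live host: once exefile\shell\open\command has been redirected, every .exe launched on the infected system, the triage tool included, goes through the worm's binary first. The `review_handler` and `review_policy` findings are deliberately noisy, since legitimate third-party handlers and policy settings will also show up there; the `hijacked_handler`, `run_entry` and `marker_key` findings are the ones tied directly to the advisory's indicators.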