Alias: W32.Mexer.E@mm, Worm.Win32.Delf.e, W32/Fightrub.A.worm
Type: Worm
Size: 30,720 Bytes
Origin:
Date: 09-21-2004
Damage:
VDF Version: 6.27.0.68
Danger: Low
Distribution: Medium

General Description
Affected operating systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003

Distribution
Worm/Mexer.E sends itself as an attachment to all email addresses it can find in files of the following types:
.dbx
.htm
.sht
.doc
.rtf
.txt
.wab

The worm is not sent to email addresses containing the following strings:
root
newv
kasp
admi
host
supp
micr
webm
viru

The worm uses its own SMTP engine.
The subject is randomly chosen from the list below:
Your Crack
Internet Information
EBAY Information
VISA Information
Provider Information

The attachment name is taken from the C:/SYSNET directory.

The email body is one of the following lines:
Here is your crack!
New account data...
Security Tool...
EBAY Installer...

Technical Details
Worm/Mexer.E is a mass mailer that can also spread over P2P (peer-to-peer) networks.

When activated, the worm creates the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Ruby13"="C:\sysnet\Ruby13.exe"
HKEY_CURRENT_USER\Software\Imesh\Client\LocalContent\
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
HKEY_CURRENT_USER\Software\Kazaa\Transfer
"Dir0"="012345:c:\sysnet\"

Some copies of the worm are created in a SYS32 folder inside the Windows System or Windows System32 directory (depending on the Windows version):
%SystemDIR%\SYS32\*

The names of the worm files are:
Warcraft 3 Frozen Throne map hack.exe
EZ Dvd Ripper.exe
Nimo Codec Pack Updater.exe
Xvid Codec Installer.exe
Starcraft + Broodwar 1.10 map hack.exe
Crack McAfee 7.exe
Crack Norton 3000.exe
Borland KeyGens.exe
SophosCrackAllVersion.exe
PANDA.lusers.exe
Starcraft + Broodwar 1.10 no-cd hack.exe
Diablo 2 map hack.exe
Diablo 2 no-cd hack.exe
Jamella's Diablo 2 hero editor.exe
Warcraft 3 map hack.exe
Warcraft 3 stat hack.exe
Warcraft 3 no-cd hack.exe
EBAY.exe
VISA.EXE
PROVIDER.EXE
INTERNET.EXE
Warcraft 3 Frozen Throne cd-cd hack.exe
The Frozen Throne map hack.exe
Counterstrike hacks.exe
Counterstrike aim hack.exe
Ruby13.exe
Nero Burning ROM v6.3 Ultra: Enterprise edition key.exe
Counter-Strike, Condition Zero: Activation Key.exe
icqbomber.exe
BurnDvds.exe
Dvd Ripper.exe
Dvd To Vcd.exe
PANDA.AVers.lusers.exe
MP3 encoder decoder V1.8.exe
Cisco Certification Test.exe
MSCE Certification Test.exe
Windows Nt Certification Test.exe
XBOX X-Fer Ripper and Transfer.exe
Information.exe
Easy Dvd Ripper.exe

The worm also uses names that end with one of the following:
NoCD.exe
Crack.exe
Keygen.exe
Serial.exe

The names begin with:
Private Nurse -
Norton AntiVirus 2004 Pro Activation Key &
Microsoft Windows XP Professional
Adobe Photoshop CS and ImageReady CS 8.0
Zone Alarm 5.0 pro
Harry Potter and the Prisoner of Azkaban KeyGen and
Norton Internet Security 2004 Keygen &
All Adobe Products
All Macromedia Products
All Microsoft Products
Divx Pro 5.1
Dvd Plus
Dvd Wizard Pro
Dvd Xcopy
DvdCopyOne
DvdToVcd
Ipswich Town Official Management Game -
Bridge Baron 13
American Conquest -
Grom -
Slot City 3
Command and Conquer Generals
Nascar Racing 2003 Season
Eonix Realm Of Hepmia -
I Was An Atomic Mutant -
Fetish Fighters -
Battlefield 1942 The Road to Rome -
The Campaigns of La Grande Armee -
Unreal II The Awakening -
The Emperors Mahjong -
Sim City 4 -
Easy Dvd creator
Nero Burning Rom
Spider-Man 2
Spellforce Breath of Winter
Norton Internet Security 2005 Pro
Norton Internet Security 2004 Pro
Symantec Internet Secutiy 2005
Symantec Antivirus 2005
Harry Potter und der Gefangene von Askaban
Kazaa all
Windows Server 2003
Office XP Universal
BitDefender
Nod32
Impossible Creatures -
Test Drive -
Shadow of Memories -
World Of Outlaws Sprint Car Racing 2002 -
Tombstone 1882 -
Airport Tycoon II -
Apache AH-64 Air Assault -
A+ Certification Test.exe
Serious Sam Gold Edition -
IGI-2 Covert Strike -
Tom Clancys Splinter Cell -
Robot Arena Design And Destroy -
Freelancer -
Battlefield Vietnam -
Deus Ex -
Forbidden Siren -
Doom 3 -
WinRAR 3
WinACE
WinZIP 9
Norton AntiVirus 2005
Shrek 2

Worm/Mexer.E displays a message titled "Ruby V1.3, (c)BI 16.08.2004", with the text "Fight against MICROSOFT and make a virus!"
Description created by Crony Walker on Tuesday, June 15, 2004
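
The registry and file indicators listed above can be checked against data exported from a suspect host. The following is an added example, not part of the original description: the function names and the sample data are constructed, and it assumes that the "Dir0" share value may sit under any of the three P2P keys and has the form "<digits>:<path>".

```python
import ntpath

# Indicators from the description above; matching is case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
P2P_KEYS = (r"hkey_current_user\software\imesh\client\localcontent",
            r"hkey_current_user\software\kazaa\localcontent",
            r"hkey_current_user\software\kazaa\transfer")
DROP_DIR = "c:\\sysnet"
NAME_ENDINGS = ("nocd.exe", "crack.exe", "keygen.exe", "serial.exe")

def norm(path):
    """Lower-case a Windows path, unify slashes, drop quotes and trailing slash."""
    return ntpath.normpath(path.strip().strip('"')).lower()

def check_registry(values):
    """values: (key, value_name, data) tuples taken from a registry export."""
    hits = []
    for key, name, data in values:
        k = key.rstrip("\\").lower()
        if k == RUN_KEY and norm(data).startswith(DROP_DIR + "\\"):
            hits.append(("autorun", name))
        # Assumption: a P2P share value looks like "<digits>:<path>".
        elif k in P2P_KEYS and norm(data.split(":", 1)[-1]) == DROP_DIR:
            hits.append(("p2p_share", name))
    return hits

def check_files(paths):
    """Flag files in the drop directory and .exe files in <system dir>\\SYS32."""
    hits = []
    for p in paths:
        n = norm(p)
        parts = n.split("\\")
        if n.startswith(DROP_DIR + "\\"):
            hits.append(("drop_dir", p))
        elif (n.endswith(".exe") and len(parts) >= 3 and parts[-2] == "sys32"
              and parts[-3] in ("system", "system32")):
            hits.append(("sys32_lure" if n.endswith(NAME_ENDINGS) else "sys32_exe", p))
    return hits

# Constructed sample data (not taken from a real host).
SAMPLE_REG = [(RUN_KEY.upper(), "Ruby13", "C:\\sysnet\\Ruby13.exe"),
              (RUN_KEY.upper(), "SoundMan", "C:\\Windows\\SOUNDMAN.EXE"),
              (P2P_KEYS[2] + "\\", "Dir0", "012345:c:\\sysnet\\")]
SAMPLE_FILES = ["C:/SYSNET/Information.exe", "C:\\WINDOWS\\system32\\notepad.exe",
                "C:\\WINDOWS\\system32\\SYS32\\Doom 3 - Crack.exe"]

if __name__ == "__main__":
    for hit in check_registry(SAMPLE_REG) + check_files(SAMPLE_FILES):
        print(hit)
```
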
