Alias: W32/NiceHello@mm
Type: Worm
Size: 99,328 bytes
Origin: unknown
Date: 03-12-2003
Damage: Worm/NiceHello sends itself by email, using its own SMTP engine. It copies itself into the Windows system folder as "Sys64dvr.exe" (99,328 bytes) and adds a run entry to the registry.
VDF Version: 6.18.00.xx
Danger: Low
Distribution: Medium
Symptoms
The files and registry entries mentioned below.
Distribution
The worm has its own SMTP engine and sends itself to all email addresses found on the infected computer.
Technical Details
Worm/NiceHello sends itself by email, using its own SMTP engine. This lets it send mail without depending on an installed email client such as Outlook. The addresses are collected from the Microsoft Messenger contact list.
The email sent by Worm/NiceHello can have the following characteristics:
Subject: Presentaciones PowerPoint
Body: Las presentaciones en power point que tenia que mandarte, estan comprimidas en el archivo adjunto, recuerda que es solo para vos
Attachment: presentaciones.exe
or
Subject: ahora el juego va a funcionar
Body: El parche para el juego que mas te gusta, esta comprimido, recuerda que es solo para vos
Attachment: parchejuego.exe
or
Subject: Fotos ultima fiesta
Body: Hola, como estas, te mando las fotos de la ultima fiesta, por cierto tienes una cara!!!. , recuerda que es solo para vos. bye
Attachment: fotos.exe
or
Subject: Datos ultimo trimistre
Body: Los datos del ultimo trimestre esta en el archivo adjunto, estan
comprimidos, recuerda que es solo para vos
Attachment: datos.exe
or
Subject: Video de la ultima reunion de amigos, recuerda que es solo para vos
Body: Hola, te mando el video de la ultima fiesta, no se ve muy bien pero algo es algo, recuerda que es solo para vos
Attachment: video.exe
or
Subject: Animaciones en flash de nuestros politicos
Body: Mira las animaciones sobre la clase politica del pais, recuerda que es solo para vos
Attachment: politicos.exe
or
Subject: Codigo fuente
Body: Hola, te mando el codigo fuente que te prometi, esta comprimido; ya sabes esto es solo para vos!!. Saludos
Attachment: condigo.exe
or
Subject: Mis primeras animaciones
Body: Te mando la primera animacion en flash sobre nuestros amigos; espero tus comentarios, recuerda que es solo para vos
Attachment: animacion.exe
or
Subject: parche
Body: El parche del programa que me pediste. Cualquier cosa estoy para ayudarte. recuerda que es solo para vos
Attachment: parche.exe
or
Subject: Actualizacion de programa
Body: Recien puedo enviarte la actualizacion, es que tuve mucho trabajo, recuerda que es solo para vos
Attachment: actualizacion.exe
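The lure characteristics listed above can be checked mechanically at a mail gateway. The following Python is an added example and not part of the original advisory: it parses messages with the standard `email` library and flags a message when an executable attachment carries one of the lure names, or (a rule assumed here, generalising beyond the listed names) when the phrase "recuerda que es solo para vos" that recurs in every lure appears together with any .exe attachment. The sample messages are constructed for illustration.

```python
"""Flag mail matching the Worm/NiceHello lure pattern.

Added example, not part of the original advisory. The attachment names and
the recurring phrase come from the advisory; the sample messages built by
build_sample() are constructed, not real captures.
"""
import email
from email import policy
from email.message import EmailMessage

# Lure attachment names listed in the advisory (matched case-insensitively).
NICEHELLO_ATTACHMENTS = {
    "presentaciones.exe", "parchejuego.exe", "fotos.exe", "datos.exe",
    "video.exe", "politicos.exe", "condigo.exe", "animacion.exe",
    "parche.exe", "actualizacion.exe",
}
# Phrase present in every lure body (and in one subject).
NICEHELLO_PHRASE = "recuerda que es solo para vos"


def inspect_message(raw: bytes) -> dict:
    """Return the indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").lower()
    body_parts, exe_attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts carry no content of their own
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            if name.endswith(".exe"):
                exe_attachments.append(name)
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_content().lower())
    body = "\n".join(body_parts)
    known = [n for n in exe_attachments if n in NICEHELLO_ATTACHMENTS]
    phrase = NICEHELLO_PHRASE in body or NICEHELLO_PHRASE in subject
    return {
        "subject": subject,
        "exe_attachments": exe_attachments,
        "known_lure_attachment": known,
        "lure_phrase": phrase,
        # Verdict: a known lure name, or the lure phrase plus any .exe attachment
        # (the second rule is an assumption that generalises the advisory's list).
        "nicehello_match": bool(known) or (phrase and bool(exe_attachments)),
    }


def build_sample(subject: str, body: str, filename: str = None) -> bytes:
    """Construct a sample message (constructed test data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        # Four bytes of a PE header stand in for the attachment payload.
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Fotos ultima fiesta",
                     "Hola, te mando las fotos, recuerda que es solo para vos. bye",
                     "fotos.exe"),
        build_sample("Informe", "Adjunto el informe del mes", "informe.pdf"),
    ]
    for raw in samples:
        result = inspect_message(raw)
        print(result["subject"], "->", "NiceHello" if result["nicehello_match"] else "clean")
```

The checker deliberately keys on the attachment name and the lure phrase rather than on the SMTP sender, since the worm uses its own SMTP engine and forges whatever sender it likes.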
When the attachment is opened, Worm/NiceHello is intended to copy itself to:
* C:\Windows\System\Sys64dvr.exe and
* C:\Windows\System32\Sys64dvr.exe
but a programming error in its code names these files 'SystemSys64dvr.exe' and 'System32Sys64dvr.exe' instead.
The worm is meant to be activated at the next system start by the registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System 64 Driver for Games"="sys64dvr.exe"
Because of that naming error, however, the worm cannot run at system start. On Windows NT/2000/XP the following bogus message appears instead:
Just in time Debbuger
Microsoft Windows XP or greater required!
Worm/NiceHello will send an email containing the Microsoft Messenger log-in and password to a randomly chosen email address.
Manual Removal Instructions
- for Windows 2000/XP:
To remove the worm by hand, boot into Safe Mode first: press F8 while the computer starts and choose the 'Safe Mode' option from the menu that appears. Then delete the following files:
* Sys64dvr.exe
* Sys64dvr.exe
* SystemSys64dvr.exe
* System32Sys64dvr.exe
Then start "regedit" and edit the following registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System 64 Driver for Games"="sys64dvr.exe"
Restart your computer.
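As an added worked example (not from the advisory), the following Python applies the indicators from the technical details and the removal checklist above to an offline host snapshot: a regedit export of the Run key and a listing of the Windows folder, both constructed here. It also makes the naming bug explicit: the Run value points at a bare `sys64dvr.exe`, but the dropped copies are named `SystemSys64dvr.exe` and `System32Sys64dvr.exe`, so no file satisfies the autostart entry. That those misnamed files land directly in %WINDIR%, and the relative paths used for the intended drop locations, are assumptions made for this example.

```python
"""Offline check for the Worm/NiceHello indicators described in the advisory.

Added example, not part of the original advisory. It works on a regedit
export of the Run key and a listing of the Windows folder instead of the
live system, so it runs anywhere; both sample inputs are constructed.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "System 64 Driver for Games"
# Paths (relative to %WINDIR%) the worm intends to drop, per the advisory.
INTENDED_DROPS = {r"system\sys64dvr.exe", r"system32\sys64dvr.exe"}
# Names the advisory says the naming bug produces instead; that they land
# directly in %WINDIR% is an assumption made in this example.
MISNAMED_DROPS = {"systemsys64dvr.exe", "system32sys64dvr.exe"}

# Constructed sample: regedit export of the Run key on an infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"System 64 Driver for Games"="sys64dvr.exe"
"SomeTool"="C:\\Program Files\\Tool\\tool.exe"
'''
# Constructed sample: files found under %WINDIR% (paths relative to it).
SAMPLE_WINDIR = ["explorer.exe", "System32\\kernel32.dll",
                 "SystemSys64dvr.exe", "System32Sys64dvr.exe"]


def _unescape(s: str) -> str:
    """Undo the escaping regedit applies to backslashes and quotes in string data."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key (lowercased): {value name: string data}}.

    Only REG_SZ values written as "name"="data" are handled; that is all the
    Run key needs for this check.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"', line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_indicators(reg_text: str, windir_files) -> dict:
    """Correlate the Run-key value with the files actually present under %WINDIR%."""
    names = {f.lower().replace("/", "\\") for f in windir_files}
    run = parse_reg_export(reg_text).get(RUN_KEY.lower(), {})
    run_value = run.get(RUN_VALUE_NAME)
    misnamed = sorted(n for n in names if n in MISNAMED_DROPS)
    intended = sorted(n for n in names if n in INTENDED_DROPS)
    actions = [f"delete %WINDIR%\\{n}" for n in misnamed + intended]
    if run_value is not None:
        actions.append(f"remove Run value '{RUN_VALUE_NAME}' under {RUN_KEY}")
    return {
        "run_value": run_value,
        "misnamed_files": misnamed,
        "intended_files": intended,
        # The Run value names a bare 'sys64dvr.exe'; it only resolves if a
        # correctly named copy exists in a system folder, which the naming bug
        # prevents, so the worm does not restart with the system.
        "autostart_effective": run_value is not None and bool(intended),
        "infected": run_value is not None or bool(misnamed) or bool(intended),
        "removal_actions": actions,
    }


if __name__ == "__main__":
    report = find_indicators(SAMPLE_REG, SAMPLE_WINDIR)
    print("infected:", report["infected"], "autostart works:", report["autostart_effective"])
    for action in report["removal_actions"]:
        print(" -", action)
```

On a real host the two inputs would come from `reg export` of the Run key and a directory listing of %WINDIR% taken from Safe Mode, matching the manual procedure above; the checker then lists exactly the files and the registry value the procedure tells you to remove.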
- for Windows 9x/ME:
To remove the worm by hand, boot into Safe Mode first: press F8 while the computer starts and choose the 'Safe Mode' option from the menu that appears. Then delete the following files:
* Sys64dvr.exe
* Sys64dvr.exe
* SystemSys64dvr.exe
* System32Sys64dvr.exe
Then start "regedit" and edit the following registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"System 64 Driver for Games"="sys64dvr.exe"
Restart your computer.
Description created by Crony Walker on Tue, 15 Jun 2004 14:00 (GMT+1)