Virus: Worm/KillAV.GR
CME number: 24
Date discovered: 19/01/2006
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: No
File size: ~100.000 Bytes
VDF version: 6.33.00.140
General
Methods of propagation:
• Email
• Local network

Aliases:
• Symantec: W32.Blackmal.E@mm
• McAfee: W32/MyWife.d@MM!M24
• Kaspersky: Email-Worm.Win32.Nyxem.e
• TrendMicro: WORM_GREW.A
• F-Secure: Email-Worm.Win32.Nyxem.e
• Sophos: W32/Nyxem-D
• Panda: W32/Tearec.A.worm
• Grisoft: Worm/Generic.FX
• VirusBuster: Worm.P2P.VB.CIL
• Bitdefender: Win32.Nyxem.E@mm

It was previously detected as:
• TR/KillAV.GR

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Disables security applications
• Uses its own email engine
• Registry modification

Files
It copies itself to the following locations:
• %WINDIR%\Rundll16.exe
• %WINDIR%\system32\scanregw.exe
• %WINDIR%\system32\Update.exe
• %WINDIR%\system32\Winzip.exe

It overwrites the following files. The built-in time check triggers this payload when the day of the month equals 3:
– %all directories%
File extensions:
• .doc
• .xls
• .mdb
• .mde
• .ppt
• .pps
• .zip
• .rar
• .pdf
• .psd
• .dmp
With the following contents:
• DATA Error [47 0F 94 93 F4 K5]

It deletes the following files:
• %PROGRAM FILES%\*.htm*
• %PROGRAM FILES%\DAP\*.dll
• %PROGRAM FILES%\BearShare\*.dll
• %PROGRAM FILES%\Symantec\LiveUpdate\*.*
• %PROGRAM FILES%\Symantec\Common Files\Symantec Shared\*.*
• %PROGRAM FILES%\Norton AntiVirus\*.exe
• %PROGRAM FILES%\Alwil Software\Avast4\*.exe
• %PROGRAM FILES%\McAfee.com\VSO\*.exe
• %PROGRAM FILES%\McAfee.com\Agent\*.*
• %PROGRAM FILES%\McAfee.com\shared\*.*
• %PROGRAM FILES%\Trend Micro\PC-cillin 2002\*.exe
• %PROGRAM FILES%\Trend Micro\PC-cillin 2003\*.exe
• %PROGRAM FILES%\Trend Micro\Internet Security\*.exe
• %PROGRAM FILES%\NavNT\*.exe
• %PROGRAM FILES%\Morpheus\*.dll
• %PROGRAM FILES%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
• %PROGRAM FILES%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
• %PROGRAM FILES%\Grisoft\AVG7\*.dll
• %PROGRAM FILES%\TREND MICRO\OfficeScan\*.dll
• %PROGRAM FILES%\Trend Micro\OfficeScan Client\*.exe
• %PROGRAM FILES%\LimeWire\LimeWire 4.2.6\LimeWire.jar

The following file is created:
– %SYSDIR%\%executed file%.zip
It is opened using the default application for this file type.

Registry
The following registry key is added in order to run the process after reboot:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "ScanRegistry"="scanregw.exe /scan"

The values listed below are removed from both of the following registry keys:
– HKLM\Software\Microsoft\Windows\CurrentVersion\Run
– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• APVXDWIN
• avast!
• AVG_CC
• AVG7_CC
• AVG7_EMC
• Avgserv9.exe
• AVGW
• BearShare
• ccApp
• CleanUp
• defwatch
• DownloadAccelerator
• kaspersky
• KAVPersonal50
• McAfeeVirusScanService
• MCAgentExe
• McRegWiz
• MCUpdateExe
• McVsRte
• MPFExe
• MSKAGENTEXE
• MSKDetectorExe
• NAV Agent
• NPROTECT
• OfficeScanNT Monitor
• PCCClient.exe
• pccguide.exe
• PCCIOMON.exe
• PCClient.exe
• PccPfw
• Pop3trap.exe
• rtvscn95
• ScanInicio
• ScriptBlocking
• SSDPSRV
• TM Outbreak Agent
• tmproxy
• Vet Alert
• VetTray
• VirusScan Online
• vptray
• VSOCheckTask

The following registry key is changed:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Old value:
• "WebView"=%user defined settings%
New value:
• "WebView"=dword:00000000

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established.
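The overwrite payload described above leaves every hit file containing the same marker string, which makes the damage easy to inventory before restoring from backup. The scanner below is an added example (not the vendor's code): it walks a directory tree, checks only the listed document extensions, and reports files whose content begins with the marker; the sample tree it builds is constructed test data, and the marker-at-offset-0 layout is an assumption, since the description gives no other detail.

```python
"""Damage-inventory scanner for the Worm/KillAV.GR overwrite payload (added
example, not the vendor's code). It walks a directory tree and lists document
files whose content is the marker string the description gives, so they can be
restored from backup. build_demo_tree() creates constructed sample files."""
import os
import tempfile

# Content the worm writes into overwritten files (from the description).
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
# Extensions the payload targets (from the description), matched case-insensitively.
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".pdf", ".psd", ".dmp"}

def is_overwritten(path: str) -> bool:
    """True if the file starts with the marker. Assumption: the marker sits at
    offset 0, since the description gives no other layout for the damaged files."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(MARKER)) == MARKER
    except OSError:          # unreadable files are left to other tooling
        return False

def find_overwritten_files(root: str) -> list[str]:
    """Sorted paths of targeted document types under root that carry the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
                full = os.path.join(dirpath, name)
                if is_overwritten(full):
                    hits.append(full)
    return sorted(hits)

def build_demo_tree() -> str:
    """Constructed sample tree: two damaged files, one intact, one non-targeted type."""
    root = tempfile.mkdtemp(prefix="killav_demo_")
    os.mkdir(os.path.join(root, "docs"))
    samples = {"docs/report.DOC": MARKER,                      # damaged, uppercase extension
               "docs/budget.xls": MARKER,                      # damaged
               "docs/notes.pdf": b"%PDF-1.4 intact content",   # intact
               "docs/readme.txt": MARKER}                      # not a targeted type
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for hit in find_overwritten_files(build_demo_tree()):
        print("overwritten:", hit)
```

Run it against a copy of the affected shares or backups, not the live volume, so that the inventory itself does not touch files that forensic work may still need.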
The characteristics are described in the following:
To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– Email addresses gathered from Yahoo! Messenger
– Email addresses gathered from MSN Messenger

Subject:
One of the following:
• The Best Videoclip Ever
• School girl fantasies gone bad
• A Great Video
• Fuckin Kama Sutra pics
• Arab sex DSC-00465.jpg
• give me a kiss
• *Hot Movie*
• Fw: Funny :)
• Fwd: Photo
• Fwd: image.jpg
• Fwd: Crazy illegal Sex!
• Fw: Sexy
• Re:
• Fw:
• Fw: Picturs
• Fw: DSC-00465.jpg
• Word file
• eBook.pdf
• the file
• Part 1 of 6 Video clipe
• You Must View This Videoclip!
• Miss Lebanon 2006
• Re: Sex Video
• My photos
• Photos
In some cases the subject might also be empty.

Body:
The body of the email is one of the following:
• Note: forwarded message attached.
• Hot XXX Yahoo Groups
• Fuckin Kama Sutra pics
• ready to be FUCKED ;)
• VIDEOS! FREE! (US$ 0,00)
• >> forwarded message
• ----- forwarded message -----
• i just any one see my photos. It's Free :)
• hello, i send the file. bye
• hi i send the details bye
• how are you? i send the details. OK ?
• i attached the details.
• Thank you
• Please see the file.
• What?
• ???????????????????????????? ????????????? ?????? ???????????

Attachment:
The filename of the attachment is one of the following:
• DSC-00465.Pif
• image04.pif
• photo.pif
• School.pif
• 677.pif
• 04.pif
• eBook.PIF
• New_Document_file.pif
• 007.pif
• document.pif
• DSC-00465.pIf
• Video_part.mim
• Attachments[001].B64
• 3.92315089702606E02.UUE
• WinZip.BHX
• Attachments001.BHX
• Sex.mim
• Original Message.B64
• eBook.Uu
• Attachments00.HQX
• Word_Document.hqx
• Word_Document.uu
The attachment is a copy of the malware itself.
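Because the subject may be empty, a gateway rule for these mails should key on the attachment as well as the subject. The triage rule below is an added example (not the vendor's code) that parses raw messages with Python's standard email library and reports which of the listed subjects, attachment names or attachment types matched; demo_message() builds constructed sample messages, not real captures.

```python
"""Mail-gateway triage rule for Worm/KillAV.GR mails (added example, not the
vendor's code). It parses raw messages with the standard library and flags the
subject lines, attachment names and attachment types the description lists.
The sample messages built by demo_message() are constructed, not real captures."""
import email
from email import policy

# Subject lines from the description (compared case-insensitively; an empty subject is not flagged).
SUBJECTS = {s.lower() for s in (
    "The Best Videoclip Ever", "School girl fantasies gone bad", "A Great Video",
    "Fuckin Kama Sutra pics", "Arab sex DSC-00465.jpg", "give me a kiss", "*Hot Movie*",
    "Fw: Funny :)", "Fwd: Photo", "Fwd: image.jpg", "Fwd: Crazy illegal Sex!", "Fw: Sexy",
    "Re:", "Fw:", "Fw: Picturs", "Fw: DSC-00465.jpg", "Word file", "eBook.pdf", "the file",
    "Part 1 of 6 Video clipe", "You Must View This Videoclip!", "Miss Lebanon 2006",
    "Re: Sex Video", "My photos", "Photos")}
# Attachment names from the description.
ATTACHMENTS = {a.lower() for a in (
    "DSC-00465.Pif", "image04.pif", "photo.pif", "School.pif", "677.pif", "04.pif",
    "eBook.PIF", "New_Document_file.pif", "007.pif", "document.pif", "Video_part.mim",
    "Attachments[001].B64", "3.92315089702606E02.UUE", "WinZip.BHX", "Attachments001.BHX",
    "Sex.mim", "Original Message.B64", "eBook.Uu", "Attachments00.HQX", "Word_Document.hqx",
    "Word_Document.uu")}
# Executable and encoded-archive types the worm uses; gateways that do not unpack
# .mim/.uue/.b64/.bhx/.hqx containers should quarantine on the extension alone.
RISKY_EXT = (".pif", ".mim", ".b64", ".uue", ".bhx", ".hqx", ".uu")

def classify(raw: bytes) -> list[str]:
    """Return the indicators matched in one raw message ([] means nothing matched)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("known-attachment:" + name)
        elif name.endswith(RISKY_EXT):
            hits.append("risky-attachment-type:" + name)
    return hits

def demo_message(subject: str, filename: str) -> bytes:
    """Constructed two-part message carrying one attachment (sample data only)."""
    return (f"From: a@example.com\r\nTo: b@example.com\r\nSubject: {subject}\r\n"
            "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"xx\"\r\n\r\n"
            "--xx\r\nContent-Type: text/plain\r\n\r\nhello, i send the file. bye\r\n"
            f"--xx\r\nContent-Type: application/octet-stream; name=\"{filename}\"\r\n"
            f"Content-Disposition: attachment; filename=\"{filename}\"\r\n\r\nMZ...\r\n"
            "--xx--\r\n").encode()
```

The generic subjects ("Re:", "Fw:") match legitimate mail too, so treat a subject-only hit as a low-confidence signal and an attachment hit as the quarantine trigger.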
Mailing
Search addresses:
It searches the following files for email addresses:
• .HTM
• .DBX
• .EML
• .MSG
• .OFT
• .NWS
• .VCF
• .MBX
• .IMH
• .TXT
• .MSF
Resolving server names:
It has the ability to contact the DNS server:
• ns1.%receiver's domain name from email address%

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.
It drops a copy of itself to the following network share:
• C$
It uses the following login information in order to gain access to the remote machine:
– The following username:
• administrator
Remote execution:
– It attempts to schedule a remote execution of the malware on the newly infected machine, using the NetScheduleJobAdd function.

Process termination
Processes containing one of the following window titles are terminated:
• SYMANTEC
• SCAN
• KASPERSKY
• VIRUS
• MCAFEE
• TREND MICRO
• NORTON
• REMOVAL
• FIX

Backdoor
Contact server:
The following:
• http://webstats.web.rcn.net/cgi-bin/**********?df=765247
As a result it may send some information. This is done via an HTTP GET request to a CGI script.
Sends information about:
• Current malware status

File details
Programming language:
The malware program was written in Visual Basic.
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.
Description inserted by Andrei Ivanes on Friday, January 20, 2006
Description updated by Andrei Gherman on Tuesday, September 12, 2006