Virus: Worm/TermX.A
Date discovered: 14/05/2007
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 186.166 Bytes
MD5 checksum: 09b5dc62a921a88153cd34b08716b479
VDF version: 6.38.01.136
IVDF version: 6.38.01.142 - Tuesday, May 15, 2007
General
Method of propagation:
• Messenger

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads a malicious file
• Registry modification

Files
It copies itself to the following location:
• %WINDIR%\svhost32.exe

It tries to download a file:
– The location is the following:
• http://bestwish.info**********
This file is executed once it has been fully downloaded. At the time of writing it was an updated version of the malware itself.

Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "Task Manager"="%WINDIR%\svhost32.exe"

The following registry keys are added:
– [HKCU\Software\Google\GoogleToolbarNotifier]
• "KeepDS"=dword:00000000
• "ShowTrayIcon"=dword:00000000
– [HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast]
• "content url"="http://bestwish.info/**********"
– [HKCU\Software\Yahoo\pager\View\YMSGR_buzz]
• "content url"="http://bestwish.info/**********"

The following registry keys are changed:

Internet Explorer's start page:
– [HKCU\Software\Microsoft\Internet Explorer\Main]
New value:
• "Search Page"="http://bestwish.info/**********"
• "Start Page"="http://bestwish.info/**********"

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• "DisableRegistryTools"=dword:00000001
• "DisableTaskMgr"=dword:00000001

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• "NoRun"=dword:00000001
– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
New value:
• "DisableConfig"="1"
– [HKCU\Software\Microsoft\Internet Explorer\SearchUrl]
New value:
• "(Default)"="http://bestwish.info/**********"
– [HKCU\Software\Microsoft\Search Assistant]
New value:
• "DefaultSearchURL"="http://bestwish.info/**********"

Messenger
It spreads via Messenger.
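A check for the registry indicators listed above, written as an added example for this page (it is not part of the original description): it parses a Windows .reg export and reports any of the persistence and policy values the description names. The .reg text is constructed for the demonstration, and the URL path is a placeholder because the page masks it.

```python
# Added example: audit a .reg export for the TermX.A registry changes described above.
# Key and value names come from the description; HKLM/HKCU are written in the long
# form that "reg export" produces. Expected data is matched as a case-insensitive substring.
INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Task Manager", "svhost32.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", "dword:00000001"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "dword:00000001"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun", "dword:00000001"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableConfig", '"1"'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page", "bestwish.info"),
]

# Constructed sample export (not captured from a real host). The URL path is a
# placeholder because the description masks it; the second Run entry is benign noise.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Task Manager"="C:\\WINDOWS\\svhost32.exe"
"SecurityHealth"="C:\\Program Files\\Vendor\\agent.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://bestwish.info/[masked]"
'''


def parse_reg(text):
    """Return {lower-cased key path: {value name: raw data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry key paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            keys[current]["(Default)" if name == "@" else name.strip('"')] = data
    return keys


def find_termx_indicators(text):
    """Return (key, value name, data) for every indicator present in the export."""
    reg = parse_reg(text)
    hits = []
    for key, name, needle in INDICATORS:
        data = reg.get(key.lower(), {}).get(name)
        if data is not None and needle.lower() in data.lower():
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_termx_indicators(SAMPLE_REG):
        print(f"[{key}] {name}={data}")
```

The Run value and the two policy DWORDs are the ones worth alerting on in a baseline comparison; the masked URL entries only confirm the variant once the file indicator has fired.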
The characteristics are described below:
– AIM Messenger
– ICQ Messenger
– Windows Live Messenger
– Yahoo Messenger
– Windows Messenger

To: All entries in the contact list.

Message
The sent message looks like one of the following:
• c’est ma carte de voeux de Noel que j’ai fait seulement pour toi http://bestwish.info/********** ^_^
• Microsoft donne 2007 copies gratuits de Windows Vista pour 2007 premieres inscriptions : http://bestwish.info/********** >:D< est envoyé par %current username% pas de virus
• vote pour notre Miss de beauté aujourd’hui :x " http://bestwish.info/********** :x:x:x:x:x est envoyé par %current username% pas de virus
• the only way to clean some online viruses that may lead you into troubles : http://bestwish.info/********** << est envoyé par %current username% pas de virus
• Joyeux Noel et Bonne année !!! http://bestwish.info/********** <<
• l’entrainneur de Chelsea est gravement blessé par Gallad http://bestwish.info/********** est envoyé par %current username% pas de virus
• Attention!!! Il y aura un tremblement de terre ce soir : http://bestwish.info/********** est envoyé par %current username% pas de virus
• J’ai fait 10 cadeaux pour les 10 premieres personnes qui commentent sur mon site web : http://bestwish.info/********** c0ol !!! est envoyé par %current username% pas de virus
• you are virus infected . Use this tool to remove viruses from your PC : http://bestwish.info/********** << est envoyé par %current username% pas de virus
• Enculé !!! http://bestwish.info/********** X-(
• Osama Bin Laden est arreté http://bestwish.info/********** est envoyé par %current username% pas de virus
• Creer les bombs hyper forts avec Whisky, Coke et Mentos http://bestwish.info/********** est envoyé par %current username% pas de virus
• J'ai gagne au LOTO: http://bestwish.info/********** Viens feter chez moi !!!
The received message may look like the following:

File details
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
• UPX
Description inserted by Ernest Szocs on Monday, May 14, 2007 Description updated by Ernest Szocs on Tuesday, May 15, 2007