Need help? Ask the community or hire an expert.
Go to Avira Answers
Alias:W32.Supova.B.worm (Symantec), W32/Supova.E (Panda), Win32.Kitty.d (ESafe), Win32.Supova.D.pac (VET), Worm.P2P.Surnova.d (AVP)
Type:Worm 
Size:14,336 Bytes 
Origin: 
Date:00-00-0000 
Damage:Spreads over KaZaA and MSN Messenger 
VDF Version:6.23.00.00 
Danger:Low 
Distribution:Low 

DistributionWorm/Surnova.D spreads over KaZaA and MSN Messanger. The worm is disguised under software names, for tempting KaZaA users to download it.
For spreading over MSN Messenger, it uses the Contacts list.

The message is:
Hehe, check this out :-)
Funny, check it out
LOL!! See this :D
LOL!! Check this out :)
Hehe, this is fun :-)

Technical DetailsWhen activated, Worm/Surnova.D displays an error message, named 'CHEESE-BURGER.exe':
"Application attempted to read memory at 0xFFFFFFFFh
Terminating application"

Then, the worm copies itself in C:\%WinDIR%\Media directory, as:
a.exe
age of empires 2 crack.exe
battle.net key generator (works!!).exe
britney spears hard porn (real!).exe
britney spears nude.exe
cable modem uncapper.exe
christina aguilera fuck (real!).exe
clonecd + crack.exe
clonecd all-versions key generator.exe
copy protection remover.exe
crazy taxi crack.exe
divx codec v6.0.exe
divx newest version.exe
divx patch - increases quality.exe
divx pro key generator.exe
divx.exe
doom 3 preview!!.exe
doom 3 screenshots.exe
dragonball z complete episode guide.exe
dragonball z episode 1.exe
dragonball z shootout.exe
dragonball z.exe
gamecube emulator (works!!).exe
grand prix 4 crack.exe
grand theft auto 3 cd1 crack.exe
grand theft auto 3 trainer.exe
gta3 crack.exe
hack into any computer!!.exe
half-life online key generator.exe
half-life won key generator.exe
jedi knight 2 crack.exe
j-lo nude (real!!).exe
kazaa hack.exe
kazaa lite.exe
kazaa media desktop v2.0 unofficial.exe
kazaa spyware remover.exe
key generator for all windows xp versions.exe
key generator for over 1,000 applications (really!).exe
kiddy child incest porn.exe
macromedia dreamweaver mx key generator.exe
macromedia flash mx key generator.exe
macromedia mx key generator (all products).exe
microsoft key generator, works for all microsoft products!!.exe
microsoft office xp (english) key generator.exe
microsoft office xp.iso.exe
microsoft windows xp crack pack.exe
neverwinter nights crack.exe
nokia simlock remover (includes new models).exe
norton antivirus 2002.exe
quake 4 beta.exe
resident evil [divx].exe
sex.exe
shrek.exe
star wars episode 2 downloader.exe
starcraft 2 preview!.exe
starcraft battle.net key generator.exe
starcraft online crack.exe
warcraft 3 battle.net serial generator.exe
warcraft 3 online key generator.exe
warcraft 3 trainer.exe
windows xp key generator.exe
windows xp serial generator.exe
winrar + crack.exe
winzip 8.0 + serial.exe
xbox emulator (works!!).exe
xbox.info.exe

A worm copy is also made in Windows directory, named BigMac.exe.
It makes the following autostart registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Supernova= C:\%WinDIR%\BigMac.exe

The following text file is saved in Windows directory, with 11 random characters:
W32.Supernova - Ban religion
---------------------------------------------------
Religion = War
Religion = Based on fairytales
Wars based on fairytales?
Ban religion, welcome to the truth
---------------------------------------------------

This worm has two payloads:
The first routine is active on the 5th day of every month and uses PING as Denial of Service attack against the following domains:
www.beliefnet.com
www.christianity.com
www.islamicity.com

The other routine is active on the 7th day of every month. It displays some error messages:
-"Owned by blasting star"
-"Patch the leaks... Or the ship will sink..."
-"Religion is war!!"
and it deletes all files in %WinDir% and %WinDir%\%SystemDir% directories.
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .