Virus:W32/Weird.e
Date discovered:09/11/2005
Type:File infector
In the wild:No
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:No
File size:~20,000 bytes
VDF version:6.32.00.159

 General Aliases:
   •  Symantec: W32.Ganty.Worm
   •  McAfee: W32/Gason
   •  Kaspersky: Virus.Win32.Weird.e
   •  Sophos: W32/Weird-E
   •  VirusBuster: Win32.Ganty
   •  Eset: Win32/Weird.E
   •  Bitdefender: Win32.Weird.E


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a malicious file
   • Third party control

 Files
 It copies itself to the following location:
   • %WINDIR%\McAfee.exe

 Registry
 The following registry value is added in order to run the process again after a reboot:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "McAfee AntiVirus Shield"="%WINDIR%\\McAfee.exe"

 File infection
 Infector type:

Appender - The main virus body is appended to the end of the infected file.
The last section of the file is modified (enlarged) to include the virus code.


Stealth:
No stealth techniques are used. The entry point of the infected file is changed to point to the virus code; the original entry point (OEP) is not disguised, so the modification is visible to a static inspection of the PE header.
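As an added example that is not part of the original description, the following Python script shows the kind of static check an analyst would run to triage the appender pattern described above (virus body appended to the last section, entry point redirected into it). It parses the PE header with the standard struct module and reports an entry point that lands in the last section, or in a section that is not marked as code or is both writable and executable. The two PE images it checks are constructed in memory (no real sample is embedded); the indicator strings and the section flags chosen for the "infected" layout are this example's assumptions, not details taken from the page.

```python
"""Static triage for the appender infection pattern (entry point redirected
into an enlarged last section).  Added example; the PE images below are
constructed in memory and are not malware samples."""
import struct
from collections import namedtuple

Section = namedtuple(
    "Section", "name virtual_address virtual_size raw_size raw_pointer characteristics")

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [Section, ...]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, vsize, rawsize, rawptr, chars))
    return entry_rva, sections


def appender_indicators(data):
    """Heuristic indicators (assumed for this example, not from the AV text)
    that the entry point was redirected into appended code.  Empty = nothing odd."""
    entry_rva, sections = parse_pe(data)
    host = None
    for idx, s in enumerate(sections):
        if s.virtual_address <= entry_rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            host = idx
            break
    if host is None:
        return ["entry point 0x%x is outside every section" % entry_rva]
    s = sections[host]
    findings = []
    if len(sections) > 1 and host == len(sections) - 1:
        findings.append("entry point 0x%x lies in the last section %r" % (entry_rva, s.name))
    if not s.characteristics & IMAGE_SCN_CNT_CODE:
        findings.append("entry section %r is not marked as code" % s.name)
    if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %r is both writable and executable" % s.name)
    return findings


def build_pe(sections, entry_rva):
    """Construct a minimal PE32 image: DOS stub, headers, section table and
    zero-filled section bodies.  Constructed test input only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)          # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", s.name.encode().ljust(8, b"\0"),
                                 s.virtual_size, s.virtual_address, s.raw_size,
                                 s.raw_pointer, 0, 0, 0, 0, s.characteristics)
                     for s in sections)
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table)
    image.extend(b"\0" * (max(s.raw_pointer + s.raw_size for s in sections) - len(image)))
    return bytes(image)


# Constructed clean layout: entry point inside .text, .data is plain read/write data.
CLEAN_SAMPLE = build_pe([
    Section(".text", 0x1000, 0x200, 0x200, 0x200, 0x60000020),
    Section(".data", 0x2000, 0x100, 0x200, 0x400, 0xC0000040),
], entry_rva=0x1010)

# Constructed appender layout: the last section grew by roughly 20,000 bytes,
# was made executable, and the entry point now points into it.
INFECTED_SAMPLE = build_pe([
    Section(".text", 0x1000, 0x200, 0x200, 0x200, 0x60000020),
    Section(".data", 0x2000, 0x5100, 0x5200, 0x400, 0xE0000040),
], entry_rva=0x2100)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, len(img), "bytes:", appender_indicators(img) or ["no indicators"])
```

Run it on a real file with appender_indicators(open(path, "rb").read()). An entry point in the last section is only a triage signal: packers and some linkers legitimately produce it (UPX itself places the entry point in its last code section), so the result is a reason to look closer, not a verdict.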


Method:

This infector is memory-resident: once executed it remains active in memory.


Infection length:

Approximately 20,000 bytes


The following files are infected:

By file type:
   • *.exe

Files in any of the following directories:
   • %all directories%

 Email
 It does not have its own spreading routine, but it is able to send an email. The recipient is most likely the author. The characteristics are described below:


From:
The sender of the email is the following:
   • gandeson9871@**********


To:
The recipient of the email is the following:
   • gandeson9871@**********


Subject:
The following:
   • Please send email to %computer name%


 Backdoor
 The following port is opened:

%executed file% listens on TCP port 136 in order to provide backdoor capabilities. As a result it may send information from the system and allow a third party to control it remotely.

 File details
 Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Daniel Constantin on Tuesday, February 2, 2010
Description updated by Daniel Constantin on Tuesday, February 2, 2010
