Virus: Worm/Minusia.A
Date discovered: 22/03/2006
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Low
Static file: No
VDF version: 6.34.00.83

General
Methods of propagation:
• Email
• Local network

Aliases:
• Symantec: W32.Renama.A@mm
• Kaspersky: Email-Worm.Win32.Minusi.a
• Sophos: W32/Minusia-A
• Bitdefender: Win32.Minusia.A

Platforms / OS:
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops files
• Registry modification
• Makes use of software vulnerability

Right after execution it runs a Windows application that displays a message window (the screenshot is not reproduced on this page).

If a file named muhammad_is_my_prophet.txt exists in %WINDIR%\ on the victim machine, the worm does not infect that machine.

Files
It copies itself to the following locations:
• %SYSDIR%\svchost.exe
• %WINDIR%\safemode.exe
• %SYSDIR%\ERSvc.exe
• %WINDIR%\mmsg\mcAfee.Update.exe.exe
• %WINDIR%\Config\Easy.Windows.Monitoring.exe.exe
• %WINDIR%\Config\system.update.exe.exe
• %WINDIR%\mmsg\mmsg\mmsg.exe.exe
• %system drive root%\listname_of_terrorist.exe

The following files are created:
– %WINDIR%\system_log.txt
This is a non-malicious text file with the following content:
• MUHAMMAD ADALAH MANUSIA .............!!!!!! MUHAMMAD BUKAN MALAIKAT, DEWA, ATAU BAHKAN TUHAN...!!!!! TAPI DIA ADALAH PANUTAN SETIAP UMMAT MANUSIA, KARENA DIA ADALAH NABIULLAH..!!! KAMI MENGHORMATI MUHAMMAD SEBAGAI NABI DAN PEMIMPIN KARENA TINDAKANNYA YANG 99% BENAR BUKAN SEBAGAI DEWA, MALAIKAT ATAU BAHKAN TUHAN....!!!! SEBAGAIMANA KAMI MENGHORMATI NABI ISA DAN NABI-NABI LAIN KENAPA...???? KARENA MEREKA ADALAH MANUSIA JUGA JADI MOHON JANGAN MENCARI-CARI KESALAHAN DAN KENISTAANNYA YANG MUHAMMAD BERISTRI BANYAKLAH, MENGEKANG WANITA-LAH DAN LAIN-LAIN PAKAILAH LOGIKA, NISCAYA AKAN DAPAT KEBENARANNYA ....................................................... JADI, MOHON JANGAN HINA NABI-NABI KAMI...!!! KARENA MAREKA ADALAH NABI-NABI KALIAN JUGA..!!!! _________________________________________________________________________________________ AKU AKAN BERHENTI JIKA ANDA MENYATAKAN SIAPA NABI KALIAN..... AKU AKAN BERHENTI JIKA ANDA MENYATAKAN SIAPA NABI KALIAN..... AKU AKAN BERHENTI JIKA ANDA MENYATAKAN SIAPA NABI KALIAN..... IF YOU DON'T UNDERSTAND, PLEASE TRANSLATE IN YOU LANGUAGE
– %WINDIR%\Registry1.dll
This is a non-malicious text file that contains information about the program itself.

Registry
The following registry values are added repeatedly (in an infinite loop) so that the worm runs again after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "mcAfee.Instan.Update"="%WINDIR%\mmsg\mcAfee.Update.exe.exe"
• "KasperskiLab"="%WINDIR%\Config\Easy.Windows.Monitoring.exe.exe"
• "MsnMsgr"="%PROGRAM FILES%\MSN Messenger\MsnMsgr.Exe .exe"
• "MSMSGS"="%PROGRAM FILES%\Messenger\msmsgs.exe .exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "HotKeysCmds"="%WINDIR%\Config.system.update.exe.exe"

The following registry keys are added in order to load the services after reboot:
– [HKLM\SYSTEM\ControlSet001\Services\srservice]
• "Type"=dword:00000020
• "Start"=dword:00000002
• "ErrorControl"=dword:00000001
• "ImagePath"=%SYSDIR%\svchost.exe
• "DisplayName"="System Restore Service"
• "DependOnService"=RpcSs
• "DependOnGroup"=%hex values%
• "ObjectName"="LocalSystem"
• "Description"="Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties"
– [HKLM\SYSTEM\ControlSet001\Services\srservice\Parameters]
• "ServiceDll"=%SYSDIR%\srsvc.dll
– [HKLM\SYSTEM\ControlSet001\Services\srservice\Security]
• "Security"=%hex values%
– [HKLM\SYSTEM\ControlSet001\Services\srservice\Enum]
• "0"="Root\\LEGACY_SRSERVICE\\0000"
• "Count"=dword:00000001
• "NextInstance"=dword:00000001
– [HKLM\SYSTEM\ControlSet001\Services\ERSvc]
• "DependOnService"=RpcSs
• "Description"="Allows error reporting for services and applictions running in non-standard environments."
• "DisplayName"="Error Reporting Service"
• "ErrorControl"=dword:00000000
• "ImagePath"=%SYSDIR%\ERSvc.exe
• "ObjectName"="LocalSystem"
• "Start"=dword:00000002
• "Type"=dword:00000020
– [HKLM\SYSTEM\ControlSet001\Services\ERSvc\Parameters]
• %SystemRoot%\System32\ersvc.dll
– [HKLM\SYSTEM\ControlSet001\Services\ERSvc\Security]
• "Security"=%hex values%
– [HKLM\SYSTEM\ControlSet001\Services\ERSvc\Enum]
• "0"="Root\\LEGACY_ERSVC\\0000"
• "Count"=dword:00000001
• "NextInstance"=dword:00000001

The following registry key is added:
– [HKCU\Identities\%CLSID%\Software\Microsoft\Outlook Express\5.0\Mail]
• "Warn on Mapi Send"=dword:00000000

The following registry keys are changed:
– [HKCU\Software\Policies\Microsoft\Windows\System]
New value:
• "DisableCMD"=dword:00000001

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• "DisableRegistryTools"=dword:00000001
• "DisableTaskMgr"=dword:00000001

Email
It uses the Messaging Application Programming Interface (MAPI) to send emails. The characteristics are described below:

Subject:
One of the following:
• %random character string%,your name is listed in terrorism organisation..!!!
• %random character string%,this file from me,%random character string%,
• %random character string%,Namamu termasuk dalam daftar terrorist..!!

Body:
– In some cases it may contain random characters. The body of the email is one of the following:
• This attachment contain listname of terrorist..!!! hope you can be carrefull if you find one of them..!!!! or you can reply this email to me after you read the attachment thank's...!!!
• jika anda nggak percaya atau kurang yakin, coba baca list attachment ini..!!! ini sangat urgent..!!!! saya harap dengan begini kita nggak ada salah paham thank's...!!!
• if you are not sure, please read attachment bellow, and please reply to me..!!! this message is very urgent..!!!! hope we don't have miss understanding thank's...!!!

Attachment:
The filename of the attachment is one of the following:
• %random character string%.zip
• %random character string%.exe
• listname_of_terrorist.exe
The .exe attachment is a copy of the malware itself; the .zip attachment is an archive containing a copy of the malware itself.

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.
IP address generation:
It generates random IP addresses while keeping the first two octets of its own address. Afterwards it tries to establish a connection with the generated addresses.

Process termination
List of processes that are terminated:
• cmd.exe; mmc.exe; msconfig.exe; MIRC.EXE; MIRC.exe; mirc.exe; EXCEL.EXE; EXCEL.exe; excel.exe; WINWORD.EXE; WINWORD.exe; winword.exe

File details
Compilation date:
Date: 28/02/2006
Time: 13:51:45
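The Run entries, lock-out policies and hijacked service keys listed above can be checked offline against a registry export (regedit's .reg format). The following is an added example, not part of the Avira description; it assumes an XP-style layout (C:\WINDOWS, C:\WINDOWS\system32) when expanding %WINDIR%/%SYSDIR%, and the .reg sample is constructed.

```python
import re
# Indicators from the description above; %WINDIR%/%SYSDIR% expansion assumes XP defaults.
RUN_ENTRIES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "mcAfee.Instan.Update": r"%WINDIR%\mmsg\mcAfee.Update.exe.exe",
        "KasperskiLab": r"%WINDIR%\Config\Easy.Windows.Monitoring.exe.exe"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "HotKeysCmds": r"%WINDIR%\Config.system.update.exe.exe"}}
POLICIES = {  # lock-out values the worm sets to 1
    r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System": ["DisableCMD"],
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        ["DisableRegistryTools", "DisableTaskMgr"]}
# Genuine srservice/ERSvc are svchost-hosted DLLs; a standalone EXE ImagePath is the tell.
SERVICES = [r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\srservice",
            r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc"]
def norm(path):  # expand macros to the assumed host layout, compare case-insensitively
    return path.replace("%WINDIR%", r"C:\WINDOWS").replace("%SYSDIR%", r"C:\WINDOWS\system32").lower()

def parse_reg(text):  # minimal .reg export parser -> {key: {name: value}}, dword -> int
    keys, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and (m := re.match(r'"([^"]+)"=(?:"(.*)"|dword:(\w{8}))$', line)):
            name, s, d = m.groups()
            cur[name] = int(d, 16) if d else s.replace("\\\\", "\\")  # .reg doubles backslashes
    return keys

def find_indicators(reg):  # list the Minusia.A persistence artifacts found in a parsed export
    hits = []
    for key, entries in RUN_ENTRIES.items():
        for name, path in entries.items():
            if norm(str(reg.get(key, {}).get(name, ""))) == norm(path):
                hits.append(f"run:{name}")
    for key, names in POLICIES.items():
        hits += [f"policy:{n}" for n in names if reg.get(key, {}).get(n) == 1]
    for key in SERVICES:
        image = str(reg.get(key, {}).get("ImagePath", ""))
        if image and "svchost.exe -k" not in image.lower():
            hits.append("service:" + key.split("\\")[-1])
    return hits
# Constructed sample export: one benign Run entry plus three worm artifacts.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"mcAfee.Instan.Update"="C:\\WINDOWS\\mmsg\\mcAfee.Update.exe.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ERSvc]
"ImagePath"="C:\\WINDOWS\\system32\\ERSvc.exe"
"""
```

Run `find_indicators(parse_reg(open("export.reg", encoding="utf-16").read()))` on a real regedit export (regedit writes UTF-16); the MsnMsgr/MSMSGS decoy entries can be added to RUN_ENTRIES in the same way.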
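The subject lines above are a random prefix followed by a fixed tail, which makes them easy to anchor in a mail-gateway rule; the body fragments and the attachment names add two independent traits. The following is an added example, not part of the Avira description; it uses only the standard library's email API and the message it builds is constructed (the attachment bytes are a stub, not the worm).

```python
import re
from email.message import EmailMessage

# Subject templates from the description: a random prefix followed by one fixed tail.
SUBJECT_RE = re.compile(
    r"(,your name is listed in terrorism organisation\.\.!!!"
    r"|,this file from me,[^,]*,"
    r"|,Namamu termasuk dalam daftar terrorist\.\.!!)$")
# Distinctive fragments of the three body texts (spelling kept exactly as the worm sends it).
BODY_MARKERS = ("This attachment contain listname of terrorist",
                "coba baca list attachment ini",
                "please read attachment bellow")

def minusia_traits(msg):
    """Return the Minusia.A traits found in an EmailMessage; two or more is a strong match."""
    traits = []
    if SUBJECT_RE.search(msg.get("Subject", "")):
        traits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and any(mk in body.get_content() for mk in BODY_MARKERS):
        traits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # The worm attaches itself as <random>.exe, <random>.zip or listname_of_terrorist.exe.
        if name == "listname_of_terrorist.exe" or name.endswith((".exe", ".zip")):
            traits.append("attachment:" + name)
    return traits

def build_sample():
    """Constructed message mimicking the description; attachment bytes are a harmless stub."""
    msg = EmailMessage()
    msg["Subject"] = "gkq7zt,your name is listed in terrorism organisation..!!!"
    msg["From"] = "someone@example.net"
    msg["To"] = "you@example.org"
    msg.set_content("This attachment contain listname of terrorist..!!! hope you can be "
                    "carrefull if you find one of them..!!!!")
    msg.add_attachment(b"MZ-stub (constructed, not executable)", maintype="application",
                       subtype="octet-stream", filename="listname_of_terrorist.exe")
    return msg
```

Feed `email.message_from_bytes(raw, policy=email.policy.default)` into `minusia_traits` for real messages; a lone `.exe`/`.zip` attachment trait is not specific to this worm, so act on it only together with the subject or body trait.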
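The network behaviour above (random targets that keep the first two octets of the infected host's address) shows up in connection logs as one host fanning out to many distinct addresses scattered across many /24s inside its own /16. The following is an added example, not part of the Avira description; the firewall-style log format and the sample lines are constructed, and the thresholds are assumptions to tune per network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log format (assumption; adapt the regex to your own connection log source).
LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)")

def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:
            yield m.groupdict()

def same_first_two_octets(a, b):
    """The worm keeps the first two octets of its own address when generating targets."""
    return ipaddress.ip_address(a).packed[:2] == ipaddress.ip_address(b).packed[:2]

def scan_candidates(lines, min_hosts=8, min_subnets=4):
    """Return {src: (distinct_hosts, distinct_24s)} for sources spraying their own /16."""
    hosts, subnets = defaultdict(set), defaultdict(set)
    for rec in parse(lines):
        src, dst = rec["src"], rec["dst"]
        if same_first_two_octets(src, dst):
            hosts[src].add(dst)
            subnets[src].add(ipaddress.ip_address(dst).packed[2])  # third octet = /24
    return {s: (len(hosts[s]), len(subnets[s])) for s in hosts
            if len(hosts[s]) >= min_hosts and len(subnets[s]) >= min_subnets}

# Constructed sample: 10.1.5.7 behaves like the worm, 10.1.5.20 talks to a few local servers.
SAMPLE_LOG = [f"2006-03-22T10:00:{i:02d} src=10.1.5.7 dst=10.1.{(i * 17) % 256}.{(i * 53) % 256}"
              for i in range(1, 13)] + [
    "2006-03-22T10:00:30 src=10.1.5.20 dst=10.1.5.1",
    "2006-03-22T10:00:31 src=10.1.5.20 dst=10.1.5.2",
    "2006-03-22T10:00:32 src=10.1.5.20 dst=10.1.6.3",
    "2006-03-22T10:00:33 src=10.1.5.20 dst=203.0.113.9",
    "2006-03-22T10:00:34 src=10.1.5.20 dst=10.1.5.2",
]

if __name__ == "__main__":
    print(scan_candidates(SAMPLE_LOG))
```

A production version would bucket by time window and weight unanswered connection attempts more heavily, since randomly generated addresses are mostly unused.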
Description inserted by Andrei Ivanes on Wednesday, March 22, 2006
Description updated by Andrei Ivanes on Friday, September 21, 2007