Alias: Win32.Antiman.A@mm (Bit Defender), Email-Worm.Win32.Antiman.a (Kaspersky), WORM_ANTIMAN.F (Trend Micro), W32/Antiman.A.worm (Panda), W32.Antiman.A@mm (Symantec), W32/Antiman-A (Sophos)
Type: Worm
Size: 210.944 bytes
Origin:
Date: 06-07-2005
Damage:
VDF Version: 6.31.0.16
Danger: Low
Distribution: Low
General Description
Affected Platforms:
* Windows 95
* Windows 98
* Windows ME
* Windows NT
* Windows 2000
* Windows XP
* Windows Server 2003
Distribution
The worm gathers email addresses from the Outlook address book of the infected computer and sends itself to them. It also scans the Yahoo Messenger log files for email addresses, and sends itself to every person in the contact list for whom a log file (message archive) exists.
It tries to send itself using the Outlook SMTP server of the infected machine or one of the following servers:
The emails sent by the virus contain Romanian text and take one of the following forms:
-FROM: <%spoofed%>
SUBJECT: Poza de la mare...
BODY: Ti-am trimis ultima poza de la mare. Asta e?
ATTACHMENT: scan_picture_0001._JPG.exe
-FROM: <%spoofed%>
SUBJECT: Antivirus
BODY: Asta e ultimul antivirus. Ar trebui sa rezolve toate problemele.
ATTACHMENT: antivirus.exe
-FROM: <%spoofed%>
SUBJECT: Sex in camin
BODY: Ioana, sex in grup in camin. Cred ca o stii si tu
ATTACHMENT: ioana_divx._AVI.exe
-FROM: <%spoofed%>
SUBJECT: Faza cu camila
ATTACHMENT: camila.exe
-FROM: <%spoofed%>
SUBJECT: De ce mor mai repede curiosii...
BODY: Nu deschide acest mesaj! E numai pentru persoanele prea curioase!
ATTACHMENT: curiosii.exe
-FROM: <%spoofed%>
SUBJECT: Antimanele
BODY: Daca sunteti nu mai suportati manelele la servici, tramvai, taxi, metrou, etc., trimiteti acest mesaj la toti prietenii dvs. ! Va multumesc (din suflet).
ATTACHMENT: antimanele.exe
-FROM: <%spoofed%>
SUBJECT: Votati astazi!
BODY: Credeti ca ar fi mai bine ca Romania sa-si retraga trupele din Irak anul acesta? Deschideti programul Vot, alegeti votul dvs. si vedeti rezultatele. Parerea dvs. conteaza!
ATTACHMENT: <%sysdate%>.exe
-FROM: <%spoofed%>
SUBJECT: Cu sau fara Manele ?
BODY: Credeti ca ar fi mai bine ca manelele sa fie interzise in Romania? Deschideti programul de votare, alegeti votul dvs. si vedeti rezultatele. Parerea dvs. conteaza!
ATTACHMENT: vot_manele.exe
-FROM: <%Spoofed%>
SUBJECT: Pentru Ionel
BODY: Draga Ionel, Scuza-ma ca nu ti-am mai scris de mult timp, dar am avut ceva probleme cu calculatorul. Ti-am promis ultima data pe chat o poza cu mine dezbracata... m-am gandit mult la asta si cred ca pana la urma cel mai bine e sa-ti trimit o poza. Sper sa-ti placa. Daca nu o sa-mi mai scrii dupa mesajul asta, o sa te inteleg... Roxana,
ATTACHMENT: poza_roxana._JPG.exe
-FROM: <%spoofed%>
SUBJECT: Cum a murit Papa?
BODY: Film cu moartea papei. Toate drepturile rezervate. Este interzisa modificarea continutului. Poate fi redistribuit. Asociatia Catolicilor Anonimi din Romania.
ATTACHMENT: film_papa._avi._divx_.exe
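A mail-gateway check for the attachment naming pattern in the messages listed above (a media-style pseudo-extension such as `._JPG` followed by `.exe`), given here as an added example that is not part of the original description. The extension sets, function names and sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Assumed policy sets for this example (not taken from the description above).
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd"}
DECOY = r"jpe?g|avi|divx|bmp|mpe?g|mp3|wma"
# A media-style pseudo-extension at the end of the stem, e.g. "._jpg" or "._divx_".
DECOY_RE = re.compile(r"\.[_ ]*(?:%s)[_ .]*$" % DECOY)

def classify_attachment(filename):
    """Return 'decoy-executable', 'executable' or 'ok' for one attachment name."""
    # Windows drops trailing dots and spaces, so normalise them away first.
    name = filename.strip().lower().rstrip(". ")
    stem, dot, ext = name.rpartition(".")
    if not dot or ext not in EXECUTABLE_EXT:
        return "ok"
    return "decoy-executable" if DECOY_RE.search(stem) else "executable"

def scan_message(raw):
    """List (filename, verdict) for every flagged attachment in a raw message."""
    findings = []
    for part in message_from_string(raw).walk():
        filename = part.get_filename()
        if filename and classify_attachment(filename) != "ok":
            findings.append((filename, classify_attachment(filename)))
    return findings

# Constructed sample message modelled on the first template listed above.
SAMPLE = """\
From: sender@example.test
To: user@example.test
Subject: Poza de la mare...
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Ti-am trimis ultima poza de la mare. Asta e?
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="scan_picture_0001._JPG.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
```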
The FROM section is spoofed and can be one of the following:
Technical Details
If the virus is executed and there is no disk in the floppy drive, the virus displays the following error message:
"There is no disk in drive. Please insert a disk into drive A:"
The file "startwin.exe" is created in order to start the virus automatically at each system reboot.
The virus sets the file "funny.scr" as the default screensaver.
It also creates the file "m.txt" which is used by the virus to log its actions.
It scans the local drives of the infected computer looking for files and folders containing the following strings (which are the names of well-known Romanian "manelisti" artists and their songs):
Liviu Guta
Liviu_Guta
Nicolae Guta
Nicolae_Guta
Copilul de aur
Copilul_de_aur
adi de la valcea
adi_de_la_valcea
adi de vito
ady de vito
florin salam
florin_salam
adrian & camy
stana isbasa
adrian cm
adrian copilul minune
adrian_copilul_minune
alina si costi
copilul de aur
dani de la deva
gabi din buzau
gabi de la giulesti
liviu pustiu
guta jr
guta & sorina
printesa ionela
don genove
jean de la craiova
cristian gusatu
ovidiu mititelu
sorinel pustiu
lucian seres
mihaela minune
minodora
n. guta
n.guta
nico cu carbon
nico_cu_carbon
sile dorel
vali vijelie
carmen serban
petrica cercel
nicu paleru
cata boss
liviu_guta
stefan de la barbulesti
florin peste
liviu cu mirela
sorina & florinel
puiu codreanu
catalin de la buzau
daniel dinescu
relu pustiu
victor spaniolu
vali raicu
adi caval
carmen dobre
sorinel copilu de aur
as da zile de la mine
sunt seful vostru pana mor
chefdechef
chef de chef
dusmanii mei
plange sufletul
jumatate tu, jumatate eu
ce le-nnebuneste pe femei
sa cante manelele
manele
and one of the following extensions:
.mp3
.wma
.avi
.wav
.mid
.midi
.asf
.mpg
.mpeg
.jpeg
.jpg
.bmp
.rar
.zip
.ace
If it finds such files, the virus deletes them.
Description inserted by Crony Walker on Tuesday, June 15, 2004