Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:Worm/Scano.O.2
Date discovered:04/05/2006
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:Yes
File size:18.084 Bytes
MD5 checksum:a05bcd12683a646af7b4ff59ce555f7a
VDF version:6.34.01.36
IVDF version:6.34.01.37 - Thursday, May 4, 2006

 General Method of propagation:
   • Email


Aliases:
   •  Mcafee: W32/Areses.h
   •  TrendMicro: WORM_ARESES.S
   •  Sophos: W32/Bagle-IU
   •  VirusBuster: I-Worm.Scano.U
   •  Eset: Win32/Scano.V
   •  Bitdefender: Win32.Scano.O@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Uses its own Email engine
   • Registry modification

 Files It copies itself to the following location:
   • %WINDIR%\csrss.exe



It copies itself within an archive to the following location:
   • %TEMPDIR%\Message.zip




It tries to download some files:

The location is the following:
   • http://207.46.250.119/g/**********
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://www.microsoft.com/g/**********
At the time of writing this file was not online for further investigation.

The location is the following:
   • http://84.22.161.192/s/**********
At the time of writing this file was not online for further investigation.



It tries to executes the following files:

Filename:
   • %SYSDIR%\services.exe
using the following command line arguments: %WINDIR%\csrss.exe
Used to hide the process from Task Manager.

Filename:
   • %SYSDIR%\svchost.exe
using the following command line arguments: %WINDIR%\csrss.exe

 Registry The following registry key is added in order to run the process after reboot:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\explorer.exe
   • "Debugger"="%WINDIR%\csrss.exe"



The values of the following registry keys are removed:

–  HKLM\SYSTEM\ControlSet002\Control\Session Manager\
   PendingFileRenameOperations
–  HKLM\SYSTEM\ControlSet002\Control\Session Manager\BootExecute

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Email addresses found in specific files on the system.
 Email addresses gathered from WAB (Windows Address Book)


Subject:
One of the following:
   • Hi, what's up?
   • He, where are you?
   • Hi, drop me a line!!!
   • Hi! Please write to me urgently!
   • Hi! I'm waiting you online today!
   • Will you be online today?
   • When you're gonna answer me?
   • Re: write to me!
   • Re: Call me!
   • Re: Where are you?
   • Re: When you're gonna answer me?
   • Hi!!! How's the mood?
   • Re: How's the mood?
   • Re: Where have you been?



Body:
–  In some cases it may be empty.


The body of the email is one of the following:

   • Hi!!!!! You haven't been writing for a long time. I began to worry) Where have you been? You remember, you've asked a progy from me? I've finally found it, so here it is. Check it out if this is what you've been looking for... bye

   • Hi, what's up? Will you show up online today?
     Drop me a line in ICQ, ok? Btw, I'm sending you the docs you've been looking for, find them attached. Check them out, ok?

   • Hi!
     I'm coming to you tomorrow, ok? When you are going to be home?
     You remember, you've asked some docs. Please find them attached. Check and see what's inside. That's it. Bye, till tomorrow...

   • Hi!
     You disappeared again. If you come online, drop me a line, ok?
     Btw, I sent you those docs that you've been looking for. Check them out. Bye!

   • Hi, give me a call just when you got the message! I'm tired of waiting. Btw, I'm sending that program that you've been looking for. Check it out. Appears to be that one. Bye!

   • Hi, what's up? If you have time tomorrow, please come over. After midday. By the way, don't forget to check the enclosed documents. Bye. See you tomorrow.

   • Hi, I got a free day tomorrow, and I'm waiting for you. Please come after midday. By the way, I'm sending you the documents that you've been asking for. Read them out... Bye!

   • Hi, how are you? What are your plans today? If you have time, please come over, and don't forget to check the program attached. Bye!

   • Hi, what's you gonna do today? I'll come over tonight! By the way, don't give anyone this funny program I'm sending. Check it out. Bye!

   • Hi, I found that program you asked for. Find it attached. Bye.

   • Hi, I saw you around today, but you didn't noticed me ( If you're gonna be at home, give a call, ok? By the way, check this file I'm sending. A very interesting program...
     What's up! You haven't been writing for a long time
     I got news. I've finally that program you needed
     I'm sending it out. Use it. Bye!

   • Hi, drop me a line today, ok? And see the program I'm sending. Bye!

   • Hi, drop me a line if you can. Btw, I have a new ICQ. Please don't forget to check the attached documents. Bye.

   • Hi! How are you? Drop me a line if you can. I found your documents and I'm emailing them to you. Bye.


Attachment:
The filename of the attachment is one of the following:
   • Message.zip
   • File.zip
   • Document.zip
   • README.zip
   • Passwords.zip
   • Readme.zip
   • Important.zip
   • New.zip
   • COOL.zip
   • Archive.zip
   • Fotos.zip
   • private.zip
   • confidential.zip
   • secret.zip
   • images.zip
   • your_documents.zip
   • backup.zip

The attachment is an archive containing a copy of the malware itself.

 Mailing Search addresses:
It searches the following files for email addresses:
   • .adb; .asp; .cfg; .cgi; .mra; .dbx; .dhtm; .eml; .htm; .html; .jsp;
      .mbx; .mdx; .mht; .mmf; .msg; .nch; .ods; .oft; .php; .pl; .sht;
      .shtm; .stm; .tbb; .txt; .uin; .wab; .wsh; .xls; .xml; .dhtml


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • @microsoft; rating@; f-secur; news; update; .qmail; .gif; anyone@;
      bugs@; contract@; feste; gold-certs@; help@; info@; nobody@; noone@;
      0000; Mailer-Daemon@; @subscribe; kasp; admin; icrosoft; support;
      ntivi; unix; bsd; linux; listserv; certific; torvalds@; sopho; @foo;
      @iana; free-av; @messagelab; winzip; google; winrar; samples; spm111@;
      .00; abuse; panda; cafee; spam; pgp; @avp.; noreply; local; root@;
      postmaster@

 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Açıklamayı yerleştiren Irina Boldea tarihinde 7 Kasım 2006 Salı
Açıklamayı güncelleyen: Irina Boldea tarihinde 10 Kasım 2006 Cuma

Geri . . . .
https:// Bu pencere güvenlik amacıyla şifrelenmiştir.