

Discussion in 'General Marketing' started by ovi, Sep 26, 2004.

  1. ovi

    ovi Guest

    Name: Win32.Worm.Mexer.E
    Type: Executable Worm Mass Mailer
    Size: 30,720 bytes (UPX packed), 64,512 bytes unpacked
    Discovered: 21.09.2004
    Detected: 21.09.2004
    Spreading: Very low
    Damage: Medium
    - Presence of the folder C:\sysnet
    - Presence of the following file in the C:\sysnet folder:
    Ruby31.exe (30,720 bytes)
    - Presence of many copies of Ruby31.exe (30,720 bytes) in C:\sysnet folder under various names
    - Presence of the next registry keys or entries:
    where %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems)
    %SYSTEM% points to "System" folder on Windows 9x systems and "System32" folder on WinNT systems.

    Technical description:
    The virus spreads through e-mail and also Kazaa and Imesh networks.
    It usually arrives via e-mail. The mail format is as follows:

    From: (spoofed)
    To: (harvested addresses)

    Subject: EBAY Information
    Body: EBAY Installer...
    Attachment: EBAY.exe

    Subject: VISA Information
    Body: Security Tool...
    Attachment: VISA.EXE

    Subject: Provider Information
    Body: New account data...
    Attachment: PROVIDER.EXE

    Subject: Your Crack
    Body: Here is your crack!
    Attachment: (one of the copies of the virus)

    Subject: Internet Information
    Body: New account data...
    Attachment: INTERNET.EXE

    When the virus is run, it does the following:
    1. Displays the following message:
    Ruby V1.3
    Serial: %random%
    File crack...
    Note: %random% is a random number (e.g. Serial: 41365345)
    2. Creates C:\sysnet folder where it creates copies of itself as:
    A+ Certification Test.exe
    Borland KeyGens.exe
    Cisco Certification Test.exe
    Counter-Strike, Condition Zero - Activation Key.exe
    Counterstrike aim hack.exe
    Counterstrike hacks.exe
    Crack McAfee 7.exe
    Crack Norton 3000.exe
    Diablo 2 map hack.exe
    Diablo 2 no-cd hack.exe
    Dvd Ripper.exe
    Dvd To Vcd.exe
    Easy Dvd Ripper.exe
    EZ Dvd Ripper.exe
    MP3 encoder decoder V1.8.exe
    MSCE Certification Test.exe
    Nero Burning ROM v6.3 Ultra - Enterprise edition key.exe
    Nimo Codec Pack Updater.exe
    s Diablo 2 hero editor.exe
    Starcraft + Broodwar 1.10 map hack.exe
    Starcraft + Broodwar 1.10 no-cd hack.exe
    The Frozen Throne map hack.exe
    Warcraft 3 Frozen Throne cd-cd hack.exe
    Warcraft 3 Frozen Throne map hack.exe
    Warcraft 3 map hack.exe
    Warcraft 3 no-cd hack.exe
    Warcraft 3 stat hack.exe
    Windows Nt Certification Test.exe
    XBOX X-Fer Ripper and Transfer.exe
    Xvid Codec Installer.exe
    And also creates copies of itself by adding
    to the names:
    Adobe Photoshop CS and ImageReady CS 8.0
    Airport Tycoon II -
    All Adobe Products
    All Macromedia Products
    All Microsoft Products
    American Conquest -
    Apache AH-64 Air Assault -
    Battlefield 1942 The Road to Rome -
    Battlefield Vietnam -
    Bridge Baron 13
    Command and Conquer Generals
    Deus Ex -
    Divx Pro 5.1
    Doom 3 -
    Dvd Plus
    Dvd Wizard Pro
    Dvd Xcopy
    Easy Dvd creator
    Eonix Realm Of Hepmia -
    Fetish Fighters -
    Forbidden Siren -
    Freelancer -
    Grom -
    Harry Potter and the Prisoner of Azkaban KeyGen and
    Harry Potter und der Gefangene von Askaban
    I Was An Atomic Mutant -
    IGI-2 Covert Strike -
    Impossible Creatures -
    Ipswich Town Official Management Game -
    Kazaa all
    Microsoft Windows XP Professional
    Nascar Racing 2003 Season
    Nero Burning Rom
    Norton AntiVirus 2004 Pro Activation Key &
    Norton AntiVirus 2005
    Norton Internet Security 2004 Keygen &
    Norton Internet Security 2004 Pro
    Norton Internet Security 2005 Pro
    Office XP Universal
    Private Nurse -
    Robot Arena Design And Destroy -
    Serious Sam - Gold Edition -
    Shadow of Memories -
    Shrek 2
    Sim City 4 -
    Slot City 3
    Spellforce - Breath of Winter
    Spider-Man 2
    Symantec Antivirus 2005
    Symantec Internet Secutiy 2005
    Test Drive -
    The Campaigns of La Grande Armee -
    The Emperors Mahjong -
    Tom Clancys Splinter Cell -
    Tombstone 1882 -
    Unreal II The Awakening -
    Windows Server 2003
    WinRAR 3
    WinZIP 9
    World Of Outlaws Sprint Car Racing 2002 -
    Zone Alarm 5.0 pro

    (example: Zone Alarm 5.0 pro Crack.exe, BitDefender Keygen.exe)

    3. Sets the default Kazaa and Imesh download/shared folder to c:\sysnet

    4. Creates the registry entry


    in order to run at startup.

    5. Starts to harvest e-mail addresses in files matching:


    but avoiding e-mail addresses containing:


    And sends itself to each e-mail address found, in the e-mail format described above, using its own SMTP engine.

    6. May display a message:

    Ruby V1.3, (c)BI 16.08.2004
    Fight against MICROSOFT and make a virus!
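
A host-triage sketch for the symptoms listed in the post (the C:\sysnet folder, Ruby31.exe, and many 30,720-byte copies under different names), added here as an example; it is not part of the original post or of any vendor tool. The function names and the sample files are constructed for illustration, and because file size alone is a weak indicator the script also groups same-size executables by SHA-256 to surface byte-identical copies.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

PACKED_SIZE = 30720          # bytes: UPX-packed size given in the description
DROPPER_NAME = "ruby31.exe"  # file named in the description, compared case-insensitively

def triage_folder(folder):
    """Summarise the described symptoms for one folder (e.g. C:\\sysnet)."""
    report = {"exists": os.path.isdir(folder), "dropper_present": False,
              "suspect_files": [], "clone_groups": []}
    if not report["exists"]:
        return report
    by_hash = defaultdict(list)
    for entry in os.scandir(folder):
        name = entry.name
        if not entry.is_file(follow_symlinks=False) or not name.lower().endswith(".exe"):
            continue
        if entry.stat(follow_symlinks=False).st_size != PACKED_SIZE:
            continue  # only executables matching the reported size are of interest
        with open(entry.path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        by_hash[digest].append(name)
        report["suspect_files"].append(name)
        if name.lower() == DROPPER_NAME:
            report["dropper_present"] = True
    report["suspect_files"].sort()
    # Two or more names sharing one hash: the same binary copied under different names.
    report["clone_groups"] = sorted(sorted(n) for n in by_hash.values() if len(n) > 1)
    return report

def build_sample(root):
    """Constructed test data: harmless filler bytes, not malware."""
    folder = os.path.join(root, "sysnet")
    os.mkdir(folder)
    for name in ("Ruby31.exe", "Dvd Ripper.exe", "Warcraft 3 map hack.exe"):
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"A" * PACKED_SIZE)      # identical content under three names
    with open(os.path.join(folder, "same_size_other.exe"), "wb") as fh:
        fh.write(b"B" * PACKED_SIZE)          # same size, different content
    with open(os.path.join(folder, "notes.txt"), "wb") as fh:
        fh.write(b"unrelated")                # ignored: not an .exe
    return folder

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage_folder(build_sample(tmp)))
```

A non-empty `clone_groups` entry is the stronger signal; a lone file that merely matches the size should be checked by other means before it is treated as a copy.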
