
VIRUS NAME : W32/Floodnet@MM

Virus Characteristics

This threat has a risk assessment of Low-Profiled, as media interest was sparked by a recent news report on Incidents.org.

This is a remote access trojan and worm. When run, it attempts to send a message to the alias "All Users" using Microsoft Outlook. If this address is not present in a local or global address book, or not an alias on the specified SMTP server, then the message will not get sent. Otherwise, the following message is sent:

Subject: Thoughts...
Body: I just found this program, and, i dont know why...but it reminded me of you. check it out.
Attachment: Cute.exe (228,352 bytes)

When the attachment is run, a copy is saved to the WINDOWS directory as KERNEL32.EXE and two registry keys are created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows=C:\WINDOWS\KERNEL32.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows=C:\WINDOWS\KERNEL32.EXE

Two INI keys are also created:

SYSTEM.INI - [boot]\shell=explorer.exe C:\WINDOWS\KERNEL32.EXE
WIN.INI - [windows]\load=C:\WINDOWS\KERNEL32.EXE

The worm looks for the following security programs (including anti-virus and firewall programs) in memory and terminates them if found:

Anti-Trojan.exe
ANTS.EXE
APLICA32.EXE
AVCONSOL.EXE
AVP.EXE
AVP32.EXE
AVP32.EXE
AVPCC.EXE
AVPCC.EXE
AVPM.EXE
AVPM.EXE
blackd.exe
blackice.exe
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
cleaner.exe
cleaner3.exe
expl32.exe
FRW.EXE
iamapp.exe
iamserv.exe
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IFACE.EXE
LIBUPDATE.EXE
lockdown2000.exe
minilog.exe
MooLive.exe
MPGSRV32.EXE
Mssmmc32.exe
NAVAPW32.EXE
NAVW32.EXE
nvarch16.exe
PCFWallIcon.EXE
RunDii.exe
RunDIl.exe
rundli.exe
SAFEWEB.EXE
Sphinx.exe
tca.exe
TDS2-.EXE
TDS2-.EXE
TEMP.EXE
VSECOMR.EXE
VSHWIN32.EXE
vsmon.exe
VSSTAT.EXE
WEBSCANX.EXE
WinDll.exe
WrAdmin.exe
WrCtrl.exe
zonealarm.exe

Terminating these programs helps conceal the actions of this threat.

The .VX extension is registered on the system:

HKEY_CLASSES_ROOT\.vx\(Default)=exefile
HKEY_CLASSES_ROOT\.vx\Content Type=application/x-msdownload
HKEY_CLASSES_ROOT\.vx\NeverShowExt=
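
The autorun entries, INI keys and .vx registration listed above can be checked for together. The following Python code is an added example, not part of the original description: it works on registry values and INI text passed in as data, and its function names and sample values are constructed for illustration. It matches the file name KERNEL32.EXE in any directory, which goes slightly beyond the C:\WINDOWS path shown above.

```python
import ntpath

DROPPED_NAME = "kernel32.exe"  # copy the worm saves to the WINDOWS directory

def ini_value(text, section, key):
    """Return the value of key in [section] of INI text ('' if absent)."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            if name.strip().lower() == key:
                return value.strip()
    return ""

def names_dropped_file(command):
    """True if any whitespace-separated token is a path ending in KERNEL32.EXE."""
    return any(ntpath.basename(t.strip('"')).lower() == DROPPED_NAME
               for t in command.split())

def find_traces(run_values, system_ini, win_ini, vx_values):
    """run_values: {key path: {value name: data}}; vx_values: values under HKCR\\.vx."""
    hits = []
    for key, values in run_values.items():
        hits += [f"{key}\\{n}" for n, d in values.items() if names_dropped_file(d)]
    if names_dropped_file(ini_value(system_ini, "boot", "shell")):
        hits.append("SYSTEM.INI [boot] shell")
    if names_dropped_file(ini_value(win_ini, "windows", "load")):
        hits.append("WIN.INI [windows] load")
    if vx_values.get("(Default)", "").lower() == "exefile":
        hits.append(r"HKEY_CLASSES_ROOT\.vx")
    return hits

# Constructed sample data (not captured from a real machine).
HKLM = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
INFECTED = dict(
    run_values={HKLM + r"\Run": {"Windows": r"C:\WINDOWS\KERNEL32.EXE", "SystemTray": "SysTray.Exe"},
                HKLM + r"\RunServices": {"Windows": r"C:\WINDOWS\KERNEL32.EXE"}},
    system_ini="[boot]\nshell=explorer.exe C:\\WINDOWS\\KERNEL32.EXE\n",
    win_ini="[windows]\nload=C:\\WINDOWS\\KERNEL32.EXE\nrun=\n",
    vx_values={"(Default)": "exefile", "NeverShowExt": ""},
)
CLEAN = dict(run_values={HKLM + r"\Run": {"SystemTray": "SysTray.Exe"}},
             system_ini="[boot]\nshell=explorer.exe\n", win_ini="[windows]\nload=\n",
             vx_values={})

if __name__ == "__main__":
    for label, sample in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, find_traces(**sample))
```

Paths containing spaces are not handled by the whitespace split; the entries listed above contain none.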

An attacker can send various commands to the infected machine. The commands include:

Sending instant messages via MSN Messenger and AOL Instant Messenger
Sending email
Flood commands, to initiate a denial of service attack
Various IRC commands (join/part channels, privmsg, etc.)
FTP commands (file access, copy, move, delete)

Symptoms

Presence of %WinDir%\KERNEL32.EXE (228,352 bytes)
A fake error message may be displayed

Method Of Infection

This virus arrives as a UPX-packed Delphi executable. When run, it acts as a remote access server and worm.
