Win32.Worm.Mexer.E Virus

This is a discussion on Win32.Worm.Mexer.E Virus within the Warcraft 3 forum board, part of the Hot Games category.

  1. #1
    PlayerH (Premium Member, joined Apr 2007)

    Win32.Worm.Mexer.E Virus


    Win32.Worm.Mexer.E

    Spreading: VERY LOW
    Damage: MEDIUM
    Size: 30,720 bytes (UPX packed), 64,512 bytes unpacked
    Discovered: 2004 Sep 21

    SYMPTOMS:
    - Presence of the folder C:\sysnet

    - Presence of the following file in the C:\sysnet folder:

    Ruby31.exe (30,720 bytes)

    - Presence of many copies of Ruby31.exe (30,720 bytes) in the C:\sysnet folder under various names

    - Presence of the following registry keys or entries:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Ruby13"="c:\sysnet\Ruby13.exe"


    where %WINDOWS% points to the Windows folder (or WinNT on Windows NT based systems) and %SYSTEM% points to the "System" folder on Windows 9x systems and the "System32" folder on WinNT systems.

    TECHNICAL DESCRIPTION:
    The virus spreads through e-mail and also through the Kazaa and Imesh networks.
    It usually arrives via e-mail. The mail format is as follows:

    From: (spoofed)
    To: (harvested addresses)

    Subject: EBAY Information
    Body: EBAY Installer...
    Attachment: EBAY.exe

    Subject: VISA Information
    Body: Security Tool...
    Attachment: VISA.EXE

    Subject: Provider Information
    Body: New account data...
    Attachment: PROVIDER.EXE


    Subject: Your Crack
    Body: Here is your crack!
    Attachment: (one of the copies of the virus)


    Subject: Internet Information
    Body: New account data...
    Attachment: INTERNET.EXE
    When the virus is run, it does the following:

    1. Displays the following message:

    Ruby V1.3
    Serial: %random%
    File crack...

    Note: %random% is a random number (e.g. Serial: 41365345)


    2. Creates the C:\sysnet folder, where it creates copies of itself as:

    A+ Certification Test.exe
    Borland KeyGens.exe
    BurnDvds.exe
    Cisco Certification Test.exe
    Counter-Strike, Condition Zero - Activation Key.exe
    Counterstrike aim hack.exe
    Counterstrike hacks.exe
    Crack McAfee 7.exe
    Crack Norton 3000.exe
    Diablo 2 map hack.exe
    Diablo 2 no-cd hack.exe
    Dvd Ripper.exe
    Dvd To Vcd.exe
    Easy Dvd Ripper.exe
    EZ Dvd Ripper.exe
    icqbomber.exe
    Information.exe
    MP3 encoder decoder V1.8.exe
    MSCE Certification Test.exe
    Nero Burning ROM v6.3 Ultra - Enterprise edition key.exe
    Nimo Codec Pack Updater.exe
    PANDA.AVers.lusers.exe
    PANDA.lusers.exe
    s Diablo 2 hero editor.exe
    SophosCrackAllVersion.exe
    Starcraft + Broodwar 1.10 map hack.exe
    Starcraft + Broodwar 1.10 no-cd hack.exe
    The Frozen Throne map hack.exe
    Warcraft 3 Frozen Throne cd-cd hack.exe
    Warcraft 3 Frozen Throne map hack.exe
    Warcraft 3 map hack.exe
    Warcraft 3 no-cd hack.exe
    Warcraft 3 stat hack.exe
    Windows Nt Certification Test.exe
    XBOX X-Fer Ripper and Transfer.exe
    Xvid Codec Installer.exe

    It also creates copies of itself by adding

    Keygen.exe
    Serial.exe
    NoCD.exe
    Crack.exe

    to the names:

    Adobe Photoshop CS and ImageReady CS 8.0
    Airport Tycoon II -
    All Adobe Products
    All Macromedia Products
    All Microsoft Products
    American Conquest -
    Apache AH-64 Air Assault -
    Battlefield 1942 The Road to Rome -
    Battlefield Vietnam -
    BitDefender
    Bridge Baron 13
    Command and Conquer Generals
    Deus Ex -
    Divx Pro 5.1
    Doom 3 -
    Dvd Plus
    Dvd Wizard Pro
    Dvd Xcopy
    DvdCopyOne
    DvdToVcd
    Easy Dvd creator
    Eonix Realm Of Hepmia -
    Fetish Fighters -
    Forbidden Siren -
    Freelancer -
    Grom -
    Harry Potter and the Prisoner of Azkaban KeyGen and
    Harry Potter und der Gefangene von Askaban
    I Was An Atomic Mutant -
    IGI-2 Covert Strike -
    Impossible Creatures -
    Ipswich Town Official Management Game -
    Jamella
    Kazaa all
    Microsoft Windows XP Professional
    Nascar Racing 2003 Season
    Nero Burning Rom
    Nod32
    Norton AntiVirus 2004 Pro Activation Key &
    Norton AntiVirus 2005
    Norton Internet Security 2004 Keygen &
    Norton Internet Security 2004 Pro
    Norton Internet Security 2005 Pro
    Office XP Universal
    Private Nurse -
    Robot Arena Design And Destroy -
    Serious Sam - Gold Edition -
    Shadow of Memories -
    Shrek 2
    Sim City 4 -
    Slot City 3
    Spellforce - Breath of Winter
    Spider-Man 2
    Symantec Antivirus 2005
    Symantec Internet Secutiy 2005
    Test Drive -
    The Campaigns of La Grande Armee -
    The Emperors Mahjong -
    Tom Clancys Splinter Cell -
    Tombstone 1882 -
    Unreal II The Awakening -
    WinACE
    Windows Server 2003
    WinRAR 3
    WinZIP 9
    World Of Outlaws Sprint Car Racing 2002 -
    Zone Alarm 5.0 pro

    (example: Zone Alarm 5.0 pro Crack.exe, BitDefender Keygen.exe)

    3. Sets the default Kazaa and Imesh download/shared folder to c:\sysnet

    4. Creates the registry entry

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Ruby13"="c:\sysnet\Ruby13.exe"

    in order to run at startup.

    5. Starts harvesting e-mail addresses from files matching:

    *.wab
    *.dbx
    *.htm
    *.sht
    *.txt
    *.doc
    *.rtf

    but avoiding e-mail addresses containing:

    supp
    webm
    viru
    newv
    kasp
    micr
    root
    admi
    host

    It then sends itself to each e-mail address found, in the e-mail format described above, using its own SMTP engine.

    6. May display a message:

    Ruby V1.3, (c)BI 16.08.2004
    Fight against MICROSOFT and make a virus!
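    The indicators in the post above (the C:\sysnet folder, 30,720-byte .exe copies, the Run-key entry pointing into c:\sysnet, and the lure subject/attachment pairs) can be turned into a quick host and mail check. The script below is an added example, not part of the original post or of any vendor's removal tool. It assumes the sizes, names and registry path exactly as listed in the post; the drive_root argument stands in for C:\ so the check can be exercised against a constructed sample tree, and the Run-key contents used in run_demo() are constructed, not read from a real machine (read_run_key_windows() does read the real key when run on Windows).

```python
"""Host-side check for the Win32.Worm.Mexer.E indicators listed in the post above.
Added example; indicator values are taken from the description, everything else is
an assumption made for illustration."""
import tempfile
from pathlib import Path

PACKED_SIZE = 30_720                # bytes, size of the UPX-packed copy per the post
SYSNET_DIR = "sysnet"               # the worm creates this as C:\sysnet
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
LURE_SUBJECTS = {                   # subjects listed in the post, compared case-insensitively
    "ebay information", "visa information", "provider information",
    "your crack", "internet information",
}


def find_sysnet_copies(drive_root):
    """Return every *.exe of exactly PACKED_SIZE bytes under <drive_root>/sysnet.
    drive_root stands in for C:\\ so the check can run against a test tree."""
    sysnet = Path(drive_root) / SYSNET_DIR
    if not sysnet.is_dir():
        return []
    return sorted(
        p.name for p in sysnet.iterdir()
        if p.is_file() and p.suffix.lower() == ".exe" and p.stat().st_size == PACKED_SIZE
    )


def suspicious_run_entries(run_values):
    """Flag Run-key values that launch anything from the sysnet folder, or whose
    value name starts with 'Ruby' (the post lists 'Ruby13' as the value name).
    run_values maps value name -> command string."""
    hits = {}
    for name, command in run_values.items():
        cmd = command.strip().strip('"').lower()
        if "\\sysnet\\" in cmd or name.lower().startswith("ruby"):
            hits[name] = command
    return hits


def is_lure_mail(subject, attachment):
    """Match the subject/attachment combinations the worm uses for its mailings."""
    return subject.strip().lower() in LURE_SUBJECTS and attachment.lower().endswith(".exe")


def read_run_key_windows():
    """On Windows, read the real HKLM Run key; elsewhere return {} so the script still runs."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # EnumValue raises OSError when no values remain
                break
            values[name] = str(data)
            index += 1
    return values


def build_sample_tree(root):
    """Constructed sample: an infected-looking sysnet folder with decoys that must not match."""
    sysnet = Path(root) / SYSNET_DIR
    sysnet.mkdir()
    for name in ("Ruby31.exe", "Warcraft 3 map hack.exe", "BitDefender Keygen.exe"):
        (sysnet / name).write_bytes(b"\x00" * PACKED_SIZE)
    (sysnet / "readme.txt").write_bytes(b"not a worm")        # wrong extension
    (sysnet / "other.exe").write_bytes(b"\x00" * 1024)        # wrong size


def run_demo():
    """Build the constructed tree in a temp dir and return the results of all three checks."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        files = find_sysnet_copies(tmp)
    # Constructed Run-key contents: the worm's entry next to a legitimate-looking one.
    run_values = {
        "Ruby13": r"c:\sysnet\Ruby13.exe",
        "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    }
    return {
        "files": files,
        "run_hits": suspicious_run_entries(run_values),
        "lure": is_lure_mail("EBAY Information", "EBAY.exe"),
        "not_lure": is_lure_mail("Meeting notes", "agenda.pdf"),
    }


if __name__ == "__main__":
    result = run_demo()
    result["live_run_hits"] = suspicious_run_entries(read_run_key_windows())
    for key, value in result.items():
        print(f"{key}: {value}")
```

    Run it on a Windows host to also check the live Run key; on other systems only the constructed sample is evaluated. The size match is deliberately exact, since the post gives a single packed size, so a repacked variant would need the size list widened or a hash-based check instead.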

  2. #2
    Caramba (Premium Member, Germany, joined Feb 2007)

    Re: Win32.Worm.Mexer.E Virus

    Can you attach it, no?

  3. #3
    PlayerH (Premium Member, joined Apr 2007)

    Re: Win32.Worm.Mexer.E Virus

    lol
