I have just found this on FOUR computers on my Network!
WORM_REDIST.E is a non-destructive worm that spreads via email using Microsoft Outlook, and via peer-to-peer (P2P) file-sharing networks. It also has password-stealing capabilities. It runs on Windows 95, 98, ME, NT, 2000, and XP.
Upon execution, this worm displays the following message box:
Error Starting Progam
A required .DLL file, MSVBM60.DLL, was not found.
It drops the following copies of itself into the Windows folder:
Ircskins.skn
Msgsf32.exe
Msipxc32.exe
Scrset32.scr
Winscz32.exe
Winsetr32.exe
It drops the following copies of itself into the Windows system folder:
Icmpmgr32.exe
Lnkscrc32.scr
Msgmain32.exe
Msgsvc32.pif
Msrun32.exe
Svcmsg32.pif
Winlnkf32.pif
It drops the following copy into the Startup folder:
Startw32.pif
The worm creates registry entries that allow its dropped copy, WINSCZ32.EXE, to execute at every Windows startup.
This worm propagates by sending a copy of itself to all email addresses found in the infected user's address book. It uses Microsoft Outlook (MAPI) to send email with varying details. Samples of the email it sends are as follows:
Subject: A new screensaver
Message Body: Take a look at this new screensaver in the attachments that I downloaded from the internet a while ago. If you like it, try setting it as your system screensaver :) Cya!
Attachment: 3DFish.scr
Subject: Your file
Message Body: Here is that file that you asked for (in the attachments). Sorry that I sent it late, I had trouble finding it on the computer.
Attachment: Picture2.pif
This worm also attempts to propagate to other P2P and chat clients. To do so, it drops the following copies of itself:
Bruce Almighty (Downloader).pif
Legally Blonde 2 (Downloader).pif
Movie - Finding Nemo (Downloader).pif
Movie - Terminator 3 (Downloader).pif
Movie - The Hulk (Downloader).pif
Movie - The Italian Job (Downloader).pif
Sinbad - Legend of the Seven Seas (Downloader).pif
into the following paths, if they exist:
%Program Files%\BearShare\Shared
%Program Files%\Grokster\My Grokster
%Program Files%\ICQ\Shared Files
%Program Files%\Kazaa Lite\My Shared Folder
%Program Files%\Kazaa\My Shared Folder
%Program Files%\KMD\My Shared Folder
%Program Files%\Limewire\Shared
%Program Files%\Morpheus\My Shared Folder
%Program Files%\Overnet\Incoming
%Program Files%\Rapigator\Share
%Program Files%\Shareaza\Downloads
%Program Files%\Tesla\Files
%Program Files%\WinMX\My Shared Folder
%Program Files%\XoloX\Downloads
This worm also drops randomly named files into the following paths:
\My Music
\My Documents\My Music
This worm also attempts to capture and send cached passwords to a remote malicious user. This function only applies on systems running Windows 95 and 98, since the API used is not available on NT-based systems. It appears that the information is being sent to the following email address: Zed_rRlf@hotmail.com
I got this info from Trend Micro.
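Added example, not part of the original post or of Trend Micro's advisory: a Python sweep that checks each location only for the file names the description above ties to it, which is a quick way to triage several machines. The function names, the four path arguments and the suffix match for the P2P lure names are assumptions of this example; the randomly named files in My Music cannot be matched by name and are not covered.

```python
"""Sweep for the WORM_REDIST.E dropped files named in the advisory text."""
import sys
from pathlib import Path

# Names copied from the advisory, lower-cased for case-insensitive matching.
WINDOWS_DROPS = {"ircskins.skn", "msgsf32.exe", "msipxc32.exe",
                 "scrset32.scr", "winscz32.exe", "winsetr32.exe"}
SYSTEM_DROPS = {"icmpmgr32.exe", "lnkscrc32.scr", "msgmain32.exe",
                "msgsvc32.pif", "msrun32.exe", "svcmsg32.pif", "winlnkf32.pif"}
STARTUP_DROPS = {"startw32.pif"}
# Heuristic (assumption): all seven listed P2P lure names share this suffix.
P2P_SUFFIX = " (downloader).pif"
# Shared folders from the advisory, relative to Program Files.
P2P_DIRS = [("BearShare", "Shared"), ("Grokster", "My Grokster"),
            ("ICQ", "Shared Files"), ("Kazaa Lite", "My Shared Folder"),
            ("Kazaa", "My Shared Folder"), ("KMD", "My Shared Folder"),
            ("Limewire", "Shared"), ("Morpheus", "My Shared Folder"),
            ("Overnet", "Incoming"), ("Rapigator", "Share"),
            ("Shareaza", "Downloads"), ("Tesla", "Files"),
            ("WinMX", "My Shared Folder"), ("XoloX", "Downloads")]

def _hits(folder, is_match):
    """Return files directly inside folder whose lower-cased name matches."""
    folder = Path(folder)
    if not folder.is_dir():  # missing folders are skipped, not errors
        return []
    return sorted(str(p) for p in folder.iterdir()
                  if p.is_file() and is_match(p.name.lower()))

def sweep(windows_dir, system_dir, startup_dir, program_files):
    """Check each location only for the names the advisory ties to it."""
    findings = _hits(windows_dir, WINDOWS_DROPS.__contains__)
    findings += _hits(system_dir, SYSTEM_DROPS.__contains__)
    findings += _hits(startup_dir, STARTUP_DROPS.__contains__)
    for parts in P2P_DIRS:
        findings += _hits(Path(program_files, *parts),
                          lambda name: name.endswith(P2P_SUFFIX))
    return findings

if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: sweep.py WINDOWS SYSTEM STARTUP PROGRAM_FILES")
    for path in sweep(*sys.argv[1:5]):
        print("FOUND", path)
```

A clean result only means none of these file names are present; the registry entries for WINSCZ32.EXE still need to be checked separately.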
October 18th, 2003, 09:39 AM
PoSer
Which AV did you find it with, or did you look for it after seeing the stuff in Trend Micro?
Has anybody else had problems like this?
October 18th, 2003, 09:51 AM
Nokia
I used McAfee first but that didn't find anything, then I got this in an email from Trend Micro so I did a quick scan with PC-Cillin and it picked it up straight away!