
Thread: Worm_redist.e

  1. #1
    Right turn Clyde
    Nokia
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696

    Worm_redist.e

    I have just found this on FOUR computers on my Network!

    WORM_REDIST.E is a non-destructive worm that spreads via email using Microsoft Outlook, and via peer-to-peer (P2P) file-sharing networks. It also has password-stealing capabilities. It runs on Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, this worm displays the following message box:

    Error Starting Progam
    A required .DLL file, MSVBM60.DLL, was not found.

    It drops the following copies of itself into the Windows folder:

    Ircskins.skn
    Msgsf32.exe
    Msipxc32.exe
    Scrset32.scr
    Winscz32.exe
    Winsetr32.exe
    It drops the following copies of itself into the Windows system folder:

    Icmpmgr32.exe
    Lnkscrc32.scr
    Msgmain32.exe
    Msgsvc32.pif
    Msrun32.exe
    Svcmsg32.pif
    Winlnkf32.pif
    It drops the following copy into the Startup folder:

    Startw32.pif
    The worm creates registry entries that allow its dropped copy, WINSCZ32.EXE, to execute at every Windows startup.

    This worm propagates by sending a copy of itself to all email addresses found in the infected user's address book. It uses Microsoft Outlook (MAPI) to send email with varying details. Samples of the emails it sends are as follows:

    Subject: A new screensaver
    Message Body: Take a look at this new screensaver in the attachments that I downloaded from the internet a while ago. If you like it, try setting it as your system screensaver Cya!
    Attachment: 3DFish.scr

    Subject: Your file
    Message Body: Here is that file that you asked for (in the attachments). Sorry that I sent it late, I had trouble finding it on the computer.
    Attachment: Picture2.pif

    This worm also attempts to propagate to other P2P and chat clients. To do so, it drops the following copies of itself:

    Bruce Almighty (Downloader).pif
    Legally Blonde 2 (Downloader).pif
    Movie - Finding Nemo (Downloader).pif
    Movie - Terminator 3 (Downloader).pif
    Movie - The Hulk (Downloader).pif
    Movie - The Italian Job (Downloader).pif
    Sinbad - Legend of the Seven Seas (Downloader).pif
    into the following paths, if they exist:

    %Program Files%\BearShare\Shared
    %Program Files%\Grokster\My Grokster
    %Program Files%\ICQ\Shared Files
    %Program Files%\Kazaa Lite\My Shared Folder
    %Program Files%\Kazaa\My Shared Folder
    %Program Files%\KMD\My Shared Folder
    %Program Files%\Limewire\Shared
    %Program Files%\Morpheus\My Shared Folder
    %Program Files%\Overnet\Incoming
    %Program Files%\Rapigator\Share
    %Program Files%\Shareaza\Downloads
    %Program Files%\Tesla\Files
    %Program Files%\WinMX\My Shared Folder
    %Program Files%\XoloX\Downloads
    This worm also drops randomly named files into the following paths:

    \My Music
    \My Documents\My Music
    This worm also attempts to capture and send cached passwords to a remote malicious user. This function only applies on systems running Windows 95 and 98, since the API used is not available on NT-based systems. It appears that the information is being sent to the following email address:
    Zed_rRlf@hotmail.com

    I got this info from Trend Micro.
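    The write-up above is a list of filesystem indicators (dropped copies, P2P lure names, mail attachment names), which is exactly what you want to sweep the other machines and file shares for once one box has turned up infected. The following is an added example, not code from the original post or from Trend Micro: a Python sweep that walks a directory tree (a mounted share, an offline disk image, or the system drive) and reports any file whose name matches one of the indicators quoted above. Matching is case-insensitive because Windows filesystems are. Two things are assumptions of the example rather than statements from the write-up: the "My Music" heuristic (the write-up only says the copies there are randomly named, so any .pif/.scr/.exe in a My Music folder is flagged), and the constructed sample tree used to demonstrate it. The registry Run-key check is left out because the write-up does not name the key.

```python
"""IOC sweep for the WORM_REDIST.E filesystem artifacts quoted above.

Added example, not from the original post or from Trend Micro.
"""
import os
import tempfile
from pathlib import Path

# File names taken from the write-up quoted in the post.
DROPPED_COPIES = {
    # Windows folder
    "ircskins.skn", "msgsf32.exe", "msipxc32.exe", "scrset32.scr",
    "winscz32.exe", "winsetr32.exe",
    # Windows system folder
    "icmpmgr32.exe", "lnkscrc32.scr", "msgmain32.exe", "msgsvc32.pif",
    "msrun32.exe", "svcmsg32.pif", "winlnkf32.pif",
    # Startup folder
    "startw32.pif",
}

P2P_LURES = {
    "bruce almighty (downloader).pif",
    "legally blonde 2 (downloader).pif",
    "movie - finding nemo (downloader).pif",
    "movie - terminator 3 (downloader).pif",
    "movie - the hulk (downloader).pif",
    "movie - the italian job (downloader).pif",
    "sinbad - legend of the seven seas (downloader).pif",
}

MAIL_ATTACHMENTS = {"3dfish.scr", "picture2.pif"}

# The write-up says the copies in My Music are randomly named, so there is
# no fixed name to match. Flagging any executable-type file in a My Music
# folder is a heuristic assumed by this example, not a claim of the write-up.
MUSIC_DIRS = {"my music"}
EXECUTABLE_EXTS = {".pif", ".scr", ".exe"}


def sweep(root):
    """Walk root and return (full_path, reason) tuples for suspicious files."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        in_music = Path(dirpath).name.lower() in MUSIC_DIRS
        for name in filenames:
            lname = name.lower()          # Windows names are case-insensitive
            full = os.path.join(dirpath, name)
            if lname in DROPPED_COPIES:
                hits.append((full, "dropped copy"))
            elif lname in P2P_LURES:
                hits.append((full, "P2P lure"))
            elif lname in MAIL_ATTACHMENTS:
                hits.append((full, "e-mail attachment name"))
            elif in_music and Path(lname).suffix in EXECUTABLE_EXTS:
                hits.append((full, "executable in My Music (heuristic)"))
    return hits


def summarize(hits):
    """Reduce sweep output to sorted (lower-cased basename, reason) pairs."""
    return sorted((os.path.basename(p).lower(), r) for p, r in hits)


def build_sample_tree():
    """Constructed sample tree so the sweep can be run offline; returns root."""
    root = tempfile.mkdtemp(prefix="redist_demo_")
    layout = {
        "Windows/WINSCZ32.EXE": b"MZ...",                       # dropped copy
        "Windows/System/Msgsvc32.pif": b"MZ...",                # dropped copy
        "Program Files/Kazaa/My Shared Folder/"
        "Movie - The Hulk (Downloader).pif": b"MZ...",          # P2P lure
        "My Documents/My Music/x7f3q.pif": b"MZ...",            # random name
        "My Documents/My Music/song.mp3": b"ID3...",            # benign
        "Windows/notepad.exe": b"MZ...",                        # benign
    }
    for rel, data in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    for path, reason in sweep(build_sample_tree()):
        print(f"{reason:36s} {path}")
```

    Point it at a UNC path or a mounted image of each of the four machines; the name matches are high-confidence, the My Music heuristic will also catch legitimate .exe files someone stored there, so treat those as leads rather than verdicts.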

  2. #2
    Senior Member
    Join Date
    Sep 2003
    Posts
    126
    Which AV did you find it with, or did you look for it after seeing the stuff in Trend Micro?
    Has anybody else had problems like this?
    Have you ever noticed work is like a tree full of monkeys? You look down and all you see is monkeys below you, then you look up and all you see is a bunch of *******s above.

  3. #3
    Right turn Clyde
    Nokia
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    I used McAfee first but that didn't find anything, then I got this in an email from Trend Micro so I did a quick scan with PC-cillin and it picked it up straight away!

  4. #4
    I assume you have managed to remove it then...

  5. #5
    Right turn Clyde
    Nokia
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Yes, PC-cillin cleaned them with no problem.
