Discussion in 'malware problems & news' started by Bowserman, Jun 18, 2003.

Thread Status:
Not open for further replies.
    Bowserman (Infrequent Poster)

    Apr 15, 2003
    South Australia
    From Symantec:

    "BAT.Snoital@mm is a batch file worm that will try to delete antivirus software from your computer. It spreads through MAPI-enabled email clients, such as Microsoft Outlook and IRC. The email will have the following characteristics:

    Subject: Free antivirus program
    Attachment: Nod32.bat

    Type: Worm
    Infection Length: 13,425 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Windows 3.x, Macintosh, OS/2, UNIX, Linux

    BAT.Snoital@mm arrives in an email with the following characteristics:

    Subject: Free antivirus program
    Message Body: Best free antivirus around
    Attachment: Nod32.bat

    When BAT.Snoital@mm is run, it does the following:

    Deletes the following files:
    %Program Files%\avpersonal\antivir.vdf
    %Program Files%\f-prot95\fpwm32.dll
    %Program Files%\kasper~1\avp32.exe
    %Program Files%\mcafee\scan.dat
    %Program Files%\norton~1\*.exe
    %Program Files%\norton~1\s32integ.dll
    %Program Files%\tbav\tbav.dat
    %Program Files%\trojan~1\tc.exe
    %Program Files%\tbscan.sig

    Copies itself to various locations on the system. The filenames vary and may consist of what appears to be random characters.
    For example:

    Creates several script files. Some typical filenames are:

    When the scripts are run, they do the following:
    Sends a copy of the worm to all the contacts in the Windows Address Book. These files will be detected as Bloodhound.VBS.Worm.

    Creates various registry values, including:


    in the key:



    "Event17" = "dcc send $nick C:\Virc\Suck-Me.BAT"

    in the key:

    HKEY_CURRENT_USER\Software\Megalith Software\Visual IRC 96\Events

    The last registry value will cause a particular IRC client to send the worm to IRC users when they enter the same channel as the current victim.

    Overwrite all the .VBS and .JS scripts with malicious scripts, which execute and send the worm by email.

    NOTE: Due to bugs in the worm, it may not be able to correctly attach itself to email messages."

    For more information:

    Regards, Jade :).
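A defender-side check for the indicators in the quoted write-up, added here as an example; it is not code from Symantec or from anyone in this thread. It parses a .reg export for the Visual IRC "Events" value that auto-sends a file by DCC, and reports which of the listed antivirus component files are absent for products known to be installed (an absent file only matters when the product is actually present). The backslashes in the paths are assumed where the forum software dropped them, and the registry export and file listing below are constructed sample data.

```python
"""Detection helpers for the BAT.Snoital@mm indicators quoted above.

Added example, not Symantec's or the thread's own code. REG_EXPORT and
SAMPLE_LISTING are constructed inputs; path separators are assumed.
"""
import fnmatch
import re

# Antivirus files the write-up says the worm deletes (separators assumed).
TARGETED_AV_FILES = [
    r"%Program Files%\avpersonal\antivir.vdf",
    r"%Program Files%\f-prot95\fpwm32.dll",
    r"%Program Files%\kasper~1\avp32.exe",
    r"%Program Files%\mcafee\scan.dat",
    r"%Program Files%\norton~1\*.exe",
    r"%Program Files%\norton~1\s32integ.dll",
    r"%Program Files%\tbav\tbav.dat",
    r"%Program Files%\trojan~1\tc.exe",
    r"%Program Files%\tbscan.sig",
]

# Registry key the write-up names for the IRC auto-send event (separators assumed).
VIRC_EVENTS_KEY = r"HKEY_CURRENT_USER\Software\Megalith Software\Visual IRC 96\Events"

# Constructed .reg export: one ViRC event that DCC-sends a batch file, plus an
# unrelated key holding the same string to show the check is scoped to the key.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Megalith Software\Visual IRC 96\Events]
"Event1"="echo joined"
"Event17"="dcc send $nick C:\\Virc\\Suck-Me.BAT"

[HKEY_CURRENT_USER\Software\Example\Unrelated]
"Event17"="dcc send $nick C:\\Virc\\Suck-Me.BAT"
'''

# Constructed directory listing of a machine with Norton and McAfee installed.
SAMPLE_LISTING = [
    r"C:\Program Files\Norton~1\NAVW32.EXE",
    r"C:\Program Files\Norton~1\s32integ.dll",
    r"C:\Program Files\McAfee\readme.txt",
    r"C:\Program Files\TBAV\tbav.dat",
]

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(reg_text):
    """Minimal .reg parser: returns {key: {value_name: string_value}}.

    Handles quoted string values only (backslash escapes are unescaped);
    other value types are kept as their raw text.
    """
    data = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            data.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = re.sub(r"\\(.)", r"\1", m.group(1))
            rest = m.group(2)
            if len(rest) >= 2 and rest.startswith('"') and rest.endswith('"'):
                rest = re.sub(r"\\(.)", r"\1", rest[1:-1])
            data[current][name] = rest
    return data


def find_virc_dcc_autosend(reg_data):
    """Return (event name, value) pairs under the ViRC Events key that issue a DCC send."""
    hits = []
    for key, values in reg_data.items():
        if key.lower() != VIRC_EVENTS_KEY.lower():
            continue
        for name, value in values.items():
            if value.lower().startswith("dcc send"):
                hits.append((name, value))
    return hits


def missing_targeted_av_files(present_paths, installed_dirs, program_files=r"C:\Program Files"):
    """Report targeted AV files that are absent, limited to installed products.

    installed_dirs: first path components under %Program Files% (e.g. "norton~1")
    of products known to be installed; entries outside them are skipped rather
    than reported, since a never-installed product's files are expected to be absent.
    """
    present = [p.lower() for p in present_paths]
    wanted = {d.lower() for d in installed_dirs}
    missing = []
    for entry in TARGETED_AV_FILES:
        rel = entry[len("%Program Files%\\"):]
        if rel.split("\\", 1)[0].lower() not in wanted:
            continue
        pattern = (program_files + "\\" + rel).lower()
        if not any(fnmatch.fnmatchcase(p, pattern) for p in present):
            missing.append(entry)
    return missing


if __name__ == "__main__":
    for name, value in find_virc_dcc_autosend(parse_reg_export(REG_EXPORT)):
        print(f"ViRC auto-send event: {name} = {value}")
    for path in missing_targeted_av_files(SAMPLE_LISTING, ["norton~1", "mcafee"]):
        print(f"Targeted AV file missing: {path}")
```

Running the script on the constructed data flags only the Event17 value under the ViRC key (the identical string under the unrelated key is ignored) and reports McAfee's scan.dat as missing while the Norton files, matched through the wildcard entry, are present.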