W32/Surnova-D

Discussion in 'malware problems & news' started by Technodrome, Jul 19, 2002.

Thread Status:
Not open for further replies.
  1. Technodrome

    Technodrome Security Expert

    W32/Surnova-D is a worm that spreads using the KaZaA network software installation and the MSN instant messenger utility. The worm will initially copy itself to the Windows folder with one of the following filenames:

    Alles-ist-vorbei.exe
    Desktop-shooting.exe
    Hello-Kitty.exe
    BigMac.exe
    Cheese-Burger.exe
    Blaargh.exe

    The registry value

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Supernova

    is added to the registry and points to the new copy of the worm so that the worm is run when Windows starts up.

    The following fake error message will be displayed by the worm when it is first executed:

    Application attempted to read memory at 0xFFFFFFFFh Terminating application

    W32/Surnova-D queries the registry entry

    HKLM\Software\KaZaA\LocalContent

    for a folder that is shared across the KaZaA network. If a value is not found then the folder C:\<Windows>\Media is used. The worm then creates over seventy copies of the worm in this folder with the following filenames:

    Windows XP key generator.exe
    Windows XP serial generator.exe
    Key generator for all windows XP versions.exe
    Warcraft 3 ONLINE key generator.exe
    Half-life ONLINE key generator.exe
    Quake 4 BETA.exe
    Grand theft auto 3 CD1 crack.exe
    GTA3 crack.exe
    Battle.net key generator (WORKS!!).exe
    Warcraft 3 battle.net serial generator.exe
    Half-life WON key generator.exe
    Star wars episode 2 downloader.exe
    Winzip 8.0 + serial.exe
    Winrar + crack.exe
    Britney spears nude.exe
    Macromedia MX key generator (all products).exe
    KaZaA media desktop v2.0 UNOFFICIAL.exe
    Microsoft key generator, works for ALL microsoft products!!.exe
    Microsoft Windows XP crack pack.exe
    Hack into any computer!!.exe
    DivX codec v6.0.exe
    DivX newest version.exe
    DivX.exe
    DivX pro key generator.exe
    Key generator for over 1,000 applications (really!).exe
    DivX patch - Increases quality.exe
    KaZaA spyware remover.exe
    Age of empires 2 crack.exe
    Norton antivirus 2002.exe
    Macromedia Dreamweaver MX Key Generator.exe
    Macromedia Flash MX Key Generator.exe
    Neverwinter nights crack.exe
    Microsoft Office XP (english) key generator.exe
    Microsoft Office XP.iso.exe
    CloneCD + crack.exe
    CloneCD all-versions key generator.exe
    XBOX emulator (WORKS!!).exe
    Gamecube Emulator (WORKS!!).exe
    Xbox.info.exe
    Grand Prix 4 crack.exe
    Nokia simlock remover (includes new models).exe
    Norton antivirus 2002.exe
    Macromedia Dreamweaver MX Key Generator.exe
    Macromedia Flash MX Key Generator.exe
    Neverwinter nights crack.exe
    Microsoft Office XP (english) key generator.exe
    Microsoft Office XP.iso.exe
    CloneCD + crack.exe
    CloneCD all-versions key generator.exe
    XBOX emulator (WORKS!!).exe
    Gamecube Emulator (WORKS!!).exe
    Xbox.info.exe
    Grand Prix 4 crack.exe
    Nokia simlock remover (includes new models).exe
    Britney spears hard porn (REAL!).exe
    Christina Aguilera **** (REAL!).exe
    Kiddy child incest porn.exe
    Doom 3 preview!!.exe
    Crazy taxi crack.exe
    Copy protection remover.exe
    Sex.exe
    Jedi Knight 2 crack.exe
    Warcraft 3 trainer.exe
    Cable modem uncapper.exe
    Grand theft auto 3 trainer.exe
    KaZaA hack.exe
    KaZaA lite.exe
    Dragonball Z.exe
    Dragonball Z COMPLETE episode guide.exe
    Dragonball Z shootout.exe
    Dragonball Z episode 1.exe
    J-LO Nude (REAL!!).exe
    Doom 3 screenshots.exe
    Resident Evil [DivX].exe
    Shrek.exe
    Starcraft 2 preview!.exe
    Starcraft battle.net key generator.exe
    Starcraft ONLINE crack.exe

    W32/Surnova-D will also attempt to send itself to contacts in the infected user's Messenger contact list. The worm will arrive with one of the following messages:

    Hehe, check this out :)
    Funny, check it out (h)
    LOL!! See this :D
    LOL!! Check this out :)
    Hehe, this is fun :)

    The worm also creates a text file in the Windows folder with a name consisting of randomly generated digits. The text file contains the text:

    W32.Supernova - Ban religion
    -------------------------------------------------------
    Religion = War
    Religion = Based on fairytales
    Wars based on fairytales?
    Ban religion, welcome to the truth
    -------------------------------------------------------

    source: http://www.sophos.com



    Technodrome
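
A triage check for the indicators listed in the post above, added here as an example (it is not part of the original post or of the Sophos description). The function names, the input format (Run-key values and a file listing collected beforehand) and the sample data are assumptions made for illustration.

```python
import ntpath

# Indicators quoted in the post above.
RUN_VALUE = "Supernova"
DROPPER_NAMES = {n.lower() for n in (
    "Alles-ist-vorbei.exe", "Desktop-shooting.exe", "Hello-Kitty.exe",
    "BigMac.exe", "Cheese-Burger.exe", "Blaargh.exe")}
NOTE_MARKER = "W32.Supernova - Ban religion"

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def triage(run_values, files, windows_dir, shared_dir=None):
    """run_values: {value name: data} from the Run key; files: {full path: text
    or None}; shared_dir: folder from HKLM\\Software\\KaZaA\\LocalContent, if any.
    Returns a sorted list of (indicator, detail) tuples."""
    win = _norm(windows_dir)
    # The post gives the Media folder under Windows as the fallback drop folder.
    shared = _norm(shared_dir) if shared_dir else ntpath.join(win, "media")
    findings, shared_exes = [], 0
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE.lower():
            findings.append(("run-value", data))
    for path, text in files.items():
        folder, base = ntpath.split(_norm(path))
        stem, ext = ntpath.splitext(base)
        if folder == win and base in DROPPER_NAMES:
            findings.append(("dropper-copy", path))
        # Assumption: the digits-only note may carry any extension.
        if folder == win and stem.isdigit() and text and NOTE_MARKER in text:
            findings.append(("marker-note", path))
        if folder == shared and ext == ".exe":
            shared_exes += 1
    if shared_exes:  # a lead for review, not a verdict on its own
        findings.append(("shared-exe-count", str(shared_exes)))
    return sorted(findings)

# Constructed sample data, not taken from a real host.
SAMPLE_RUN = {"Supernova": r"C:\WINDOWS\BigMac.exe", "Tray": r"C:\Tools\tray.exe"}
SAMPLE_FILES = {
    r"C:\WINDOWS\BigMac.exe": None,
    r"C:\WINDOWS\48213907.txt": NOTE_MARKER + "\n",
    r"C:\WINDOWS\Media\GTA3 crack.exe": None,
    r"C:\WINDOWS\Media\DivX.exe": None,
    r"C:\WINDOWS\Media\chimes.wav": None,
}

if __name__ == "__main__":
    print(triage(SAMPLE_RUN, SAMPLE_FILES, r"C:\WINDOWS"))
```

Path comparison is case-insensitive, as on Windows. A count of executables in a user-chosen shared folder needs manual review, since such a folder can hold legitimate programs.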
     