TrendMicro: WORM_AHKER.G

Discussion in 'malware problems & news' started by Randy_Bell, Apr 22, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    WORM_AHKER.G is a non-destructive, memory-resident worm that propagates via email. It arrives as an email attachment that, upon execution, drops a file in the Windows folder. It also has the ability to spread copies of itself via peer-to-peer (P2P) file-sharing applications by dropping copies of itself into certain P2P application shared folders, making the dropped copies available for download to other users within the network. It uses file names that are mostly related to Hollywood stars, to entice users to unknowingly download copies of it. In addition, this worm is capable of terminating running applications on a system. WORM_AHKER.G runs on Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, it creates the following registry entries to ensure that it automatically executes during every Windows startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run
    LSA Shell (Export Version) = "{full path and file name of this worm}"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices
    LSA Service = "{full path and file name of this worm}"

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\WindowsUpdate\Auto Update
    Windows auto update = "{full path and file name of this worm}"

    This worm sends copies of itself via email by using Message Application Protocol Interface (MAPI) functions. The email message that it sends contains the following details:

    From: (any of the following)
    agent@hacker.com
    bazzi@microsoft.com
    billy@hacker.com
    hilton_britgette@ahker.lb
    johnloke@msn.uk
    majortom@fbi.gov
    mariah_hillary@aol.com
    michel_bado@gmail.com
    otacon@konami.jp
    peter_parker@hotmail.com
    sarah_alia@yahoo.com
    seniormanager@byblos.com

    Subject: (varying subjects)

    Message body: (any of the following)
    • Hey buddy,
    • Bad Gateway: The message has been attached.
    • Encrypted message is available.
    • ESMTP [Secure Mail System #334]: Secure message is attached.
    • I have a big list of the websites you surfed.
    • Mail transaction failed. Partial message is available.
    • sendmail daemon reported:
    • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
    • The message contains MIME-encoded graphics and has been sent as a binary attachment.
    • The message contains Unicode characters and has been sent as a binary attachment.
    • There is the password you requested!
    • You have visited illegal websites!!
    • Your credit card was charged for $500 USD. For additional information see the attachment.

    Attachments: (varying attachment file names)

    This worm is also capable of propagating via P2P file sharing networks by dropping copies of itself into certain P2P application shared folders, as follows:

    \BearShare\Shared
    \Edonkey2000\Incoming
    \Grokster\My Grokster
    \KazaA lite\My Shared Folder
    \Kazaa\My Shared Folder
    \KMD\My Shared Folder
    \Morpheus\My Shared Folder
    \My Downloads
    \Shared

    It uses interesting file names to entice other users in the P2P networks, where a copy of itself can be downloaded as the following:

    Britney Spears Naked.exe
    Paris Hilton Naked.exe
    Hotmail Crack v.2.5 by Agent Hacker.exe
    MSN Crack by Agent Hacker.exe
    Hotmail Hack.exe
    Britney Spears XXX.exe
    Christina Aguilera XXX.exe
    Paris_Hilton_Free_Sex_Clip.exe

    Process Termination

    This worm terminates several system processes and also disables applications on an affected system. In addition, the worm adds several entries in the system's HOSTS file, preventing the user from accessing certain Web sites, mostly related to antivirus and security companies.

    If you would like to scan your computer for WORM_AHKER.G or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_AHKER.G is detected and cleaned by Trend Micro pattern file #2.591.04 and above.
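The advisory above names three autorun values the worm writes under HKLM\...\CurrentVersion and says it adds HOSTS entries that block security-vendor sites, but it does not give the file name it drops or the domains it blocks. The following triage script is an added example, not part of the Trend Micro advisory or of Randy_Bell's post. It parses two artifacts a responder would normally export from a suspect machine (a `.reg` export of the CurrentVersion key and the `hosts` file) and reports the indicators the advisory does state. The registry value names are taken from the advisory; the worm file path (`WORM_FILE_PLACEHOLDER.exe`), the sample `.reg` text and the sample HOSTS lines (with `.test` domains standing in for vendor sites) are constructed for the demonstration. The HOSTS check is a heuristic: it flags any non-default hostname pinned to loopback or `0.0.0.0`, which is the blocking pattern the advisory describes, rather than a hard-coded domain list the page does not supply.

```python
"""Offline triage for WORM_AHKER.G persistence and HOSTS-file indicators.

Added example (not the advisory's or the forum poster's code). Works on
exported artifacts so it runs on any platform, not only on the infected host.
"""
import re

CURRENT_VERSION = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"

# Autorun value names from the advisory, keyed by their CurrentVersion subkey.
AHKER_AUTORUN_VALUES = {
    r"Run": "LSA Shell (Export Version)",
    r"RunServices": "LSA Service",
    r"WindowsUpdate\Auto Update": "Windows auto update",
}

# HOSTS lines that are normal and must not be flagged.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_reg_export(text):
    """Parse a Windows .reg export into {key_path: {value_name: data}}.

    Only the REG_SZ form "name"="data" is decoded (what an autorun check needs);
    other value types are kept as their raw right-hand side.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg exports escape backslashes and quotes inside string data.
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_ahker_autoruns(reg_keys):
    """Return (key, value_name, data) for every autorun value the worm creates.

    Registry paths and value names are case-insensitive, so compare lowered.
    """
    hits = []
    lowered = {k.lower(): (k, v) for k, v in reg_keys.items()}
    for subkey, wanted in AHKER_AUTORUN_VALUES.items():
        path = f"{CURRENT_VERSION}\\{subkey}".lower()
        if path in lowered:
            key, values = lowered[path]
            for name, data in values.items():
                if name.lower() == wanted.lower():
                    hits.append((key, name, data))
    return hits


def parse_hosts(text):
    """Return (ip, hostname) pairs from a HOSTS file, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries


def suspicious_hosts_entries(text):
    """Flag non-default names pinned to loopback or 0.0.0.0 (site-blocking pattern)."""
    flagged = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_HOSTS:
            continue
        if ip in ("0.0.0.0", "::1") or ip.startswith("127."):
            flagged.append((ip, name))
    return flagged


# Constructed sample artifacts; the worm file name is a placeholder.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"LSA Shell (Export Version)"="C:\\WINDOWS\\WORM_FILE_PLACEHOLDER.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LSA Service"="C:\\WINDOWS\\WORM_FILE_PLACEHOLDER.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"Windows auto update"="C:\\WINDOWS\\WORM_FILE_PLACEHOLDER.exe"
"""

SAMPLE_HOSTS = """# constructed sample; .test domains stand in for vendor sites
127.0.0.1       localhost
192.168.1.20    fileserver.corp.example
127.0.0.1       www.example-antivirus.test   # blocked vendor stand-in
0.0.0.0         updates.example-security.test
"""

if __name__ == "__main__":
    for key, name, data in find_ahker_autoruns(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"autorun: [{key}] {name} = {data}")
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {ip}")
```

Cleanup follows directly from the hits: delete the three values (or the whole entry if the path points at the dropped file), remove the overriding HOSTS lines, and only then terminate and delete the file, since the RunServices entry would otherwise recreate the infection at next boot.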
     