Name: W32/Blinkom-A
Aliases: WORM_BLINKOM.A, Worm.P2P.Blinkom, W32/Blinkom, Win32/Blinkom.worm, Win32/Venzu.Worm, Win32.Venzu.A
Type: Win32 worm
Date: 19 September 2002

At the time of writing Sophos has received just one report of this worm from the wild.

Description

W32/Blinkom-A is a worm which attempts to spread via SMTP, IRC channels, KaZaA peer-to-peer shared folders, ICQ shared folders and by copying itself to drive A:.

Emails may arrive with messages in either English or Spanish and have one of the following sets of characteristics:

Subject line: Los mejores chistes de Bin Laden
Message text: A todos mis amigos. Los mejores chistes que me enviaron, éstos son los mejores.
Attached file: BinLadilla.pif

Subject line: HISPASEC
Message text: Esta es la prueba de que HISPASEC roba importantes bases de datos de muchas compañías, incluso hotmail. (los campos en blanco son algunos datos omitidos por razones de anonimato y seguridad).
Attached file: Noticia45.Txt.pif

Subject line: Base de datos. Carnivore.
Message text: BO2K publica parte de la base de datos recopilada por Carnivore.
Attached file: CarnivoreStory.Pif

Subject line: VAN A VENDER HOTMAIL
Message text: parece que los de microsoft no se la pudieron, prefirieron dedicarle tiempo al windows, amenazan con borrar las cuentas, pero se puede evitar siguiendo unos estatuts que ellos ponen a disposición. leelos o no tendras mas cuenta. chao.
Attached file: Estatutos.Pif

Subject line: HISPASEC
Message text: This is the probe that HISPASEC steals important databases of many companies (the fields in blank_target are some data omitted by security and anonimity reasons)
Attached file: NewsHS.Txt.pif

Subject line: Carnivore databases
Message text: BO2K publish pieces of database gathered by Carnivore.
Attached file: CarnivoreStory.Pif

W32/Blinkom-A may drop copies of itself to the following folders and drives:

C:\Windows\Blink 182.scr
C:\Windows\RaZor.scr
C:\Windows\Cloud Strife.scr
C:\Windows\Kuasanagui.scr
C:\Windows\\182.exe
C:\Windows\HOKO.scr
C:\Windows\ErGrone.scr
C:\Windows\Jtag.scr
C:\Windows\XpLOaD.scr
C:\Windows\NERFIX.scr
C:\Windows\NEMESIZZ.scr
C:\Windows\Tom.scr
C:\Windows\Marc.scr
C:\Windows\Travis.scr
C:\Windows\BOX CAR RACER.scr
C:\Windows\Take Off Youre Pants And Youre Jacket.scr
C:\Windows\Damm You!.scr
C:\Windows\ENEMA.scr
C:\Windows\DUDE RANCH.scr
C:\Windows\Cheshire Cat.scr
C:\Windows\Guitar.scr
C:\Windows\Punk Power!.scr
C:\Program Files\KaZaA\My Shared Folder\Blink 182.scr
C:\Program Files\KaZaA\My Shared Folder\Box Car Racer.scr
C:\Program Files\KaZaA\My Shared Folder\Blink 182 All Videos.exe
C:\Program Files\KaZaA\My Shared Folder\KaZaA UpDate.exe
C:\Program Files\KaZaA\My Shared Folder\Songs.scr
C:\Program Files\KaZaA\My Shared Folder\Anna Kournikova.scr
C:\Program Files\KaZaA\My Shared Folder\All The Small Things All Screen Video.scr
C:\Program Files\KaZaA\My Shared Folder\My Screen Saver.scr
C:\Program Files\KaZaA\My Shared Folder\Telephone Numbers The Video.scr
C:\Program Files\KaZaA\My Shared Folder\Fun Screen.scr
C:\Program Files\KaZaA\My Shared Folder\MeGa CiBer ScReeN SavEr.scr
C:\Program Files\KaZaA\My Shared Folder\Osama The King.scr
C:\Program Files\KaZaA\My Shared Folder\Marc Tom And Travis.scr
C:\Program Files\ICQ\shared files\ICQ Power Edition.exe
C:\Program Files\ICQ\shared files\ICQ SMS Plus.exe
C:\Program Files\ICQ\shared files\ICQ Screen Saver.scr
C:\Program Files\ICQ\shared files\ICQ Millenium Screen.scr
C:\Program Files\ICQ\shared files\ICQ Fire Screen.scr
C:\Program Files\ICQ\shared files\ICQ Ice Screen.scr
C:\Program Files\ICQ\shared files\ICQ Natural Screen.scr
A:\Nude Screen.scr
A:\SeX ScReen Saver.scr
A:\Playboy Screen Saver.scr
A:\Shakira Screen Saver.scr

The worm also attempts to disable certain firewall programs (ZoneAlarm, BlackIce, Tiny and Sygate), delete files related to anti-virus software, disable registry settings related to macro security within Microsoft Office and run itself on system restart by adding an entry to SYSTEM.INI.

W32/Blinkom-A attempts to add the following entries to the registry:

HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder = "Blink Folder"
HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder\VEDataFilePath = "The Blink Path"
HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder\VEIndexFilePath = "The Plink, the Blink, the Oink"
HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder\MainDir = "Blink virus & the Batch company"
HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder\Folder = "Plink it's the Blink guitarrist yeeeeeh!"
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Options\EnableMacroVirusProtection = "0"
HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options\EnableMacroVirusProtection = "0"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = "Blink"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = "The Blink company inc."

More information about W32/Blinkom-A can be found at http://www.sophos.com/virusinfo/analyses/w32blinkoma.html
The Norton 9/19/02 virus list contains no hits for either "blinkom" or "venzu". Unless there are other aliases not listed in FanJ's post, NAV does not detect this worm. Thankfully, it isn't a big threat, if Sophos has received just one report of this worm from the wild. Hopefully, if it does grow as a threat, the various vendors will get detection.
Hi Randy,

Here is the Symantec link:

W32.Venzu.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.venzu.worm.html

[hr]

Discovered on: August 2, 2002
Last Updated on: August 12, 2002 08:20:46 PM PDT

W32.Venzu.Worm is a mass-mailing worm that is written in the Borland Delphi programming language and compressed with UPX. It uses SMTP to send itself to email addresses that it finds in the MSN Messenger Service list. The email message has the following characteristics:

Subject: The subject can be one of the following:
Los mejores chistes de Bin Laden
HISPASEC
Carnivore databases
Base de datos. Carnivore.
VAN A VENDER HOTMAIL

Attachment: The attachment can be one of the following:
BinLadilla.pif
Noticia45.Txt.pif
NewsHS.Txt.pif
CarnivoreStory.Pif
Estatutos.Pif

W32.Venzu.Worm also tries to spread through KaZaA, ICQ, mIRC, and floppy disk.

Type: Zoo Worm
Infection Length: 176,640 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, Unix, Linux
Virus Definitions (Intelligent Updater) * August 5, 2002
Virus Definitions (LiveUpdate™) ** August 7, 2002

When W32.Venzu.Worm runs, it does the following:

It displays a message that has these characteristics:
Title: Blink Worm By RaZor/GEDZAC
Text: Hecho En Venezuela Barquisimento Estado Lara.

The worm creates many copies of itself on the hard drive, the KaZaA shared folder, the ICQ shared folder, and on the floppy disk so that it can spread through the KaZaA peer-to-peer network, ICQ, and floppy disk. Here are some samples:
Blink 182.scr
C:\ThE MegA BlINk BaT.bat
C:\Windows\Blink 182.scr
C:\Windows\BOX CAR RACER.scr
C:\Windows\%system%\182.exe
C:\Program Files\KaZaA\My Shared Folder\Blink 182.scr
C:\Program Files\KaZaA\My Shared Folder\KaZaA UpDate.exe
C:\Program Files\KaZaA\My Shared Folder\All The Small Things All Screen Video.scr
C:\Program Files\ICQ\shared files\ICQ Power Edition.exe
C:\Program Files\ICQ\shared files\ICQ Ice Screen.scr
A:\Nude Screen.scr

The worm adds the values
avpfolder = Blink Folder
VEDataFilePath = The Blink Path
VEIndexFilePath = The Plink, the Blink, the Oink
MainDir = Blink virus & the Batch company
Folder = Plink it's the Blink guitarrist yeeeeeh!
to the registry key
HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles

It adds the value
EnableMacroVirusProtection = 0
to the registry key
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Options
This disables the macro virus protection option of Microsoft Office.

It also adds the values
RegisteredOwner = Blink
RegisteredOrganization = The Blink company inc.
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

The worm overwrites C:\archiv~1\perav\*.dat with copies of itself and deletes the following files if they exist:
C:\Archiv~1\Pandas~1\Pandaa~1.0\*.dll
C:\Archiv~1\McAfee\McAfee~1\*.dll
C:\Archiv~1\Norton~1\NAVDX.EXE
C:\Archiv~1\Norton~1\V325SCAN.dll
C:\Archiv~1\Norton~1\NAVP.VXD

It searches the registry to determine the locations of the working folders of some firewall products, such as ZoneAlarm, BlackIce, Tiny, and Sygate. It deletes all of the files in these folders.

The worm creates two clean files:
C:\Dammit.txt
C:\Wallpaper1.html
It then changes the wallpaper to C:\Wallpaper1.html.

NOTE: Symantec AntiVirus Products do not detect those two files. If the computer is infected with W32.Venzu.Worm, delete the files manually.

The worm modifies C:\mIRC\Script.ini in an attempt to send a copy of itself through mIRC. The worm file name is Blink 182.scr.

It overwrites the text of the C:\Program Files\Yahoo!\Messenger\ymsgr.ini file to create links on the Yahoo! Messenger/Tools/Inside Yahoo! menu.

It overwrites the text of C:\Windows\Win.ini with the following line:
Estas Infectado Por Blink!!

It overwrites the text of C:\Windows\Winstart.bat with the following lines:
CLS
@ECHO Estas Infectado Por Blink!!
pause

It appends the following section to the C:\Autoexec.bat file:
@attrib +h +r c:\blink.bat
cls
@ECHO ---------------------
@ECHO [ Blink virus. ]
@ECHO [ RaZor ]
@ECHO [ Gedzac Labs 2002. ]
@choice "" /c:12 /n /t:1,5
@if errorlevel 1 goto fin
:fin

It inserts the following section into C:\Windows\System.ini so that the copy of the worm runs when you restart Windows:
[boot]
shell=Explorer.exe 182.exe

The worm uses SMTP to send itself to email addresses that it finds in the MSN Messenger Service list. The email message is one of the following:

Subject: Los mejores chistes de Bin Laden
Message: A todos mis amigos. Los mejores chistes que me enviaron, éstos son los mejores.
Attachment: BinLadilla.pif

Subject: HISPASEC
Message: Esta es la prueba de que HISPASEC roba importantes bases de datos de muchas compañías, incluso hotmail. (los campos en blanco son algunos datos omitidos por razones de anonimato y seguridad).
Attachment: Noticia45.Txt.pif

Subject: HISPASEC
Message: This is the probe that HISPASEC steals important databases of many companies (the fields in blank_target are some data omitted by security and anonimity reasons)
Attachment: NewsHS.Txt.pif

Subject: Carnivore databases
Message: BO2K publish pieces of database gathered by Carnivore.
Attachment: CarnivoreStory.pif

Subject: Base de datos. Carnivore.
Message: BO2K publica parte de la base de datos recopilada por Carnivore.
Attachment: CarnivoreStory.pif

Subject: VAN A VENDER HOTMAIL
Message: parece que los de microsoft no se la pudieron, prefirieron dedicarle tiempo al windows, amenazan con borrar las cuentas, pero se puede evitar siguiendo unos estatuts que ellos ponen a disposición. leelos o no tendras mas cuenta. chao.
Attachment: Estatutos.pif

The worm attempts to make some voice phone calls to Colombia, Spain, Puerto Rico, and Mexico. It also attempts to make a phone call to Academia (USA).

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

Delete all files that are detected as W32.Venzu.Worm, and re-enable the security value that the worm disabled in the registry. For details on how to do this, read the following instructions.

To scan for and delete the infected files:
1. Obtain the most recent virus definitions.
...snip...
2. Start your Symantec antivirus program, and make sure that it is configured to scan all files.
Norton AntiVirus Consumer products: Read the document How to configure Norton AntiVirus to scan all files.
Symantec Enterprise antivirus products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
3. Run a full system scan.
4. If any files are detected as infected by W32.Venzu.Worm, click Delete.

To change the value in the registry:
CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Options
4. In the right pane, change the value of
EnableMacroVirusProtection 0
so that it is
EnableMacroVirusProtection 1
5. Exit the Registry Editor.
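As an added example (not Sophos or Symantec code, and not part of either post above), here is a small Python checker that turns the indicators from both write-ups into tests a responder can run over files copied off a suspect machine: the [boot] shell= line of System.ini, a REGEDIT4-style registry export, a list of file paths, the text of Win.ini/Winstart.bat/Autoexec.bat, and a mail's subject/attachment pair. The dropped-file names, registry values and lure pairs are taken from the posts; the sample System.ini and .reg text are constructed here, and the file-name table is a subset of the full list.

```python
# Indicator checks for the Blinkom/Venzu host and mail artifacts described above.
# Added example, not Sophos or Symantec code; the sample inputs are constructed.
import re

# Indicators copied from the two write-ups: dropped file names, registry
# values, lure subject/attachment pairs and the banner written to Win.ini etc.
KNOWN_DROPPED_NAMES = {
    "blink 182.scr", "box car racer.scr", "182.exe", "kazaa update.exe",
    "blink 182 all videos.exe", "icq power edition.exe", "icq sms plus.exe",
    "the mega blink bat.bat", "nude screen.scr", "osama the king.scr",
}
KNOWN_REG_VALUES = {
    (r"hkey_local_machine\software\kasperskylab\sharedfiles", "avpfolder"): "Blink Folder",
    (r"hkey_current_user\software\microsoft\office\9.0\word\options",
     "enablemacrovirusprotection"): "0",
    (r"hkey_local_machine\software\microsoft\windows\currentversion",
     "registeredowner"): "Blink",
    (r"hkey_local_machine\software\microsoft\windows\currentversion",
     "registeredorganization"): "The Blink company inc.",
}
KNOWN_LURES = {
    ("los mejores chistes de bin laden", "binladilla.pif"),
    ("hispasec", "noticia45.txt.pif"), ("hispasec", "newshs.txt.pif"),
    ("carnivore databases", "carnivorestory.pif"),
    ("base de datos. carnivore.", "carnivorestory.pif"),
    ("van a vender hotmail", "estatutos.pif"),
}
INFECTION_BANNER = "estas infectado por blink"

def parse_ini(text: str) -> dict[str, dict[str, str]]:
    """Minimal INI parser: section -> {key: value}, section and key lower-cased."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_system_ini(text: str) -> list[str]:
    """Flag programs chained after Explorer.exe on the [boot] shell= line;
    the worm's restart persistence is exactly such an entry (182.exe)."""
    shell = parse_ini(text).get("boot", {}).get("shell", "")
    tokens = shell.split()
    if not tokens:
        return []
    if tokens[0].lower() != "explorer.exe":
        return [f"unexpected shell: {shell}"]
    return [f"extra shell program: {t}" for t in tokens[1:]]

def parse_reg_export(text: str) -> list[tuple[str, str, str]]:
    """Parse [KEY] headers and "Name"="Value" lines of a REGEDIT4-style export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key is not None:
            entries.append((key, m.group(1).lower(), m.group(2)))
    return entries

def check_registry(text: str) -> list[str]:
    """Report registry values that exactly match the worm's known writes."""
    return [f"{name}={value!r} under {key}"
            for key, name, value in parse_reg_export(text)
            if KNOWN_REG_VALUES.get((key, name)) == value]

def check_paths(paths: list[str]) -> list[str]:
    """Return the paths whose file name is one of the worm's dropped names."""
    return [p for p in paths
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in KNOWN_DROPPED_NAMES]

def has_infection_banner(text: str) -> bool:
    """Win.ini, Winstart.bat and Autoexec.bat all receive this banner line."""
    return INFECTION_BANNER in text.lower()

def is_known_lure(subject: str, attachment: str) -> bool:
    """Match a mail's subject/attachment pair against the lure table."""
    return (subject.strip().lower(), attachment.strip().lower()) in KNOWN_LURES

# Constructed samples standing in for files copied off a suspect machine.
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe 182.exe\n[386Enh]\n"
SAMPLE_REG = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Options]
"EnableMacroVirusProtection"="0"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Blink"
"RegisteredOrganization"="The Blink company inc."
"""
```

The System.ini check is the one piece that generalizes beyond this worm: any program appended after Explorer.exe on the shell= line is reported, not just 182.exe. The other checks are exact matches against the published indicators, so a renamed dropper or a variant that writes different registry data would not be caught by them; for those, the EnableMacroVirusProtection value being 0 at all, regardless of who set it, is the more durable thing to alert on.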