

W32/Xirtem@MM


What is W32/Xirtem@MM?

Discovered on 3rd December 2008, W32/Xirtem@MM is a mass-mailing worm that also spreads through removable media using autorun.inf and by copying itself to the shared folders of peer-to-peer (P2P) applications.

Aliases

  • Trojan-Banker.Win32.Banker.abbi (Kaspersky)
  • VirTool:Win32/CeeInject.gen!J (Microsoft)
  • W32.Degnax@mm (Symantec)
  • W32/Autorun-RI (Sophos)

This worm spreads by copying itself to any removable media connected to the system and creating an "autorun.inf" file on it, so that the copy is executed whenever the device is connected to another system on which AutoRun is honoured for removable drives.
It also has mass-mailing capabilities: the worm sends e-mails with a copy of itself attached to e-mail addresses harvested from the infected system, using the following combinations of subject, attachment name and From address:

Subject of e-mail                                           | Attachment name | From address
------------------------------------------------------------+-----------------+-----------------------
You've received A Hallmark E-Card!                          | postcard.zip    | postcards@hallmark.com
Coca Cola is proud to announce our new Christmas Promotion. | promotion.zip   | noreply@coca-cola.com
Mcdonalds wishes you Merry Christmas!                       | coupon.zip      | giveaway@mcdonalds.com
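The autorun.inf mechanism described above is easy to check for by hand. The following script is an added example (it is not from the original write-up, and it is not the worm's own autorun.inf, whose contents the page does not give): it parses an autorun.inf the way the AutoRun logic reads it, honouring only the [autorun] section and treating keys case-insensitively, and reports every entry that would launch a program (open=, shellexecute= or shell\<verb>\command=). The two sample files at the bottom are constructed for the example, including the binary junk lines that worms commonly pad the file with.

```python
"""Inspect an autorun.inf for entries that would launch an executable.

Added example, not part of the original write-up. Only the [autorun] section
is honoured (architecture-specific [autorun.<arch>] sections are ignored),
keys are compared case-insensitively, and a lenient decode is used because
padding lines of binary junk are common and are ignored by Windows too.
"""
import re
from typing import Dict, List

EXEC_EXTENSIONS = (".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js")
LAUNCH_KEYS = ("open", "shellexecute")
COMMAND_KEY = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(data: bytes) -> Dict[str, str]:
    """Return the key/value pairs of the [autorun] section, keys lower-cased."""
    text = data.decode("latin-1")          # never fails, keeps every byte
    section = None
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def _target_program(command: str) -> str:
    """First token of a command line, unquoted: the program that would run."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_entries(data: bytes) -> List[str]:
    """Describe every [autorun] entry that would execute a program.

    On removable media any such entry deserves a look: this is exactly how
    the worm on this page gets itself run from an infected USB stick.
    """
    findings = []
    for key, value in parse_autorun(data).items():
        if key in LAUNCH_KEYS or COMMAND_KEY.match(key):
            program = _target_program(value)
            if program.lower().endswith(EXEC_EXTENSIONS):
                findings.append(f"{key}={value!r} launches {program}")
    return findings


# Constructed sample: worm-style file that runs a hidden copy both on insert
# and when the drive's "Open" verb is used; the [other] section is ignored.
SAMPLE = b"""[autorun]
;zhgkj\x00\xffjunk padding line, ignored by the INI reader
OPEN=RECYCLER\\setup.exe
shell\\open\\command=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
[other]
open=harmless.exe
"""

# Constructed sample: what a vendor's autorun.inf normally contains.
BENIGN = b"""[autorun]
icon=driver.ico
label=USB DISK
"""

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE):
        print("SUSPICIOUS:", finding)
    print("benign sample:", suspicious_entries(BENIGN) or "nothing to report")
```

Run it against `open("E:\\autorun.inf", "rb").read()` on a suspect drive; any finding means the drive should be scanned before it is opened in Explorer.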
                         

This worm also spreads by copying itself into the shared folders of P2P applications under the following file names, which imitate popular applications and their cracks/keygens:

Absolute Video Converter 6.2.exe
Acker DVD Ripper 2009.exe
Ad-aware 2008.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
BitDefender AntiVirus 2009 Keygen.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
Divx Pro 6.8.0.19 + keymaker.exe
Download Accelerator Plus v8.7.5.exe
Download Boost 2.0.exe
FOOTBALL MANAGER 2009.exe
G-Force Platinum v3.7.5.exe
Google Earth Pro 4.2. with Maps and crack.exe
Half life 3 preview 10 minutes gameplay video.exe
Internet Download Manager V5.exe
Joannas Horde Leveling Guide TBC Woltk.exe
Kaspersky Internet Security 2009 keygen.exe
K-Lite codec pack 4.0 gold.exe
LimeWire Pro v4.18.3.exe
Microsoft Visual Studio 2008 KeyGen.exe
Motorola, nokia, ericsson mobil phone tools.exe
Myspace theme collection.exe
Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Opera 10 cracked.exe
Password Cracker.exe
Perfect keylogger family edition with crack.exe
Power ISO v4.2 + keygen axxo.exe
Red Alert 3 keygen and trainer.exe
Silkroad Online guides and wallpapers.exe
Smart Draw 2008 keygen.exe
Sophos antivirus updater bypass.exe
Super Utilities Pro 2009 11.0.exe
TCN ISO cable modem hacking tools.exe
TCN ISO SigmaX2 firmware.bin.exe
Tuneup Ultilities 2008.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
Ultimate xxx password generator 2009.exe
VmWare keygen.exe
Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows XP PRO Corp SP3 valid-key generator.exe
WinRAR v3.x keygen RaZoR.exe
Wow WoLTk keygen generator-sfx.exe
xbox360 flashing tools and guide including bricked drive fix.exe
Youtube Music Downloader 1.0.exe
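The names above follow a few patterns (crack/keygen wording, media or documents "offered" as a program, double extensions such as firmware.bin.exe). The following script is an added example, not from the original page and not the vendor's detection logic: the rules are generic heuristics of my own, applied to the names the worm uses, and KNOWN_LURES holds only a few of the page's names for illustration. The sample list in the usage block is constructed.

```python
"""Flag file names in a P2P shared folder that look like executable lures.

Added example; the heuristics are mine, not the vendor's. Extend KNOWN_LURES
with the complete list from the write-up if exact matching is wanted.
"""
import os
import re
from typing import Dict, Iterable, List

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Inner extensions that promise data, not a program ("firmware.bin.exe").
CONTENT_EXT = {".bin", ".avi", ".mp3", ".zip", ".rar", ".iso", ".pdf",
               ".jpg", ".doc", ".wmv", ".mpg", ".txt"}
LURE_WORDS = re.compile(
    r"\b(keygen|keymaker|key generator|crack(?:ed|er)?|trainer|serial|"
    r"patch(?:er)?|bypass|password generator|valid-key)\b", re.IGNORECASE)
MEDIA_WORDS = re.compile(
    r"\b(video|gameplay|ring ?tones?|wallpapers?|themes?|guides?|firmware|"
    r"virtual machine)\b", re.IGNORECASE)
# A few exact names from the page (lower-cased); a direct hit is the strongest rule.
KNOWN_LURES = {
    "adobe photoshop cs4 crack.exe",
    "half life 3 preview 10 minutes gameplay video.exe",
    "tcn iso sigmax2 firmware.bin.exe",
    "windows 2008 enterprise server vmware virtual machine.exe",
}


def lure_reasons(filename: str) -> List[str]:
    """Return why a shared file name looks like a lure; empty means no rule fired."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXEC_EXT:
        return []                          # only programs can carry the worm
    reasons = []
    if filename.lower() in KNOWN_LURES:
        reasons.append("known lure name from this worm")
    inner = os.path.splitext(stem)[1].lower()
    if inner in CONTENT_EXT:
        reasons.append(f"double extension {inner}{ext.lower()}")
    if LURE_WORDS.search(stem):
        reasons.append("crack/keygen wording")
    if MEDIA_WORDS.search(stem):
        reasons.append("media or document offered as a program")
    return reasons


def scan_names(names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each suspicious name to its reasons, skipping names no rule fired on."""
    flagged: Dict[str, List[str]] = {}
    for name in names:
        reasons = lure_reasons(name)
        if reasons:
            flagged[name] = reasons
    return flagged


def scan_folder(path: str) -> Dict[str, List[str]]:
    """Run scan_names over the files of a real shared folder."""
    return scan_names(os.listdir(path))


if __name__ == "__main__":
    sample = [  # constructed: three names from the page plus two benign files
        "Adobe Photoshop CS4 crack.exe",
        "TCN ISO SigmaX2 firmware.bin.exe",
        "Half life 3 preview 10 minutes gameplay video.exe",
        "holiday_photos.zip",
        "setup.exe",
    ]
    for name, why in scan_names(sample).items():
        print(f"{name}: {'; '.join(why)}")
```

Point `scan_folder()` at the share directory of the P2P client (LimeWire, Kazaa and the like); a plain `setup.exe` is deliberately not flagged, since without a lure pattern the name alone says nothing.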

 

How does it affect your PC?

Upon execution, the worm displays the following picture as a decoy, so that the user believes they have opened a harmless image file:
[image: w32xirtem-image, the decoy picture shown on execution]
Meanwhile, the worm connects to "Whatismyip.com" to learn the victim's public IP address.
It then copies itself to the following location:

  • %WinDir%\system32\vxworks.exe

It injects itself into multiple running processes.
It also drops the following file:

  • %WinDir%\system32\qnx.exe

It then launches an instance of iexplore.exe in the background and uses it to log keystrokes to a file at the following location:

  • %WinDir%\drm.ocx

This instance of iexplore.exe communicates with ip-68-226-[removed]-235.tc.ph.cox.net.

The following registry keys are added:

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\XMAS
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\XMAS

Note that the Active Setup component name {77520Q86-864L-N81R-0R2W-7U2G0P22436U} is not a valid GUID (it contains letters outside the hexadecimal range), so it cannot belong to a legitimate component and is a reliable indicator on its own.

The following registry Values are created to load the worm at system startup:

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "QnX"
  Data: %WinDir%\system32\qnx.exe

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "QnX"
  Data: %WinDir%\system32\qnx.exe

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U} "StubPath"
  Data: "%WinDir%\system32\qnx.exe"

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Wind River Systems"
  Data: %WinDir%\system32\vxworks.exe

It adds the following registry entries as part of its payload:

 HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "RunInvalidSignatures"
  Data: no

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper "bsd"
  Data: 03

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper "free"
  Data: 12

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"
  Data: .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav

Listing .exe, .bat, .cmd, .pif and .scr in LowRiskFileTypes tells the Attachment Manager not to show its "Open File - Security Warning" prompt for those types, so downloaded or e-mailed copies of the worm open without a warning.

It adds the following registry value to put itself on the Windows Firewall's authorized applications list:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\vxworks.exe"
  Data: %WinDir%\system32\vxworks.exe:*:Enabled:Explorer

The following registry values are modified:

  •  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures"
      Old data: yes
      New data: 01, 00, 00, 00
  •  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden"
      Old data: 00, 00, 00, 00
      New data: 01, 00, 00, 00
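The registry indicators listed above can be checked offline against a registry export instead of by hand. The following script is an added example, not part of the original page: its indicator table is taken from the write-up (the Run/StubPath values, the firewall entry, the LowRiskFileTypes policy and the dropped files), the parser handles the text format that `reg export` and regedit write, and the export at the bottom is constructed for the example, with one genuine Active Setup component and one benign firewall entry as controls. On the suspect machine, `reg export HKCU hkcu.reg` and `reg export HKLM hklm.reg` produce the input; regedit writes UTF-16, so read the file with `encoding="utf-16"`.

```python
"""Match the registry indicators from this write-up against a .reg export.

Added example, not the vendor's tooling. Indicator paths are from the page;
SAMPLE_EXPORT is constructed. Read real exports with encoding="utf-16".
"""
import os
import re
from typing import Dict, List, Tuple

ANY = "*"
# (key path suffix, value name, substring expected in the data), lower-case.
INDICATORS: List[Tuple[str, str, str]] = [
    (r"\software\microsoft\windows\currentversion\run", "qnx", "qnx.exe"),
    (r"\software\microsoft\windows\currentversion\run", "wind river systems", "vxworks.exe"),
    (r"\software\microsoft\windows\currentversion\policies\explorer\run", "qnx", "qnx.exe"),
    (r"\active setup\installed components\{77520q86-864l-n81r-0r2w-7u2g0p22436u}",
     "stubpath", "qnx.exe"),
    (r"\firewallpolicy\standardprofile\authorizedapplications\list", ANY, "vxworks.exe"),
    (r"\windows\currentversion\policies\associations", "lowriskfiletypes", ".exe"),
]
DROPPED_FILES = [r"system32\vxworks.exe", r"system32\qnx.exe", "drm.ocx"]
GUID = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)


def _unquote(s: str) -> str:
    """Strip the quotes of a .reg string and undo its \\\\ and \\" escapes."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}} from regedit's export format.

    Strings and dwords are decoded; hex blobs stay as text with their
    backslash-continued lines joined. The default value is named "".
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if line.endswith("\\"):                  # continued hex line
            pending = line[:-1]
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")      # value names never contain '='
        name = "" if name == "@" else _unquote(name)
        if data.startswith('"'):
            data = _unquote(data)
        elif data.startswith("dword:"):
            data = str(int(data[6:], 16))
        keys[current][name] = data
    return keys


def find_indicators(text: str) -> List[str]:
    """List every indicator from the write-up that is present in the export."""
    hits: List[str] = []
    for key, values in parse_reg_export(text).items():
        lkey = key.lower()
        for suffix, vname, needle in INDICATORS:
            if not lkey.endswith(suffix):
                continue
            for name, data in values.items():
                if (vname == ANY or name.lower() == vname) and needle in data.lower():
                    hits.append(f"{key}\\{name or '(Default)'} = {data}")
        # Active Setup component names are GUIDs; this worm's is not even hex.
        if r"\active setup\installed components\{" in lkey:
            if not GUID.match(key.rsplit("\\", 1)[-1]):
                hits.append(f"{key}: component name is not a valid GUID")
    return hits


def present_files(windir: str = os.environ.get("WINDIR", r"C:\Windows")) -> List[str]:
    """Return which of the worm's dropped files exist under %WinDir%."""
    return [p for p in (os.path.join(windir, f) for f in DROPPED_FILES) if os.path.exists(p)]


# Constructed export: the worm's entries plus a real Active Setup component
# and a stock firewall entry that must not be flagged.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"QnX"="C:\\WINDOWS\\system32\\qnx.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"QnX"="C:\\WINDOWS\\system32\\qnx.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.bat;.cmd;.pif;.scr;.mov;.mp3;.wav"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wind River Systems"="C:\\WINDOWS\\system32\\vxworks.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}]
"StubPath"="\"C:\\WINDOWS\\system32\\qnx.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\vxworks.exe"="C:\\WINDOWS\\system32\\vxworks.exe:*:Enabled:Explorer"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_EXPORT):
        print("HIT:", hit)
    print("dropped files present:", present_files() or "none")
```

Both hives should be exported and checked, since the worm persists under HKCU (Run and the Policies\Explorer\Run key, which Group Policy processes in addition to the ordinary Run key) and under HKLM (Run and Active Setup); the GUID check catches the Active Setup entry even if the StubPath data is changed in a later variant.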

 

How to remove W32/Xirtem@MM?

Always use the latest DATs and engine; this threat is detected and cleaned with that combination. Also scan any removable media and P2P shared folders used with the infected system, since the worm leaves copies of itself (and an autorun.inf) there and will re-infect from them.

Additional Windows ME/XP removal considerations