W32.Spex.B.Worm

Risk Level 1: Very Low


Discovered: November 26, 2003
Updated: February 13, 2007 12:14:21 PM
Also Known As: Worm.P2P.Specx [Kaspersky]
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When W32.Spex.B.Worm is executed, it performs the following actions:
  1. Attempts to terminate processes with the following names:
    • regedit.exe
    • msconfig.exe
    • netstat.exe
    • zonealarm.exe
    • zapro.exe
    • avp.exe
    • avpm.exe
    • avpcc.exe
    • avp32.exe
    • blackice.exe
    • blackd.exe
    • _avp.exe
    • _avpm.exe
    • _avpcc.exe
    • _avp32.exe
    • frw.exe
    • pcfwallicon.exe
    • cfinet.exe
    • cfinet32.exe
    • cfiaudit.exe
    • cfiadmin.exe
    • iamapp.exe
    • iamserv.exe
    • smc.exe
    • persfw.exe
    • lookout.exe
    • espwatch.exe
    • mpftray.exe
    • serv95.exe
    • nisum.exe
    • nmain.exe
    • serv95.exe

  2. Copies itself as %System%\iexplore32.exe.

    Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  3. Adds the value:

    "IELoader32"="%System%\iexplore32.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

  4. Displays a message box with the following caption:

    "Window Explorer Error"

    and the following text:

    "Execution error ( incompatible kernel )."

  5. Makes 389 copies of itself in the %System%\Drivers32 folder.

    Note: For a complete list of the added files, refer to the Additional Information section.

  6. Modifies the value:

    "Dir0"="012345:C:\WINNT\System32\drivers32"

    in the registry keys:
    • HKEY_CURRENT_USER\Software\KAZAA\LocalContent\
    • HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent

      which shares the Drivers32 folder through the KaZaA and iMesh file-sharing networks.

  7. Attempts to steal CD keys from the following computer games:
    • Soldier of Fortune II - Double Helix
    • Neverwinter Nights
    • Rainbow Six III RavenShield
    • Battlefield 1942 - The Road to Rome
    • Project IGI 2
    • Counter-Strike
    • Unreal Tournament 2003
    • Half-Life

  8. Connects to a predetermined IRC channel and notifies an attacker that the computer has been infected. The attacker can then issue commands to the infected computer through that channel.
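The indicators in steps 2, 3, 5 and 6 above (the dropped file, the Run value, the Drivers32 folder and the KaZaA/iMesh share value) can be checked from a single read-only script. The script below is an added example written for this page; it is not part of the Symantec writeup and not a vendor removal tool. It assumes the paths, file names and value names exactly as the writeup gives them, an elevated session on the host being checked, and PowerShell 3.0 or later (for Get-ChildItem -File); it only reports and removes nothing.

```powershell
# Added example (not from the writeup): report W32.Spex.B.Worm host indicators.
# Assumptions: indicator names/paths taken verbatim from the writeup; run elevated;
# PowerShell 3.0+ for Get-ChildItem -File. Read-only: nothing is deleted or changed.

function Test-SpexBIndicators {
    [CmdletBinding()]
    param()

    $findings = @()
    # Resolve %System% the same way the worm does (e.g. C:\Windows\System32).
    $system = [Environment]::GetFolderPath('System')

    # Step 2: the dropped copy of the worm in the System folder.
    $dropped = Join-Path $system 'iexplore32.exe'
    if (Test-Path -LiteralPath $dropped) {
        $findings += [pscustomobject]@{ Indicator = 'DroppedFile'; Detail = $dropped }
    }

    # Step 3: persistence value "IELoader32" under the HKLM Run key.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runVal = Get-ItemProperty -Path $runKey -Name 'IELoader32' -ErrorAction SilentlyContinue
    if ($runVal) {
        $findings += [pscustomobject]@{ Indicator = 'RunValue'; Detail = "IELoader32=$($runVal.IELoader32)" }
    }

    # Step 5: the Drivers32 folder the worm fills with copies of itself (389 per the writeup).
    $share = Join-Path $system 'Drivers32'
    if (Test-Path -LiteralPath $share -PathType Container) {
        $count = (Get-ChildItem -LiteralPath $share -File -ErrorAction SilentlyContinue | Measure-Object).Count
        $findings += [pscustomobject]@{ Indicator = 'Drivers32Folder'; Detail = "$share ($count files)" }
    }

    # Step 6: KaZaA / iMesh "Dir0" share entry pointing at the drivers32 folder.
    $p2pKeys = 'HKCU:\Software\KAZAA\LocalContent', 'HKCU:\Software\iMesh\Client\LocalContent'
    foreach ($p2pKey in $p2pKeys) {
        $dir0 = Get-ItemProperty -Path $p2pKey -Name 'Dir0' -ErrorAction SilentlyContinue
        if ($dir0 -and $dir0.Dir0 -match 'drivers32') {
            $findings += [pscustomobject]@{ Indicator = 'P2PShare'; Detail = "$p2pKey Dir0=$($dir0.Dir0)" }
        }
    }

    return $findings
}

# Usage: print a table of hits, or a clean result.
$hits = Test-SpexBIndicators
if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    'No W32.Spex.B.Worm indicators found.'
}
```

The Dir0 check matches on the folder name rather than the full "012345:C:\WINNT\System32\drivers32" string, because the drive and Windows directory vary by system while the shared folder name is the constant part of the indicator. Any hit on the Run value or the share entry should be treated as a live infection rather than a leftover, since both cause the worm to run or to be redistributed.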


Writeup By: Fergal Ladley