W32.Friendgreet.worm


Discovered: October 25, 2002
Updated: February 13, 2007 11:41:02 AM
Also Known As: Friendgreetings, WORM_FRIENDGRT.A [Trend], WORM_FRIENDGRT.B [Trend], Friend Greeting application [M, Friend Greeting application (I
Systems Affected: Windows


In October 2002, an electronic greeting card (e-card) that appeared to have the characteristics of a worm, was sent to thousands of email addresses.

Based on requests from Symantec's corporate customers, Security Response provided definitions that detect and block this program.

The installation of software associated with the e-card requires your permission for it to perform its mass-mailing functions. If you cancel the installation of the software, worm-like activities will not be performed.

As of January 2004, the original Web site, www.friendgreetings.com, to which the e-card is linked appears to be unavailable.




The following Web sites have been reported to host the installation package for W32.Friendgreet.worm. Security Response has not confirmed this. Also, other similarly named sites may exist.


System Restore option in Windows Me/XP
If your Symantec antivirus product continues to detect this threat in the Windows Me and Windows XP System Restore folders, temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, System Restore may back up the infected file. By default, Windows prevents outside programs from modifying System Restore. As a result, you could accidentally restore an infected file, or online scanners could detect the threat in that location. For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:
For additional information and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article "Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder", Article ID: Q263455.

Antivirus Protection Dates

  • Initial Rapid Release version October 28, 2002
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version October 28, 2002
  • Latest Daily Certified version August 09, 2016 revision 001
  • Initial Weekly Certified release date October 28, 2002




The e-card has the following characteristics:

Subject:  %recipient% you have an E-Card from %sender%.
Message:
Greetings!

%sender% has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You
can pickup your E-Card at the FriendGreetings.com by clicking on the link
below.

http:/ /www.friendgreetings.com/pickup/pickup.aspx?<extra content removed>

Message:
------------------------------------------------------------
%recipient%
I sent you a greeting card. Please pick it up.
%sender%
------------------------------------------------------------

If you click the link, you are asked whether you want to download software so that you can view the e-card:




The installer package requires that you accept two End User License Agreements (EULAs) to complete the installation. The following EULA explicitly states that, by accepting the agreement, you are authorizing the software to send an email to all the contacts in the Microsoft Outlook contact list.




  • If you do not accept the agreement, the software is not installed, and an e-card is not sent.
  • If you accept the agreement, the software is installed, and it sends the previously described e-card to all the contacts in the Microsoft Outlook contact list.


If you install this software, it does the following:
  • Adds the following registry keys:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7011471D-3F74-498E-88E1-C0491200312D}

    HKEY_LOCAL_MACHINE\Software\CLASSES\IEEvtCatcher.IEEvtCatcherObj.1

    HKEY_LOCAL_MACHINE\Software\CLASSES\IEEvtCatcher.IEEvtCatcherObj

    HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{3972ADCE-8737-45DE-A6E2-A253348E5A1E}

    HKEY_LOCAL_MACHINE\Software\CLASSES\Interface\{059D8C85-A00F-40AF-8078-7692A0A79F19}

    HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{7011471D-3F74-498E-88E1-C0491200312D}

    HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{7677C920-9CC3-4621-AF8C-AD45402DC2FD}

    HKEY_LOCAL_MACHINE\Software\CLASSES\IEMsgSvr.IEMsgSvrObj

    HKEY_LOCAL_MACHINE\Software\CLASSES\IEMsgSvr.IEMsgSvrObj.1

  • Adds these values:
    DisplayName WinSrv Reg

    UninstallString C:\Program Files\Common Files\Media\UNINSTAL.EXE C:\Program Files\Common Files\Media\INSTALL.LOG WinSrv Reg Uninstall

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinSrv Reg
  • Adds the value:
    PMedia C:\Program Files\Common Files\Media\winsrvc.exe

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • The installer also creates the following files:
    • C:\Program Files\Common Files\Media\Install.log
    • C:\Program Files\Common Files\Media\Otdock.dll
    • C:\Program Files\Common Files\Media\Otglove.dll
    • C:\Program Files\Common Files\Media\Otms.exe
    • C:\Program Files\Common Files\Media\Otupdate.exe
    • C:\Program Files\Common Files\Media\Uninstal.exe
    • C:\Program Files\Common Files\Media\Winsrvc.dat
    • C:\Program Files\Common Files\Media\Winsrvc.exe
    • C:\Program Files\Common Files\Media\NewBinary2.exe
    • C:\Program Files\Common Files\Media\NewBinary3.exe
    • C:\Program Files\Common Files\Media\NewBinary4.exe

NewBinary4.exe contains the worm's mass-mailing routine, which is performed via MAPI commands. It first looks for a file named C:\Progra~1\Common~1\As.ini and performs the mass-mailing routine only if that file does not exist. After it performs the mass-mailing, it creates C:\Progra~1\Common~1\As.ini, which is zero bytes in length.




These instructions pertain to all the current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Update the virus definitions.
  2. Restart the computer in Safe mode.
  3. Configure Windows to show all files.
  4. Remove the "WinSrv Reg" program and the "Friend Greetings" or "FG" program by using the Add/Remove Programs applet in the Control Panel.
  5. Run a full system scan, and delete all the files detected as W32.Friendgreet.worm.
  6. Delete the other files that the program added to the system.
  7. Reverse the changes that the program made to the registry.
For details on how to do this, read the following instructions.

1. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available. Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

2. Restarting the computer in Safe mode
All the Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions, read the document "How to start the computer in Safe Mode."

3. Configuring Windows to show all files
  1. Start Windows Explorer.
  2. Click the View menu (Windows 95/98/NT) or the Tools menu (Windows Me/2000/XP), and then click Options or Folder options.
  3. Click the View tab.
  4. Uncheck "Hide file extensions for known file types."
  5. Do one of the following:
    • Windows 95/NT: Click "Show all files."
    • Windows 98: In the Advanced settings box, under the "Hidden files" folder, click Show all files.
    • Windows Me/2000/XP: Uncheck "Hide protected operating system files," and under the "Hidden files" folder click "Show hidden files and folders."
  6. Click Apply, and then click OK.

4. Removing the "WinSrv Reg" and "Friend Greetings" programs
Uninstall the "WinSrv Reg" and/or the "Friend Greetings" and/or the "FG" program using the Add/Remove Programs applet in the Control Panel.

NOTE: The exact sequence of mouse clicks and button names vary depending on the version of Windows you are running. These instructions are for Windows 98. If you have questions about how to do this in other versions of Windows, read your Windows documentation.
  1. Click Start, point to Settings, and then click Control Panel.
  2. Double-click Add/Remove Programs.
  3. In the list, select "WinSrv Reg."
  4. Click Add/Remove, and follow the prompts.
  5. If "Friend Greetings" or "FG" is present in the list, select it, and then repeat step 4.

5. Scanning for and deleting the detected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with W32.Friendgreet.worm, click Delete.

NOTES:
  • There have been reports of this program leaving files in the Temporary Internet Files folder. If, after removing the program, your Symantec antivirus program continues to detect W32.Friendgreet.worm but cannot delete or quarantine it, we suggest that you delete the contents of the Web browser's Temporary Internet Files folder. See your Web browser documentation for instructions.
  • If you are using Windows Me or XP and your Symantec antivirus product continues to detect W32.Friendgreet.worm in the System Restore folder, read the "System Restore option in Windows Me/XP" instructions in the Additional Information section at the end of this document.

6. Deleting the other files the program added to the system
Use Windows Explorer to locate and delete these files:
  • C:\Program Files\Common Files\Media\Install.log
  • C:\Program Files\Common Files\Media\Otdock.dll
  • C:\Program Files\Common Files\Media\Otglove.dll
  • C:\Program Files\Common Files\Media\Otms.exe
  • C:\Program Files\Common Files\Media\Otupdate.exe
  • C:\Program Files\Common Files\Media\Uninstal.exe
  • C:\Program Files\Common Files\Media\Winsrvc.dat
  • C:\Program Files\Common Files\Media\Winsrvc.exe

7. Reversing the changes the program made to the registry

NOTE: Many, if not all, of these keys and values should have been removed when you uninstalled the program using Add/Remove Programs. This information is provided in case the uninstallation procedure failed. Even then, it is only necessary to remove the value that was added to the Run key (step 3); the other registry changes can be ignored.

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document "How to make a backup of the Windows registry" for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit, and then click OK. (The Registry Editor opens.)
  3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the following value:

    PMedia C:\Program Files\Common Files\Media\winsrvc.exe

  5. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinSrv Reg

  6. Navigate to and delete the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Friend Greetings

  7. In the right pane, delete the following values:

    DisplayName WinSrv Reg

    UninstallString C:\Program Files\Common Files\Media\UNINSTAL.EXE C:\Program Files\Common Files\Media\INSTALL.LOG WinSrv Reg Uninstall

  8. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects

  9. In the left pane, delete the following key:

    {7011471D-3F74-498E-88E1-C0491200312D}

  10. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\CLASSES

  11. In the left pane, delete the following keys:

    IEEvtCatcher.IEEvtCatcherObj.1

    IEEvtCatcher.IEEvtCatcherObj

    IEMsgSvr.IEMsgSvrObj.1

    IEMsgSvr.IEMsgSvrObj

  12. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID

  13. In the left pane, delete the following keys:

    {7011471D-3F74-498E-88E1-C0491200312D}
    {7677C920-9CC3-4621-AF8C-AD45402DC2FD}

  14. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\CLASSES\Interface

  15. In the left pane, delete the following key:

    {059D8C85-A00F-40AF-8078-7692A0A79F19}

  16. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib

  17. In the left pane, delete the following key:

    {3972ADCE-8737-45DE-A6E2-A253348E5A1E}

  18. Exit the Registry Editor.
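As an added example that is not part of the Symantec writeup, the following PowerShell script audits a host for the registry keys, values and files listed in the description above, including the As.ini marker that NewBinary4.exe writes after mailing, so you can confirm that the Add/Remove Programs uninstall and the registry steps left nothing behind. It assumes a default installation on drive C: (the $CommonMedia path is derived from %CommonProgramFiles%) and uses only the key and file names given in the writeup; it reports findings and changes nothing.

```powershell
# Added example (not from the Symantec writeup): read-only audit for the
# artifacts the writeup attributes to W32.Friendgreet.worm. Assumes a default
# C: installation so %CommonProgramFiles% is C:\Program Files\Common Files.
$CommonMedia = Join-Path ${env:CommonProgramFiles} 'Media'

# Registry keys the installer adds, plus the two Uninstall entries (from the writeup).
$Keys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7011471D-3F74-498E-88E1-C0491200312D}',
  'HKLM:\Software\Classes\IEEvtCatcher.IEEvtCatcherObj',
  'HKLM:\Software\Classes\IEEvtCatcher.IEEvtCatcherObj.1',
  'HKLM:\Software\Classes\IEMsgSvr.IEMsgSvrObj',
  'HKLM:\Software\Classes\IEMsgSvr.IEMsgSvrObj.1',
  'HKLM:\Software\Classes\CLSID\{7011471D-3F74-498E-88E1-C0491200312D}',
  'HKLM:\Software\Classes\CLSID\{7677C920-9CC3-4621-AF8C-AD45402DC2FD}',
  'HKLM:\Software\Classes\Interface\{059D8C85-A00F-40AF-8078-7692A0A79F19}',
  'HKLM:\Software\Classes\TypeLib\{3972ADCE-8737-45DE-A6E2-A253348E5A1E}',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinSrv Reg',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Friend Greetings'
)

# Files the installer creates, plus the zero-byte As.ini marker NewBinary4.exe
# writes after mailing (C:\Progra~1\Common~1 is the 8.3 name of Common Files).
$Files = @('Install.log', 'Otdock.dll', 'Otglove.dll', 'Otms.exe', 'Otupdate.exe',
           'Uninstal.exe', 'Winsrvc.dat', 'Winsrvc.exe',
           'NewBinary2.exe', 'NewBinary3.exe', 'NewBinary4.exe') |
         ForEach-Object { Join-Path $CommonMedia $_ }
$Files += Join-Path ${env:CommonProgramFiles} 'As.ini'

$Findings = @()

# The PMedia Run value is the persistence entry; the writeup says removing it
# is the one registry change that must not be skipped.
$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['PMedia']) {
  $Findings += "Run value PMedia still present: $($run.PMedia)"
}

foreach ($k in $Keys)  { if (Test-Path -LiteralPath $k) { $Findings += "Registry key present: $k" } }
foreach ($f in $Files) { if (Test-Path -LiteralPath $f) { $Findings += "File present: $f" } }

if ($Findings.Count -eq 0) {
  Write-Output 'No W32.Friendgreet.worm artifacts found.'
} else {
  $Findings | ForEach-Object { Write-Warning $_ }
  # Non-zero exit code so a fleet-wide run can flag hosts that still need cleanup.
  exit 1
}
```

Run it from an elevated PowerShell prompt after step 18; a non-zero exit code means one of the listed artifacts is still present and the corresponding step should be repeated.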