Surnova worm takes liking to peer-to-peer, IM networks |
 |
By Edward Hurley, News Writer
31 Jul 2002 | SearchSecurity |
|
|
A new worm is circulating, using popular peer-to-peer and instant messaging networks.
W32/Surnova-B (and similar variants called Win32.Supova.F) disguises itself as enticing applications such as a Windows XP key generator on Kazaa. When a Kazaa user downloads and executes the file, the worm tries to spread itself using MSN Messenger and through Kazaa.
"It baits the hook, like a big scrumptious worm to a fish," said Ian Hameroff, director of security solutions for Computer Associates. CA has rated the worm a low risk as it doesn't do any real damage to the system except copy itself, he said. The company has had only a handful of reports of it in the wild.
Surnova is the latest in a series of worms that use peer-to-peer sharing to spread. Last May, Worm.Kazaa.Benjamin made its way around the Kazaa network.
"Virus creators use what works," Hameroff said. E-mail is still the prevalent choice as it's still a very effective way to spread viruses. He recommends users of peer-to-peer networks take an extra step or two and scan all downloaded files for viruses and worms.
According to Sophos, when initially executed, Surnova copies itself to the Windows directory with one of the following filenames:
- Alles-ist-vorbei.exe
- Desktop-shooting.exe
- Hello-Kitty.exe
- BigMac.exe
- Cheese-Burger.exe
- Blaargh.exe
When Windows is run, Surnova displays a bogus error message: "Application attempted to read memory at 0xFFFFFFFFh Terminating application."
It then tries to copy itself to the folder used for sharing files on the Kazaa network. If the infected system doesn't have the folder then it copies itself to the Windows Media folder (usually C:Media).
Surnova copies itself 38 times to the folder using such enticing file names as:
- Windows XP key generator.exe
- Windows XP serial generator.exe
- Key generator for all windows XP versions.exe
- Warcraft 3 ONLINE key generator.exe
- Half-life ONLINE key generator.exe
- Quake 4 BETA.exe
- Grand theft auto 3 CD1 crack.exe
- GTA3 crack.exe
- Battle.net key generator (WORKS!!).exe
- Warcraft 3 battle.net serial generator.exe
- Half-life WON key generator.exe
- Star wars episode 2 downloader.exe
- Winzip 8.0 + serial.exe
- Winrar + crack.exe
- Britney spears nude.exe
- Macromedia MX key generator (all products).exe
- KaZaA media desktop v2.0 UNOFFICIAL.exe
- Microsoft key generator, works for ALL microsoft products!!.exe
- Microsoft Windows XP crack pack.exe
- Hack into any computer!!.exe
- DivX codec v6.0.exe
- DivX newest version.exe
- DivX.exe
- DivX pro key generator.exe
- Key generator for over 1,000 applications (really!).exe
- DivX patch - Increases quality.exe
- KaZaA spyware remover.exe
- Age of empires 2 crack.exe
- Norton antivirus 2002.exe
- XBOX emulator (WORKS!!).exe
- Macromedia Dreamweaver MX Key Generator.exe
- Macromedia Flash MX Key Generator.exe
- Microsoft Office XP (english) key generator.exe
- Microsoft Office XP.iso.exe
- CloneCD + crack.exe
- CloneCD all-versions key generator.exe
- Gamecube Emulator (WORKS!!).exe
- Xbox.info.exe
Additionally, Surnova also tries to spread itself to all the contacts in MSN Messenger contact list using one of the following messages:
- Hehe, check this out :-)
- Funny, check it out (h)
- LOL!! See this :D
- LOL!! Check this out :)
- Hehe, this is fun :-)
The worm also drops a harmless text file in the Windows folder which says:
W32.Supernova - Ban religion
Patch the leaks or the ship will sink
|
|
|
|
