W32/Spybot.worm.lk
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 08/11/2003
- Length: 99-277kb
- Minimum DAT: 4285 (08/13/2003)
- Updated DAT: 4625 (11/10/2005)
- Minimum Engine: 5.1.00
- Description Added: 03/05/2004
- Description Modified: 03/05/2004 10:50 AM (PT)
Characteristics
This detection covers a group of worms packed with a PE packer named Krypton. There are several subvariants in existence that differ in size because of random bytes added at the end of the binary image (possibly to fool some AV products that rely on MD5 detection).
This P2P worm uses IRC channels to provide backdoor and keylogging functionality.
Backdoor commands include:
- auth
- info
- passwords
- threads
- kill
- thread
- startkeylogger
- stopkeylogger
- listprocesses
- killprocess
- disconnect
- reconnect
- server
- quit
- reboot
- xxUninstall
- httpserver
- redirect
- raw
- spoofdsyn
- list
- delete
- rename
- execute
- makedir
- spy
- stopspy
- redirectspy
- stopredirectspy
- opencmd
- cmd
- get
- sendto
- scan
- kazaa
- backupfiles
Through the opened backdoor the attacker can retrieve the following information: CPU speed, RAM amount, disk space (total and used), Windows version (and build number), system uptime, local date/time, current user name, hostname, windir and systemdir.
Symptoms
- This group of worms is normally detected under the "W32/Spybot.worm.gen.h" name.
- Presence of "Mscorp32.exe" in %windir%\system32 folder
- Outgoing traffic on TCP port 6667 (IRC)
- Presence of the following files in %windir%\system32\kazaabackup folder:
  - zoneallarm_pro_crack.exe
  - AVP_Crack.exe
  - Porn.exe
  - Battlefield1942_bloodpatch.exe
  - Unreal2_bloodpatch.exe
  - UT2003_bloodpatch.exe
  - AquaNox2 Crack.exe
  - NBA2003_crack.exe
  - FIFA2003 crack.exe
  - C&C Generals_crack.exe
  - Windows XP Home Activation Crack.exe
  - Windows XP Pro Activation Crack
  - Windows XP Keygen.exe
  - Microsoft Visual Studios Crack.exe
  - Musicmatch crack.exe
  - DivX Crack.exe
  - Crack.exe
  - Winamp crack.exe
  - Nero5.5 crack.exe
  - DVD Copy Plus crack.exe
  - adaptec easy cd creator crack.exe
  - roxy's easy cd creator crack.exe
- After execution of the worm there will be some additional keys created in the Registry. On Windows 2000 systems they may look like this:
  - HKEY_LOCAL_MACHINE\Software\Krypton\C-WINNT-SYSTEM32-Mscorp32.exe
  - HKEY_LOCAL_MACHINE\Software\KAZAA
  - HKEY_LOCAL_MACHINE\Software\KAZAA\LocalContent
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce, value "NETD WIN32" referencing "Mscorp32.exe"
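As an added example (not part of the McAfee description), the symptoms above can be turned into a host triage check a responder runs over an inventory already collected from a suspect machine. The inventory shape (a list of file paths, a registry export as a dict, and a list of outbound connections) and the sample values are constructed for this example; the indicator strings come from the description.

```python
# Added example: triage a collected host inventory against the
# W32/Spybot.worm.lk symptoms. Inventory shape and samples are constructed.
SYSTEM32 = "c:\\winnt\\system32"            # Windows 2000 layout, as on the page
BACKUP = SYSTEM32 + "\\kazaabackup\\"
# Lure file names the worm drops in kazaabackup (from the description, lowercased)
KAZAA_LURES = {
    "zoneallarm_pro_crack.exe", "avp_crack.exe", "porn.exe",
    "battlefield1942_bloodpatch.exe", "unreal2_bloodpatch.exe",
    "ut2003_bloodpatch.exe", "aquanox2 crack.exe", "nba2003_crack.exe",
    "fifa2003 crack.exe", "c&c generals_crack.exe",
    "windows xp home activation crack.exe", "windows xp pro activation crack",
    "windows xp keygen.exe", "microsoft visual studios crack.exe",
    "musicmatch crack.exe", "divx crack.exe", "crack.exe", "winamp crack.exe",
    "nero5.5 crack.exe", "dvd copy plus crack.exe",
    "adaptec easy cd creator crack.exe", "roxy's easy cd creator crack.exe",
}
RUNONCE = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\runonce"

def assess_host(files, registry, connections):
    """files: full paths on the host; registry: {key: {value_name: data}};
    connections: (proto, remote_ip, remote_port) tuples. Returns matched indicators."""
    hits = []
    paths = {p.lower() for p in files}
    if SYSTEM32 + "\\mscorp32.exe" in paths:
        hits.append("dropper: Mscorp32.exe in system32")
    lures = [p for p in paths if p.startswith(BACKUP) and p[len(BACKUP):] in KAZAA_LURES]
    if lures:
        hits.append(f"kazaabackup: {len(lures)} known lure file(s)")
    keys = {k.lower(): v for k, v in registry.items()}
    for name, data in keys.get(RUNONCE, {}).items():
        if name.lower() == "netd win32" and "mscorp32.exe" in str(data).lower():
            hits.append("persistence: RunOnce 'NETD WIN32' -> Mscorp32.exe")
    if any(k.startswith("hkey_local_machine\\software\\krypton\\") for k in keys):
        hits.append("Krypton packer key under HKLM\\Software")
    if any(proto.lower() == "tcp" and port == 6667 for proto, _ip, port in connections):
        hits.append("network: outbound TCP/6667 (IRC)")
    return hits

# Constructed sample inventory of an infected Windows 2000 host
SAMPLE_FILES = [
    "C:\\WINNT\\system32\\Mscorp32.exe",
    "C:\\WINNT\\system32\\kazaabackup\\Windows XP Keygen.exe",
]
SAMPLE_REGISTRY = {
    "HKEY_LOCAL_MACHINE\\Software\\Krypton\\C-WINNT-SYSTEM32-Mscorp32.exe": {},
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce":
        {"NETD WIN32": "C:\\WINNT\\system32\\Mscorp32.exe"},
}
SAMPLE_CONNECTIONS = [("tcp", "192.0.2.10", 6667), ("tcp", "192.0.2.20", 80)]
```

A single lure file name in kazaabackup is a weaker signal than the dropper plus the RunOnce value, so treat the returned list as evidence to weigh, not a verdict on its own.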
Method of Infection
When executed, the worm copies itself to the system folder as Mscorp32.exe, launches that copy, and deletes the original. Mscorp32.exe then tries to connect to several IRC servers to report the successful infection in a built-in IRC channel.
The worm creates copies of itself in the "kazaabackup" folder (creating the folder if it does not exist) under a series of enticing names (see above). When someone downloads one of these copies through a Kazaa-compatible file-sharing network and executes it, the cycle repeats.
It can also copy itself to computers already compromised by Backdoor-Sub7 or W95/Kuang2.svr.
Removal
All Users: Use the specified engine and DAT files for detection and removal.
If you are using P2P software (Kazaa, Gnotella, Bearshare, Morpheus, eDonkey, eMule, etc.), be very careful with downloaded executable files.
Please make sure that scanning of compressed files is enabled. Always scan downloaded files with the latest DATs and with program heuristics enabled.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.