W32/Derdero.a@MM

Type: Virus
SubType: E-mail
Discovery Date: 02/18/2005
Length: 270,336
Minimum DAT: 4430 (02/18/2005)
Updated DAT: 4438 (03/02/2005)
Minimum Engine: 5.1.00
Description Added: 02/18/2005
Description Modified: 02/18/2005 6:15 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a mass-mailing virus that bears the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • infects files by prepending itself to them

The virus is proactively detected as New Malware.b with DATs 4232 or higher when heuristic scanning is enabled.

When run, the virus displays a fake error message box "Runtime error '4': String out of bounds".

The virus creates the following files in the Windows system32 directory:

  • detroit.txt
  • exe64.sys
  • SysHeal.exe
  • thunk32.exe
  • zip64.sys

It creates the following registry key in order to load itself at Windows startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "32-bit Thunking service" = "%SysDir%\thunk32.exe "

It copies itself to any folder whose name contains the string "shar", using the following filenames:

  • Nero ACID new cd burning and p2p.exe
  • Internet Explorer 7.exe
  • Nero ACID new cd burning and p2p.exe
  • Snood new version.exe
  • Tits.mpeg                                                .scr
  • Visual Studio.NET.FULL.rar                                                   .exe
  • WinAmp 5 Crack.exe
  • Windows XP crack.zip                                              .exe
  • Windows XP Pro SP2.pif
  • Young teen gets reamed.mpg       

It also creates files whose names are long runs of blank characters ending in a ".exe" or ".pif" extension, so the real extension is easily overlooked.

The virus harvests email addresses from files on the local machine and uses its own SMTP engine to send mail. The messages it sends have the following characteristics:

From: (one of the following sender names)@(collected addresses)

  • administration
  • management
  • service
  • userhelp

Subject: (one of the following)

  • Urgent Update!
  • Server Error
  • AHKER.C Alert
  • URGENT PLEASE READ!
  • Detailed Information
  • User Information
  • New Worm Alert
  • Malware Avoidance tips

Body: (one of the following)

  • Our Email system has received reports of your account flooding email servers. There is more information on this matter in the attachment
  • Our server is experiencing some latency in our email service. The attachment contains details on how your account will be affected.
  • Please run the urgent patch attached to protect yourself from a new worm
  • There is urgent information in the attachment regarding your Email account
  • Your Email account information has been removed from the system due to inactivity. To renew your account information refer to the attachment
  • We regret to inform you that your account has been hijacked and used for illegal purposes. The attachment has more information about what has happened.
  • Due to recent internet attacks, your Email account security is being upgraded. The attachment contains more details
  • A new worm is circulating around. To protect yourself, read the attached document
  • As a service to our users, we have attached a note on avoiding malware.

Attachment: (one of the following file names)

  • Update
  • Details
  • Information
  • Gift
  • Word_Document
  • Account_Information
  • Malware_prevention_tips
  • Patch

with the following extension:

  • .bmp.cmd
  • .cmd
  • .doc.pif
  • .exe
  • .pif
  • .scr
  • .txt.exe
  • .zip
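
The sender, subject and attachment-name characteristics above are enough to write a simple mail-gateway check. The following Python is an added example, not part of the original description: it parses a raw message with the standard library and scores how many of the three listed indicators match, treating the double extensions (".doc.pif", ".txt.exe", ".bmp.cmd") before the plain ones. The sample message and the example.invalid addresses are constructed for the demonstration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

SENDER_NAMES = {"administration", "management", "service", "userhelp"}
SUBJECTS = {"urgent update!", "server error", "ahker.c alert", "urgent please read!",
            "detailed information", "user information", "new worm alert", "malware avoidance tips"}
ATTACH_NAMES = {"update", "details", "information", "gift", "word_document",
                "account_information", "malware_prevention_tips", "patch"}
# Double extensions listed first so ".doc.pif" is matched before ".pif".
ATTACH_EXTS = (".bmp.cmd", ".doc.pif", ".txt.exe", ".cmd", ".exe", ".pif", ".scr", ".zip")


def attachment_matches(filename):
    """True if the name is a listed base name followed by a listed extension."""
    name = filename.strip().lower()
    for ext in ATTACH_EXTS:
        if name.endswith(ext):
            return name[:-len(ext)] in ATTACH_NAMES
    return False


def score_message(raw):
    """Score a raw RFC 822 message: one point each for a matching sender local
    part, subject and attachment name, so 3 means every indicator matched."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    local = parseaddr(msg.get("From", ""))[1].split("@")[0].lower()
    if local in SENDER_NAMES:
        reasons.append("sender " + local)
    subject = msg.get("Subject", "").strip().lower()
    if subject in SUBJECTS:
        reasons.append("subject " + subject)
    for part in msg.iter_attachments():
        if attachment_matches(part.get_filename() or ""):
            reasons.append("attachment " + part.get_filename())
            break
    return len(reasons), reasons


# Constructed sample (not a real capture) that hits all three indicators.
SAMPLE = """\
From: administration@example.invalid
Subject: Urgent Update!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Patch.doc.pif"
Content-Disposition: attachment; filename="Patch.doc.pif"

TVo=
--b1--
"""
```

A score of 3 is a strong match for this family; a lone attachment hit still deserves quarantine because of the double extension.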

The virus searches for executable files on the local machine and prepends itself to any files it finds.
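
Because the virus prepends itself and its length is given above as 270,336 bytes, an infected executable should carry a second PE image starting exactly at that offset. The following Python is an added example, not from the original description: it checks a file for that layout and recovers the host image. It assumes the infected file is the unmodified virus body followed immediately by the unmodified host (no padding, encryption or trailer), which the page does not state; the fake PE images are constructed for the test.

```python
import struct

VIRUS_LENGTH = 270_336  # virus body length, as stated in the description above


def is_pe_at(data, offset):
    """True if a PE image (MZ stub whose e_lfanew points at 'PE\\0\\0') starts at offset."""
    if len(data) < offset + 0x40 or data[offset:offset + 2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    return data[offset + e_lfanew:offset + e_lfanew + 4] == b"PE\0\0"


def looks_prepended(data, virus_length=VIRUS_LENGTH):
    """A prepending infector writes its own body first and the original host
    after it, so an infected file holds a second PE image exactly
    virus_length bytes in. Assumes the host is stored unmodified."""
    return is_pe_at(data, 0) and is_pe_at(data, virus_length)


def recover_host(data, virus_length=VIRUS_LENGTH):
    """Return the original host image (everything after the prepended body), or
    None when the file does not look like a prepended infection."""
    return data[virus_length:] if looks_prepended(data, virus_length) else None


def make_fake_pe(tag, size):
    """Constructed stand-in image for testing: MZ stub, e_lfanew -> 'PE\\0\\0',
    a tag to tell images apart, zero padding to the requested size."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    body = bytes(hdr) + b"PE\0\0" + tag
    return body + b"\0" * (size - len(body))
```

On a real system the recovered host should still be replaced from a known-good source rather than trusted, since the check cannot tell whether the virus altered the host before prepending.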

The virus terminates a list of antivirus application processes.

Symptoms

Existence of the registry key and files mentioned above.

Method of Infection

The virus propagates via SMTP mail and file sharing.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • PE_DERDERO.A (Trend)
  • W32.Derdero.A@mm (Symantec)
  • Win32.HLLP.Dermedo (Dr.Web)
