Worm.Serflog
Category: Trojan
Risk: Severe
* Severe threats are typically remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any user interaction, and exploits are in the wild. There is a high likelihood of system damage or a security flaw being introduced. An attacker could gain complete control over your computer or install new software on it.
Description: Worm.Serflog is a worm that spreads through file-sharing networks and MSN Messenger. It also lowers security settings, blocks access to security-related Web sites and terminates security-related programs.

Once executed, W32.Serflog.A performs the following actions:

Closes windows whose titles contain any of the following strings:
  ADWARE, ALERTS, ANTI, AUTOSTARTED, Avg, BENIGN, BLOCKER, BUG, BULLGUARD, BUSTER, CENTER, -CILLIN, CLEANER, CMD, Command, DESTROY, DETECTION, DOCTOR, EARTHLINK, EDITOR, ELIMINATE, EYE, FIGHT, Filter, FIREWALL, FIX, FIXING, HEAL, HELP, HUNTER, KERIO, Kill, LABS, LIVEUPDATE, MALWARE, MALWHERE, MCAFEE, NETCOP, NOD32, NORTON, PANDA, PROMPT, PROTECTOR, REGISTRY, REMOVAL, RESTORE, SANDBOX, SCAN, SECURE, SECURITY, SOPHOS, SPY, SPYBOT, SPYWARE, STOPPER, SWEEPER, TASK, TOOL, TREND, Update, VCATCH, VIRUS, WATCH, WORM
  This may result in the following being disabled: registry editing programs, the command line, process monitoring programs and Task Manager.

Creates the following hidden copies of itself:
  %System%\formatsys.exe
  %System%\serbw.exe
  %Windir%\msmbw.exe
  %SystemDrive%\Crazy frog gets killed by train!.pif
  %SystemDrive%\Annoying crazy frog getting killed.pif
  %SystemDrive%\See my lesbian friends.pif
  %SystemDrive%\LOL that ur pic!.pif
  %SystemDrive%\My new photo!.pif
  %SystemDrive%\Me on holiday!.pif
  %SystemDrive%\The Cat And The Fan piccy.pif
  %SystemDrive%\How a Blonde Eats a Banana...pif
  %SystemDrive%\Mona Lisa Wants Her Smile Back.pif
  %SystemDrive%\Topless in Mini Skirt! lol.pif
  %SystemDrive%\Fat Elvis! lol.pif
  %SystemDrive%\Jennifer Lopez.scr
  %SystemDrive%\lspt.exe
  %UserProfile%\Local Settings\Application Data\Microsoft\CD Burning\autorun.exe

Drops the following hidden files:
  %SystemDrive%\British National Party.jpg
  %SystemDrive%\Crazy-Frog.Html
  %SystemDrive%\Message to n00b LARISSA.txt

Deletes the following file, if it exists:
  %SystemDrive%\MESSAGE_TO_BROPIA.txt

Adds the value "[Value]" = "[File name]" to the registry subkeys:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
so that the worm is executed every time Windows starts. [Value] is one of serpe, ltwob or avnort, and [File name] is one of %System%\formatsys.exe, %System%\serbw.exe or %Windir%\msmbw.exe.

Sends a copy of itself to all contacts in MSN Messenger using one of the following file names:
  Crazy frog gets killed by train!.pif
  Annoying crazy frog getting killed.pif
  See my lesbian friends.pif
  My new photo!.pif
  Me on holiday!.pif
  The Cat And The Fan piccy.pif
  How a Blonde Eats a Banana...pif
  Mona Lisa Wants Her Smile Back.pif
  Topless in Mini Skirt! lol.pif
  Fat Elvis! lol.pif
  Jennifer Lopez.scr

Copies itself to the following folders, which are used by various file-sharing applications:
  %SystemDrive%\My Shared Folder
  %UserProfile%\Shared
  %ProgramFiles%\Program Files\eMule\Incoming
In those folders the worm uses the following file names:
  Messenger Plus! 3.50.exe
  MSN all version polygamy.exe
  MSN nudge bomb.exe

Adds the text OPEN=autorun.exe to the following file, so that the worm's autorun.exe copy is launched from any CD burned from that folder:
  %SystemDrive%\Documents and Settings\[Username]\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf
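A read-only triage check for the persistence artifacts listed above, added here as an example and not part of the THR Computer Solutions write-up. It assumes %System% maps to $env:SystemRoot\System32 and the "CD Burning" folder to $env:LOCALAPPDATA (the XP-era "Local Settings\Application Data" path); it only reports what it finds and removes nothing.

```powershell
# Added triage example: report Worm.Serflog persistence artifacts described on this page.
# Assumptions: %System% = $env:SystemRoot\System32; CD Burning folder under $env:LOCALAPPDATA.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$valueNames = 'serpe', 'ltwob', 'avnort'          # [Value] names the worm writes
$droppedFiles = @(                               # [File name] targets plus the root-drive copy
    "$env:SystemRoot\System32\formatsys.exe",
    "$env:SystemRoot\System32\serbw.exe",
    "$env:SystemRoot\msmbw.exe",
    "$env:SystemDrive\lspt.exe"
)
$autorunInf = Join-Path $env:LOCALAPPDATA 'Microsoft\CD Burning\autorun.inf'

$findings = @()

# 1. Run-key persistence: any of the three value names under any of the five keys.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -ne $prop) {
            $findings += "Run value '$name' under $key -> $($prop.Value)"
        }
    }
}

# 2. Dropped executables (hidden attribute does not stop Test-Path); hash for later comparison.
foreach ($path in $droppedFiles) {
    if (Test-Path -LiteralPath $path) {
        $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        $findings += "Dropped file present: $path (MD5 $md5)"
    }
}

# 3. CD Burning autorun.inf pointing at autorun.exe.
if (Test-Path -LiteralPath $autorunInf) {
    if (Select-String -LiteralPath $autorunInf -Pattern '^\s*OPEN\s*=\s*autorun\.exe' -Quiet) {
        $findings += "autorun.inf launches autorun.exe: $autorunInf"
    }
}

if ($findings.Count -eq 0) { 'No Worm.Serflog persistence artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it in an elevated PowerShell session so the HKLM keys are readable; a hit on a Run value whose data points at one of the three listed paths is the strongest indicator, since the value names alone could collide with unrelated software.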
Alias: W32.Serflog.A
Signatures:
process: serbw.exe: MD5 Hash: 4f9bbfc2edf99bccf05..
Copyright ©2006 THR Computer Solutions: Worm.Serflog