Virus

W32/Shower

Analysis

  • Virus is 32-bit with a file size of 65,536 bytes and was coded using Visual Basic 6 – the virus therefore depends on the VB runtime MSVBVM60.DLL
  • Virus searches the registry for the shared folder of Morpheus and Kazaa, both peer-to-peer file sharing applications. If the directory for either is found, the virus may create a new folder called “Shared files” in the Windows\System folder and copy itself there under many enticing file names, so that other users' keyword searches find and inadvertently download it (social engineering)
  • The files created may be the following –

    c:\WINDOWS\SYSTEM\Shared Files\!!!.exe
    c:\WINDOWS\SYSTEM\Shared Files\3-d.exe
    c:\WINDOWS\SYSTEM\Shared Files\666.exe
    c:\WINDOWS\SYSTEM\Shared Files\AdvZip Recovery.exe
    c:\WINDOWS\SYSTEM\Shared Files\AIM Pass stealer.exe
    c:\WINDOWS\SYSTEM\Shared Files\aimcracker.exe
    c:\WINDOWS\SYSTEM\Shared Files\aimhacker.exe
    c:\WINDOWS\SYSTEM\Shared Files\ain't it funny.exe
    c:\WINDOWS\SYSTEM\Shared Files\Alicia Keys.exe
    c:\WINDOWS\SYSTEM\Shared Files\Alicia Silverstone Payboy Nude.exe
    c:\WINDOWS\SYSTEM\Shared Files\AMI BIOS Cracker.exe
    c:\WINDOWS\SYSTEM\Shared Files\anastasia_anal.exe
    c:\WINDOWS\SYSTEM\Shared Files\anastasia_naked.exe
    c:\WINDOWS\SYSTEM\Shared Files\anastasia_nude.exe
    c:\WINDOWS\SYSTEM\Shared Files\Angeline.exe
    c:\WINDOWS\SYSTEM\Shared Files\Anneke girl.exe
    c:\WINDOWS\SYSTEM\Shared Files\Art.exe
    c:\WINDOWS\SYSTEM\Shared Files\Autocad 2002 Crack.exe
    c:\WINDOWS\SYSTEM\Shared Files\avi.exe
    c:\WINDOWS\SYSTEM\Shared Files\Bach.exe
    c:\WINDOWS\SYSTEM\Shared Files\Backstreet Boys.exe
    c:\WINDOWS\SYSTEM\Shared Files\Band.exe
    c:\WINDOWS\SYSTEM\Shared Files\bat.exe
    c:\WINDOWS\SYSTEM\Shared Files\Beat.exe
    c:\WINDOWS\SYSTEM\Shared Files\Beethoven.exe
    c:\WINDOWS\SYSTEM\Shared Files\Best of.exe
    c:\WINDOWS\SYSTEM\Shared Files\Best.exe
    c:\WINDOWS\SYSTEM\Shared Files\Brad Pitt body.exe
    c:\WINDOWS\SYSTEM\Shared Files\Brad Pitt.exe
    c:\WINDOWS\SYSTEM\Shared Files\Britney Spears Dance Beat.exe
    c:\WINDOWS\SYSTEM\Shared Files\buttman.exe
    c:\WINDOWS\SYSTEM\Shared Files\bye bye bye.exe
    c:\WINDOWS\SYSTEM\Shared Files\catherine_zeta_jones_anal.exe
    c:\WINDOWS\SYSTEM\Shared Files\catherine_zeta_jones_naked.exe
    c:\WINDOWS\SYSTEM\Shared Files\catherine_zeta_jones_nude.exe
    c:\WINDOWS\SYSTEM\Shared Files\Cinema.exe
    c:\WINDOWS\SYSTEM\Shared Files\Classic.exe
    c:\WINDOWS\SYSTEM\Shared Files\Collection.exe
    c:\WINDOWS\SYSTEM\Shared Files\Counter Strike_CD_Keygen.exe
    c:\WINDOWS\SYSTEM\Shared Files\crack.exe
    c:\WINDOWS\SYSTEM\Shared Files\Dance.exe
    c:\WINDOWS\SYSTEM\Shared Files\Death.exe
    c:\WINDOWS\SYSTEM\Shared Files\Delphi 5 Keygen.exe
    c:\WINDOWS\SYSTEM\Shared Files\Delphi 6 Keygen.exe
    c:\WINDOWS\SYSTEM\Shared Files\Destiny's Child.exe
    c:\WINDOWS\SYSTEM\Shared Files\Dido.exe
    c:\WINDOWS\SYSTEM\Shared Files\Digimon.exe
    c:\WINDOWS\SYSTEM\Shared Files\divx_fix.exe
    c:\WINDOWS\SYSTEM\Shared Files\divx_repair.exe
    c:\WINDOWS\SYSTEM\Shared Files\dll.exe
    c:\WINDOWS\SYSTEM\Shared Files\Doom patch.exe
    c:\WINDOWS\SYSTEM\Shared Files\dracule.exe
    c:\WINDOWS\SYSTEM\Shared Files\Dream.exe
    c:\WINDOWS\SYSTEM\Shared Files\Driver.exe
    c:\WINDOWS\SYSTEM\Shared Files\edonkey_serverlist.exe
    c:\WINDOWS\SYSTEM\Shared Files\Eminem gun.exe
    c:\WINDOWS\SYSTEM\Shared Files\Exe.exe
    c:\WINDOWS\SYSTEM\Shared Files\fake.exe
    c:\WINDOWS\SYSTEM\Shared Files\Fire.exe
    c:\WINDOWS\SYSTEM\Shared Files\Free Mpegs.exe
    c:\WINDOWS\SYSTEM\Shared Files\ftp_cracker.exe
    c:\WINDOWS\SYSTEM\Shared Files\ftp_hacker.exe
    c:\WINDOWS\SYSTEM\Shared Files\Gathering.exe
    c:\WINDOWS\SYSTEM\Shared Files\get the party started.exe
    c:\WINDOWS\SYSTEM\Shared Files\God.exe
    c:\WINDOWS\SYSTEM\Shared Files\Greek.exe
    c:\WINDOWS\SYSTEM\Shared Files\hack.exe
    c:\WINDOWS\SYSTEM\Shared Files\Half_life Cd keygen.exe
    c:\WINDOWS\SYSTEM\Shared Files\Harry Poter.exe
    c:\WINDOWS\SYSTEM\Shared Files\Hell on earth.exe
    c:\WINDOWS\SYSTEM\Shared Files\hey baby.exe
    c:\WINDOWS\SYSTEM\Shared Files\host_faker.exe
    c:\WINDOWS\SYSTEM\Shared Files\host_spoofer.exe
    c:\WINDOWS\SYSTEM\Shared Files\Hotmail Hacker.exe
    c:\WINDOWS\SYSTEM\Shared Files\hotmail_account_sniffer.exe
    c:\WINDOWS\SYSTEM\Shared Files\hotmailcracker.exe
    c:\WINDOWS\SYSTEM\Shared Files\hotmailhacker.exe
    c:\WINDOWS\SYSTEM\Shared Files\ICQ_Hackingtools.exe
    c:\WINDOWS\SYSTEM\Shared Files\icqcracker.exe
    c:\WINDOWS\SYSTEM\Shared Files\icqhacker.exe
    c:\WINDOWS\SYSTEM\Shared Files\ident_faker.exe
    c:\WINDOWS\SYSTEM\Shared Files\ident_spoofer.exe
    c:\WINDOWS\SYSTEM\Shared Files\IIS_shellbind_exploit.exe
    c:\WINDOWS\SYSTEM\Shared Files\invisible_IP.exe
    c:\WINDOWS\SYSTEM\Shared Files\ip_faker.exe
    c:\WINDOWS\SYSTEM\Shared Files\ip_spoofer.exe
    c:\WINDOWS\SYSTEM\Shared Files\Irc Client.exe
    c:\WINDOWS\SYSTEM\Shared Files\Iron-Maiden.exe
    c:\WINDOWS\SYSTEM\Shared Files\James Bond.exe
    c:\WINDOWS\SYSTEM\Shared Files\Jennifer Lopez body.exe
    c:\WINDOWS\SYSTEM\Shared Files\John.exe
    c:\WINDOWS\SYSTEM\Shared Files\Join.exe
    c:\WINDOWS\SYSTEM\Shared Files\jpeg.exe
    c:\WINDOWS\SYSTEM\Shared Files\jpg.exe
    c:\WINDOWS\SYSTEM\Shared Files\Julia Roberts.exe
    c:\WINDOWS\SYSTEM\Shared Files\Kama Sutra.exe
    c:\WINDOWS\SYSTEM\Shared Files\kazaa.exe
    c:\WINDOWS\SYSTEM\Shared Files\Kill.exe
    c:\WINDOWS\SYSTEM\Shared Files\Kiss.exe
    c:\WINDOWS\SYSTEM\Shared Files\kmd151_en.exe
    c:\WINDOWS\SYSTEM\Shared Files\linux_root.exe
    c:\WINDOWS\SYSTEM\Shared Files\Linux_rootaccess.exe
    c:\WINDOWS\SYSTEM\Shared Files\Load.exe
    c:\WINDOWS\SYSTEM\Shared Files\Lord of the Rings.exe
    c:\WINDOWS\SYSTEM\Shared Files\Love.exe
    c:\WINDOWS\SYSTEM\Shared Files\Madonna.exe
    c:\WINDOWS\SYSTEM\Shared Files\Mail.exe
    c:\WINDOWS\SYSTEM\Shared Files\Mama.exe
    c:\WINDOWS\SYSTEM\Shared Files\Matrix.exe
    c:\WINDOWS\SYSTEM\Shared Files\Metal.exe
    c:\WINDOWS\SYSTEM\Shared Files\Michael Jackson.exe
    c:\WINDOWS\SYSTEM\Shared Files\Michael.exe
    c:\WINDOWS\SYSTEM\Shared Files\Money.exe
    c:\WINDOWS\SYSTEM\Shared Files\Movie.exe
    c:\WINDOWS\SYSTEM\Shared Files\Mozart.exe
    c:\WINDOWS\SYSTEM\Shared Files\mp3.exe
    c:\WINDOWS\SYSTEM\Shared Files\mpeg.exe
    c:\WINDOWS\SYSTEM\Shared Files\msn_IP_finder.exe
    c:\WINDOWS\SYSTEM\Shared Files\msncracker.exe
    c:\WINDOWS\SYSTEM\Shared Files\msnhacker.exe
    c:\WINDOWS\SYSTEM\Shared Files\MTV live.exe
    c:\WINDOWS\SYSTEM\Shared Files\Music.exe
    c:\WINDOWS\SYSTEM\Shared Files\Nirvana.exe
    c:\WINDOWS\SYSTEM\Shared Files\Office key Gen.exe
    c:\WINDOWS\SYSTEM\Shared Files\Office XP Crack.exe
    c:\WINDOWS\SYSTEM\Shared Files\OfficeXP_Keygen.exe
    c:\WINDOWS\SYSTEM\Shared Files\Pack.exe
    c:\WINDOWS\SYSTEM\Shared Files\pamela_anderson_anal.exe
    c:\WINDOWS\SYSTEM\Shared Files\pamela_anderson_naked.exe
    c:\WINDOWS\SYSTEM\Shared Files\pamela_anderson_nude.exe
    c:\WINDOWS\SYSTEM\Shared Files\Peace.exe
    c:\WINDOWS\SYSTEM\Shared Files\Pink.exe
    c:\WINDOWS\SYSTEM\Shared Files\Pokemon.exe
    c:\WINDOWS\SYSTEM\Shared Files\Pop.exe
    c:\WINDOWS\SYSTEM\Shared Files\porn_account_cracker.exe
    c:\WINDOWS\SYSTEM\Shared Files\porn_account_hacker.exe
    c:\WINDOWS\SYSTEM\Shared Files\Portishead.exe
    c:\WINDOWS\SYSTEM\Shared Files\Pray.exe
    c:\WINDOWS\SYSTEM\Shared Files\PS1 BootCD.exe
    c:\WINDOWS\SYSTEM\Shared Files\PS2 BootCD.exe
    c:\WINDOWS\SYSTEM\Shared Files\PS2_emulator_bleem.exe
    c:\WINDOWS\SYSTEM\Shared Files\Quake.exe
    c:\WINDOWS\SYSTEM\Shared Files\Requiem.exe
    c:\WINDOWS\SYSTEM\Shared Files\Ricky Martin's body.exe
    c:\WINDOWS\SYSTEM\Shared Files\Robert Redford.exe
    c:\WINDOWS\SYSTEM\Shared Files\Rock.exe
    c:\WINDOWS\SYSTEM\Shared Files\Rotting Christ.exe
    c:\WINDOWS\SYSTEM\Shared Files\sandra_bullock_naked.exe
    c:\WINDOWS\SYSTEM\Shared Files\sandra_bullock_nude.exe
    c:\WINDOWS\SYSTEM\Shared Files\sarah_michelle_gellar_naked.exe
    c:\WINDOWS\SYSTEM\Shared Files\sarah_michelle_gellar_nude.exe
    c:\WINDOWS\SYSTEM\Shared Files\Satan.exe
    c:\WINDOWS\SYSTEM\Shared Files\Shakira Dancing.exe
    c:\WINDOWS\SYSTEM\Shared Files\shakira_a -sf - -ked.exe
    c:\WINDOWS\SYSTEM\Shared Files\shakira_anal.exe
    c:\WINDOWS\SYSTEM\Shared Files\shakira_naked.exe
    c:\WINDOWS\SYSTEM\Shared Files\shakira_nude.exe
    c:\WINDOWS\SYSTEM\Shared Files\shakira_paparazzi_collection.exe
    c:\WINDOWS\SYSTEM\Shared Files\Sleep.exe
    c:\WINDOWS\SYSTEM\Shared Files\Smoke.exe
    c:\WINDOWS\SYSTEM\Shared Files\Soldier Of Fortune 2 Mutiplayer Serial Hack.exe
    c:\WINDOWS\SYSTEM\Shared Files\Sound.exe
    c:\WINDOWS\SYSTEM\Shared Files\Soundtrack.exe
    c:\WINDOWS\SYSTEM\Shared Files\Spider.exe
    c:\WINDOWS\SYSTEM\Shared Files\Spiderman.exe
    c:\WINDOWS\SYSTEM\Shared Files\Spielberg.exe
    c:\WINDOWS\SYSTEM\Shared Files\Star.exe
    c:\WINDOWS\SYSTEM\Shared Files\Sting.exe
    c:\WINDOWS\SYSTEM\Shared Files\Stone.exe
    c:\WINDOWS\SYSTEM\Shared Files\Sub7_masterpwd.exe
    c:\WINDOWS\SYSTEM\Shared Files\Suicide.exe
    c:\WINDOWS\SYSTEM\Shared Files\Superman.exe
    c:\WINDOWS\SYSTEM\Shared Files\Supermodels.exe
    c:\WINDOWS\SYSTEM\Shared Files\Title.exe
    c:\WINDOWS\SYSTEM\Shared Files\Tom Cruise.exe
    c:\WINDOWS\SYSTEM\Shared Files\tripod_cracker.exe
    c:\WINDOWS\SYSTEM\Shared Files\tripod_hacker.exe
    c:\WINDOWS\SYSTEM\Shared Files\Tsalikis.exe
    c:\WINDOWS\SYSTEM\Shared Files\U2.exe
    c:\WINDOWS\SYSTEM\Shared Files\Vimpire.exe
    c:\WINDOWS\SYSTEM\Shared Files\War.exe
    c:\WINDOWS\SYSTEM\Shared Files\win2k_pass_decryptor.exe
    c:\WINDOWS\SYSTEM\Shared Files\Win2k_reboot_exploit.exe
    c:\WINDOWS\SYSTEM\Shared Files\win2k_serial.exe
    c:\WINDOWS\SYSTEM\Shared Files\Windows_Keygen_allver.exe
    c:\WINDOWS\SYSTEM\Shared Files\winxp_crack.exe
    c:\WINDOWS\SYSTEM\Shared Files\winxp_cracker.exe
    c:\WINDOWS\SYSTEM\Shared Files\winxp_hacker.exe
    c:\WINDOWS\SYSTEM\Shared Files\WinXP_Keygen.exe
    c:\WINDOWS\SYSTEM\Shared Files\winxphack.exe
    c:\WINDOWS\SYSTEM\Shared Files\Winzip_Pass_Cracker.exe
    c:\WINDOWS\SYSTEM\Shared Files\Wolfenstein.exe
    c:\WINDOWS\SYSTEM\Shared Files\Word_Pass_Cracker.exe
    c:\WINDOWS\SYSTEM\Shared Files\xbox_emulator_beta.exe
    c:\WINDOWS\SYSTEM\Shared Files\XP DVD Plugin.exe
    c:\WINDOWS\SYSTEM\Shared Files\XP ScreenSaver.exe
    c:\WINDOWS\SYSTEM\Shared Files\XP_Box_emulator.exe
    c:\WINDOWS\SYSTEM\Shared Files\XP_keygen.exe
    c:\WINDOWS\SYSTEM\Shared Files\XXX.exe
    c:\WINDOWS\SYSTEM\Shared Files\yahoo_cracker.exe
    c:\WINDOWS\SYSTEM\Shared Files\yahoo_hacker.exe
    c:\WINDOWS\SYSTEM\Shared Files\Yahoo_mail_cracker.exe

  • Virus also creates a file called “kagra.jpg” in that folder – despite the extension it is a text file and may contain a list of email addresses found on the computer

  • Virus may write itself to the Windows folder as “Win32system.exe” and modify the registry so that this file is loaded at Windows startup –
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    WinUpdate = C:\Windows\Win32system.exe

  • Virus contains the string “shareworm” in its code
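The indicators above (the "Shared Files" drop folder, the kagra.jpg address dump, the Win32system.exe copy, the WinUpdate Run value, the 65,536-byte size, the MSVBVM60.DLL dependency and the "shareworm" string) are easy to check offline. The following is an added example, not code from the write-up or its vendor: a small Python checker that applies those indicators to a constructed file listing, a constructed REGEDIT4-style export of the Run key and constructed sample bytes. Function names, the `Finding` type and all sample inputs are this example's own assumptions.

```python
"""Added example (not part of the W32/Shower write-up): an offline check of the
indicators listed above against a constructed file listing, a constructed
registry export and constructed sample bytes. All inputs here are made up."""
import re
from dataclasses import dataclass

# Indicators as stated in the write-up.
SHARED_DIR_FRAGMENT = "\\windows\\system\\shared files\\"
EMAIL_DUMP_NAME = "kagra.jpg"
STARTUP_COPY_RE = re.compile(r"[a-z]:\\windows\\win32system\.exe")
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
PAYLOAD_SIZE = 65536
MARKER_STRING = b"shareworm"
VB6_RUNTIME = b"MSVBVM60.DLL"


@dataclass(frozen=True)
class Finding:
    kind: str    # shared_copy | email_dump | startup_copy | run_key
    detail: str


def scan_file_listing(paths):
    """Flag executables under the P2P 'Shared Files' drop folder, the kagra.jpg
    address dump, and the Win32system.exe copy in the Windows folder."""
    findings = []
    for path in paths:
        norm = path.lower().replace("/", "\\")
        name = norm.rsplit("\\", 1)[-1]
        if SHARED_DIR_FRAGMENT in norm:
            if name == EMAIL_DUMP_NAME:
                findings.append(Finding("email_dump", path))
            elif name.endswith(".exe"):
                findings.append(Finding("shared_copy", path))
        elif STARTUP_COPY_RE.fullmatch(norm):
            findings.append(Finding("startup_copy", path))
    return findings


_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def scan_run_key(reg_export: str):
    """Parse REGEDIT4-style export text and flag any value under the HKLM Run
    key whose data points at Win32system.exe (the write-up names it WinUpdate)."""
    findings = []
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        key_match = _KEY_LINE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_LINE.match(line)
        if not value_match or current_key is None:
            continue
        if current_key.lower() != RUN_KEY.lower():
            continue
        name, data = value_match.groups()
        data = data.replace("\\\\", "\\")   # .reg files double every backslash
        if data.lower().rstrip().endswith("win32system.exe"):
            findings.append(Finding("run_key", f"{name} = {data}"))
    return findings


def inspect_sample(data: bytes):
    """Return which of the static traits from the write-up a file exhibits."""
    traits = []
    if len(data) == PAYLOAD_SIZE:
        traits.append("size 65,536 bytes")
    if VB6_RUNTIME in data.upper():
        traits.append("references MSVBVM60.DLL")
    if MARKER_STRING in data:
        traits.append('contains "shareworm"')
    return traits


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a sample, not the real binary: zero padding with
    the two strings embedded, padded out to the stated size."""
    body = b"MZ" + b"\x00" * 1024 + VB6_RUNTIME + b"\x00" * 2048 + MARKER_STRING
    return body.ljust(PAYLOAD_SIZE, b"\x00")


# Constructed inputs resembling what a technician might collect from a Win9x box.
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM\Shared Files\XP ScreenSaver.exe",
    r"C:\WINDOWS\SYSTEM\Shared Files\kagra.jpg",
    r"C:\WINDOWS\Win32system.exe",
    r"C:\WINDOWS\NOTEPAD.EXE",
    r"C:\Program Files\Kazaa\My Shared Folder\song.mp3",
]
SAMPLE_REG_EXPORT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"ScanRegistry"="C:\\\\WINDOWS\\\\scanregw.exe /autorun"
"WinUpdate"="C:\\\\Windows\\\\Win32system.exe"
"""

if __name__ == "__main__":
    for f in scan_file_listing(SAMPLE_PATHS) + scan_run_key(SAMPLE_REG_EXPORT):
        print(f"{f.kind:13} {f.detail}")
    print("sample traits:", inspect_sample(build_constructed_sample()))
```

The registry parser matches on the value data rather than only on the name `WinUpdate`, since a benign value under the same key (the constructed `ScanRegistry` entry) must not be flagged while a renamed entry pointing at the same executable still would be; the static traits are reported individually because the size and the VB runtime reference are shared with many legitimate VB6 programs and only carry weight together with the "shareworm" string.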