Well, I have first hand experience with this worm/bot and can tell you it does some weird things, but it is relatively benign and easy to remove.
One of my clients got it on the 18th, and after trying to find out why their server was going crazy for several hours, they finally called me at about 3am on the 19th. It only took a few minutes to find since 'explorer.scr' sits at, or close to, the top of the task list sorted by CPU utilization. But the part that I found interesting was the distribution system. Not only is it your system that distributes it, but the person receiving the worm actually chose to do so from your computer. In addition, the ~2000 internal filenames allow the worm to appeal to a broad range of victims while allowing it to merely produce variable sized copies of itself with new names on the source drive. This is then forced to be shared by Kazaa.
Although there have been those who have suggested this might be an RIAA plot, it doesn't target audio files such as .mp3, although considering the way it processes filename strings, I'm surprised the author did not figure out how to do so. It would be a simple task to create a file with an apparent .mp3 extension that would execute like a .exe or .scr file. And no, this worm has nothing to do with the adware included with the full versus Lite version. Both are subject to this worm. My client was running Kazaa-Lite.
Originally it was falsely identified as 'TROJ_FILLHDD.A' and 'GT Bot (Global Threat)' due to the 'explorer.scr' filename, but the operation was considerably different. It was brand new, and was not properly identified by virus scanners for this reason. My client who got it runs the Corporate version of Symantec's virus protection, but it just didn't know about it. To this date the new defs do not fully protect against this worm IMO (updated 25 min ago and tested on a closed system).
One of their employees decided it would be a good idea to install Kazaa on one of the servers (yes, I have now tightened up the group policy so they can't do this again), and the rest is history. Needless to say, he's not in the good graces of his employer right now.
Although this was originally designed to be a method of distributing advertisements (and a damned stupid one at that. Wow, you just gave me a worm and filled my drive with shit. Sure, I'll buy your product (porn or not)!), I think it may now do a bit more.
I have found that it does not just contact 209.182.61.132 (xww.de), but also contacts 66.218.71.113:0 (w2.rc.scd.yahoo.com), each time it is loaded. It also contacts various other IP numbers (one specific IP# per run) that might be stored internally. Here are a few I have sniffed besides the two above:
64.239.122.20 (ns1.macrohost.de [Dialtone Internet])
63.209.70.227 (an unknown address at Level3.net)
217.69.237.132 (an unknown address at PIXELHIT1-NET [Poland])
Anyway, it doesn't do much/any damage unless it causes your system to crash from too little space left on the system drive, and it's easy to completely remove, but currently it needs to be manually removed. For one, Symantec Anti-Virus 2002 and the Corporate version will not remove the registry entries or stop the running process. If you have it, or know someone who does, take a look at:
How it works: http://groups.google.com/groups?hl=en&lr=&frame=right&rnum=11&thl=1066366998,1066307103,1066303080,1066150858,1066138013,1066056211,1065940874,1065917702,1065701808,1065699348,1065574296,1065568930&seekm=38c0e426.0205170649.873ce8%40posting.google.com#link20
Removal: http://groups.google.com/groups?hl=en&lr=&frame=right&rnum=31&thl=1022186493,1022097445,0&seekm=2868c408.0205220308.674ac3f1%40posting.google.com#link31
John - ard@d30.info
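As an added defensive example (not part of the post above), a Python scan over a P2P shared folder that flags the two patterns the post describes: executables whose name hides behind a media-style double extension, and groups of executables that are one binary under several names padded to different sizes. All file names and the sample blob are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat"}   # Windows runs these
LURE_EXT = {".mp3", ".avi", ".mpg", ".jpg", ".zip"}   # inner ext of a lure name
HEAD_BYTES = 4096  # leading bytes hashed to spot padded copies of one binary

def is_double_extension_lure(name):
    """True for names like 'song.mp3.scr': executable ext after a media ext."""
    stem, ext = os.path.splitext(name.lower())
    return ext in EXEC_EXT and os.path.splitext(stem)[1] in LURE_EXT

def head_hash(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(HEAD_BYTES)).hexdigest()

def scan_share(root, min_cluster=3):
    """Return (lures, clusters): lure-named executables, and groups of
    >= min_cluster executables with identical leading bytes (one binary
    renamed and padded to varying sizes)."""
    lures, by_head = [], defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.splitext(name.lower())[1] in EXEC_EXT:
                if is_double_extension_lure(name):
                    lures.append(path)
                by_head[head_hash(path)].append(path)
    clusters = [p for p in by_head.values() if len(p) >= min_cluster]
    return sorted(lures), clusters

def build_sample_share(root):
    """Constructed sample share (inert bytes, not malware): one blob under
    three names with different zero padding, plus an unrelated setup.exe."""
    blob = b"MZ" + b"\x90" * 4200 + b"INERT-SAMPLE"
    for name, pad in [("hot_song.mp3.scr", 0), ("movie.avi.exe", 5000),
                      ("explorer.scr", 20000)]:
        with open(os.path.join(root, name), "wb") as f:
            f.write(blob + b"\0" * pad)
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(b"MZ" + os.urandom(900))

def demo():
    """Scan a temporary sample share; returns basenames for easy checking."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        lures, clusters = scan_share(root)
        return ([os.path.basename(p) for p in lures],
                [sorted(os.path.basename(p) for p in c) for c in clusters])
```

Point `scan_share` at the real shared folder instead of the constructed one; a cluster of padded copies with lure names is the signature worth acting on, after which the running process and its Run-key entries still have to be removed by hand.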