Spreading: medium
Damage: medium
Size: varies
Discovered: 2004 Oct 05

SYMPTOMS: There are no visible symptoms (slightly higher memory usage).

TECHNICAL DESCRIPTION: A heuristic detection of B-HAVE commonly encountered on Bots, Droppers and some Worms.

Removal instructions: Please send this file for analysis.

ANALYZED BY: BitDefender Research Team
2008 BITDEFENDER
SYMPTOMS:
- Anti-virus/firewall is disabled
- File: LIEN VAN DE KELDERRR.EXE in the Windows System32 directory
- File: HOSTS overwritten to disable some antivirus sites access
TECHNICAL DESCRIPTION: The worm comes by mail with the following characteristics:

From: spoofed

Subject: one of the following:
- Notice: **Last Warning**
- *DETECTED* Online User Violation
- Your Email Account is Suspended For Security Reasons
- Account Alert
- Important Notification
- *WARNING* Your Email Account Will Be Closed
- Security measures
- Email Account Suspension
- Notice of account limitation

Body: one of the following:
- Once you have completed the form in the attached file, your account records will not be interrupted and will continue as normal.
- The original message has been included as an attachment.
- We regret to inform you that your account has been suspended due to the violation of our site policy, more info is attached.
- We attached some important information regarding your account.
- Please read the attached document and follow it's instructions.

Attachment: one of the following:
- email-info
- email-doc
- information
- account-details
- document
- INFO
- instructions
- info-text
- information
with an executable extension (EXE, PIF or SCR).

The worm also has a backdoor behaviour using the IRC protocol.
Removal instructions: Let BitDefender delete all files found infected with this worm.

ANALYZED BY: BitDefender Virus Research Team
Spreading: high
Damage: low
Size: 22016 bytes (packed)
Discovered: 2004 Apr 21

SYMPTOMS:
- the presence of the following files:
  %windir%\Jammer2nd.exe (the worm, executable form)
  %windir%\pk_zip_alg.log (the worm, zipped)
  %windir%\pk_zip1.log, pk_zip2.log, ..., pk_zip8.log (the archive in base64 format)
- the presence of the following registry key:
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jammer2nd = %windir%\Jammer2nd.exe
- firewall warning for an application trying to listen on port 665/TCP
- firewall warning for an application trying to connect to the following addresses: www.nibis.de www.medinfo.ufl.edu www.educa.ch

TECHNICAL DESCRIPTION: The worm will copy itself in %windir%\Jammer2nd.exe and will create a registry key to make sure it will be run after the next restart. Then, it will create in the %windir% folder the following files: pk_zip_alg.log (the worm, zipped), pk_zip1.log, pk_zip2.log, ..., pk_zip8.log (the archive in base64 format).

The worm spreads by e-mail. It searches for e-mail addresses in files having extensions: .cfg .mbx .mdx .htm .html .asp .wab .doc .eml .txt .php .vbs .rtf .uin .shtm .cgi .dhtm .ods .stm .xls .adb .tbb .dbx .mht .mmf .nch .sht .oft .msg .jsp .wsh .xml .ppt

The e-mails it sends have the following characteristics:

Subject: Important Document Hello Information Hi

Message body: Important details! Important notice! Important document! Important bill! Important data! Important! Important textfile! Important informations!

The e-mail contains the worm in a zip archive having one of the following names: Details.zip Notice.zip Important.zip Bill.zip Data.zip Part-2.zip Textfile.zip Informations.zip

The worm can perform a Denial Of Service (DoS) attack on the following sites: www.educa.ch

The worm listens on port 665/TCP. It will accept connections, write the data received in a file %N%.exe and will execute that file (where %N% is a random number).

Removal instructions:
- Kill the following process: %windir%\Jammer2nd.exe
- Delete the following files: %windir%\pk_zip_alg.log %windir%\pk_zip1.log, pk_zip2.log, ..., pk_zip8.log
- Delete the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jammer2nd
Win32.Netsky.P@mm (I-Worm.Netsky.q, WORM_NETSKY.P, Win32.HLLM.Netsky.35328)
Spreading: high
Damage: low
Size: 29 KB
Discovered: 2000 Jan 01

SYMPTOMS: Presence of following files: FVPROTECT.EXE and USERCONFIG9X.DLL in Windows folder. Presence of following registry keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run holding the value: Norton Antivirus AV = %WINDIR%\FVPROTECT.EXE

TECHNICAL DESCRIPTION: The worm spreads by e-mail, with a header like:
From: (fake e-mail address) Subject: one of the following: *
Re: Encrypted Mail * Re: Extended Mail * Re: Status * Re:
Notify * Re: SMTP Server * Re: Mail Server * Re: Delivery
Server * Re: Bad Request * Re: Failure * Re: Thank you for
delivery * Re: Test * Re: Administration * Re: Message Error *
Re: Error * Re: Extended Mail System * Re: Secure SMTP Message
* Re: Protected Mail Request * Re: Protected Mail System
* Re: Protected Mail Delivery * Re: Secure delivery * Re:
Delivery Protection * Re: Mail Authentification

Message body can be one of the following: * Please confirm my request. *
ESMTP [Secure Mail System #334]: Secure message is attached. *
Partial message is available. * Waiting for a Response. Please
read the attachment. * First part of the secure mail is
available. * For more details see the attachment.
* For further details see the attachment. * Your requested
mail has been attached. * Protected Mail System Test. * Secure
Mail System Beta Test. * Forwarded message is available. *
Delivered message is attached. * Encrypted message is
available. * Please read the attachment to get the message. *
Follow the instructions to read the message. * Please
authenticate the secure message. * Protected message is
attached.
* Waiting for authentification. * Protected message is
available. * Bad Gateway: The message has been attached. *
SMTP: Please confirm the attached message. * You got a new
message. * Now a new message is available. * New message is
available. * You have received an extended message. Please read
the instructions. * Your details. * Your document. * I have
received your document. The corrected document is attached.
* I have attached your document. * Your document is attached
to this mail. * Authentication required. * Requested file. *
See the file. * Please read the important document. * Please
confirm the document. * Your file is attached. * Please read
the document. * Your document is attached. * Please read the
attached file! * Please see the attached file for details.

The message body may contain a notice that it was scanned by an AV
program and that no virus was found.

Attachment: a file containing some of the following: * file
* your_document * about_you * document04 * msg * all_doc01 *
document * approved * improved * corrected

The attachment may have a double extension: a document extension (.doc, .txt) followed by several blanks and then by an executable extension (.pif, .exe, .scr). Also, the attachment may be a zip file containing a packed file with a double extension.

The worm may also spread via P2P clients, under one of the
following names: * The Sims 4 beta.exe * Lightwave 9 Update.exe
* Ulead Keygen 2004.exe * Smashing the stack full.rtf.exe *
Internet Explorer 9 setup.exe * Opera 11.exe * DivX 8.0
final.exe * WinAmp 13 full.exe * Cracks Warez Archiv.exe
* Visual Studio Net Crack all.exe * ACDSee 10.exe * MS Service
Pack 6.exe * Clone DVD 6.exe * Magix Video Deluxe 5
beta.exe
* Star Office 9.exe * Partitionsmagic 10 beta.exe * Gimp 1.8
Full with Key.exe * Norton Antivirus 2005 beta.exe * Windows
2000 Sourcecode.doc.exe * Keygen 4 all new.exe * 3D Studio Max
6 3dsmax.exe * 1001 Sex and more.rtf.exe * RFC
compilation.doc.exe * Dictionary English 2004 - France.doc.exe
* Win Longhorn re.exe * WinXP eBook newest.doc.exe * Learn
Programming 2004.doc.exe * How to hack new.doc.exe
* Doom 3 release 2.exe * E-Book Archive2.rtf.exe * netsky
source code.scr * Ahead Nero 8.exe * Full album all.mp3.pif *
Screensaver2.scr * Serials edition.txt.exe * Microsoft Office
2003 Crack best.exe * XXX hardcore pics.jpg.exe * Dark Angels
new.pif * Porno Screensaver britney.scr * Best Matrix
Screensaver new.scr * Adobe Photoshop 10 full.exe * Adobe
Premiere 10.exe * Teen Porn 15.jpg.pif * Microsoft WinXP Crack
full.exe
* Adobe Photoshop 10 crack.exe * Windows XP crack.exe *
Windows 2003 crack.exe * Arnold Schwarzenegger.jpg.exe * Saddam
Hussein.jpg.exe * Cloning.doc.exe * American Idol.doc.exe *
Eminem Poster.jpg.exe * Altkins Diet.doc.exe * Eminem
blowjob.jpg.exe * Ringtones.doc.exe * Eminem sex xxx.jpg.exe *
Ringtones.mp3.exe * Eminem Spears porn.jpg.exe * Eminem full
album.mp3.exe * Eminem Sexy archive.doc.exe
* Eminem Song text archive.doc.exe * Britney Spears.mp3.exe
* Eminem.mp3.exe * Britney Spears full album.mp3.exe * Britney
Spears Song text archive.doc.exe * Matrix.mpg.exe * Britney
Spears and Eminem porn.jpg.exe * Harry Potter 5.mpg.exe *
Britney Spears.jpg.exe * Harry Potter game.exe * Britney Spears
fuck.jpg.exe * Harry Potter.doc.exe * Britney Spears
cumshot.jpg.exe * Harry Potter e book.doc.exe
* Britney Spears blowjob.jpg.exe * Harry Potter 1-6
book.txt.exe * Britney sex xxx.jpg.exe * Harry Potter all
e.book.doc.exe * Britney Spears porn.jpg.exe * Kazaa new.exe *
Britney Spears Sexy archive.doc.exe * Kazaa Lite 4.0 new.exe

When executed, the worm creates some files in the system directory:
FVPROTECT.EXE - copy of worm body
USERCONFIG9X.DLL - worm dll
BASE64.TMP - base64 encoded worm executable
ZIPPED.TMP - zipped worm executable
ZIP1, 2, 3.TMP - zipped base64 encoded worm executable

On the 24th of
March 2004, the worm will send itself to addresses harvested
from the infected system, using its own SMTP engine. The
following types of files are scanned for addresses: * .xml *
.wsh * .jsp * .msg * .oft * .sht * .dbx * .tbb * .adb * .dhtm *
.cgi * .shtm * .uin * .rtf * .vbs * .doc
* .wab * .asp * .php * .txt * .eml * .html * .htm

The worm
will not send itself to addresses that include one of the
following strings: * reports@ * spam@ * noreply@ * @viruslis *
ntivir * @sophos * @freeav * @pandasof * @skynet * @messagel *
abuse@ * @fbi * @norton * @f-pro * @kaspersky * @mcafee *
@norman * @bitdefender * @f-secur * @avp * @spam * @symantec *
@antivi * @microsof

The worm will attempt to erase registry
keys used by Bagle, Welchia and Mydoom viruses.
Spreading: medium
Damage: low
Size: 19,524 (packed)
Discovered: 2006 Feb 02

SYMPTOMS:
- The presence of a file named sysformat.exe in the windows system directory.
- The presence of a task named sysformat in the process list (if the machine is running Windows 95 / 98 / Me, this process is cloaked and is invisible).
- The windows firewall and security center (in case the machine is running Windows XP Service Pack 2) is disabled.
- Security software (anti-viruses, firewalls...) on the machine are disabled and can not be started.
- The host file in the System32\Drivers\etc subdirectory of the windows directory is of size 1,771 and contains only entries which begin with 127.0.0.1 and sites belonging to antivirus vendors.

TECHNICAL DESCRIPTION: This is a mass mailer / downloader malware. It arrives in the form of an archive which contains two files: an executable and another one containing random characters. The executable has an icon similar to that of a text document, and when first executed it copies itself into the system directory under the name sysformat.exe and then launches notepad.exe.

It drops a hosts file in the System32\Drivers subdirectory of the windows directory of size 1,771 which disables the access to certain anti-virus related sites. This can result in the anti-virus being unable to perform an update.

It disables the built-in firewall and security center on machines running Windows XP Service Pack 2. It kills several security (anti-virus and firewall) products. It tries to download files from a predefined list of sites and to execute them.

It searches the available hard-disks (removable media or network drives won't be searched) for files having the extension: .wab .txt .msg .htm .shtm .stm .xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp

These files will be searched for e-mail addresses and the worm will send itself to these addresses if they don't contain one of the following substrings: @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft support ntivi unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip google winrar samples abuse panda cafee spam pgp @avp. noreply local root@ postmaster@

The worm will also search the hard drives for folders which contain the substring "shar" in them (for example "My Shared Documents") and will copy itself there under these names:
- 1.exe
- 2.exe
- 3.exe
- 4.exe
- 5.scr
- 6.exe
- 7.exe
- 8.exe
- 9.exe
- 10.exe
- Ahead Nero 7.exe
- Windown Longhorn Beta Leak.exe
- Opera 8 New!.exe
- XXX hardcore images.exe
- WinAmp 6 New!.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- Adobe Photoshop 9 full.exe
- Matrix 3 Revolution English Subtitles.exe
- ACDSee 9.exe

The subject of the sent mail contains the following words: price February price pricelst pricelist price_lst new_price February_price 21_price
Nyms not only combats spam, it is one more layer of protection against other email threats: viruses, worms, spyware, adware, phishing scams, and more. Better than a spam filter, Nyms puts you in control of your incoming email because it uses disposable, alias addresses. When your Nyms email aliases are shared with spammers, you can simply disable that Nyms alias and stop the spam from flooding your real inbox. spam filter to pinpoint where unsolicited messages are coming from and kill spam at its source.
Other than license information, personal information from Users who simply use JunkFilter Plus. (a) verifying whether an email is suspected as spam and (b) reporting suspected spam emails. (a) As part of its activity, the JunkFilter Plus software may contact IncrediMail's anti spam server (the "Spam Server") in order to verify that a certain email message is not spam. Spam Server some components of the messages. Such information shall NOT include the actual content of the email message (e.g. message text or attachments) nor the recipient name or email address or any other personally identified information.