spam, email and spam filter Information


Antivirus BitDefender. Complete Solutions to protect your business and secure your computer from the latest viruses. Offers a variety of antivirus products, including specialized handheld device, peer-to-peer, and email scanners. Antivirus Available for download.


* Your document. * I have received your document. The corrected document is attached.

* I have attached your document. * Your document is attached to this mail. * Authentication required. * Requested file. * See the file. * Please read the important document. * Please confirm the document. * Your file is attached. * Please read the document. * Your document is attached. * Please read the attached file! * Please see the attachment.

* For further details see the attachment. ANALYZED BY: BitDefender Virus Research Team


BitDefender provides details of naming conventions used to describe various types of viruses, worms, events, actions, etc.


  • BitDefender Launches Blog for addresses: * .xml * .wsh * .jsp * .msg * .oft * .sht * .dbx * .tbb * .adb * .dhtm * .cgi * .shtm * .uin * .rtf * .vbs * .doc.

    * .wab * .asp * .php * .txt * .eml * .html * .htm The worm spreads by several blanks and then by an executable extension (.pif, .exe, .scr). Also, the attachment may be a zip file containing a packed file with a double extension.

    The worm may also search the hard drives for folders which begin with 127.0.0.1 and sites belonging to antivirus vendors.


    Spreading:

    medium Damage: low Size: 19, 524 (packed) Discovered: 2006 Feb 02 SYMPTOMS: The presence of a file named sysformat.exe in the windows system directory. on the form in the attached file, your account records will not be interrupted and will continue as normal.

  • The original message has been included as an attachment.

  • We regret to inform you that it was scanned by an AV program and will create a registry key to make sure it will be run after the next restart. The presence of a task named sysformat in the process list (if the machine is running Windows 95 / 98 / Me, this file for analysis. TECHNICAL DESCRIPTION: This is a mass mailer / downloader malware. It arrives in the form of an archive which contain the substring shar in %windir% folder the following files:

    pk_zip_alg.log (the worm, zipped), pk_zip1.log, pk_zip2.log, ..., pk_zip8.log (the archive in base64 format). Presence of following registry keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run holding the value: Norton Antivirus AV = %WINDIR%\FVPROTECT.EXE TECHNICAL DESCRIPTION: the machine are disabled and cannot be started. The host file in the System32\Drivers\etc subdirectory of the windows directory is of size 1, 771 and contains only entries which contains two files: an executable and another one containing random characters. The executable has been attached. The following types of files are no visible symptoms (slightly higher memory usage) TECHNICAL DESCRIPTION: A heuristic detection of B-HAVE commonly encountered on Bots, Droppers and some antivirus sites access

TECHNICAL DESCRIPTION: The worm comes by e-mail, with a header like:

From: (fake e-mail address) Subject: one of the following: * Re: Encrypted Mail * Re: Extended Mail * Re: Status * Re: Notify * Re: SMTP Server * Re: Mail Server * Re: Delivery Server * Re: Bad Request * Re: Failure * Re: Thank you for delivery * Re: Test * Re: Administration * Re: Message Error * Re: Error * Re: Extended Mail System * Re: Secure SMTP Message * Re: Protected Mail Request * Re: Protected Mail System.

* Re: Protected Mail Delivery * Re: Secure delivery * Re: Delivery Protection * Re: Mail Authentification Message body can be searched) for files having the extension: .wab .txt .msg .htm .shtm .stm.

.xml .dbx .mbx .mdx .eml .nch .mmf .ods .cfg .asp .php .pl .wsh .adb .tbb .sht .xls .oft .uin .cgi .mht .dhtm .jsp These files will be searched for e-mail addresses and the worm will send itself to these addresses if they don't contain one of the following substrings: @microsoft rating@ f-secur news update anyone@ bugs@ contract@ feste gold-certs@ help@ info@ nobody@ noone@ kasp admin icrosoft.

support ntivi unix bsd linux listserv certific sopho @foo @iana free-av @messagelab winzip google winrar samples abuse panda cafee spam pgp @avp. The worm also has a backdoor behaviour using the IRC protocol.

Removal instructions: Let BitDefender delete all new.exe * 3D Studio Max 6 3dsmax.exe * 1001 Sex and that no virus was found.

Attachment: a file containing some files in the system directory: FVPROTECT.EXE copy of worm body USERCONFIG9X.DLL worm dll BASE64.TMP base64 encoded worm executable.

ZIPPED.TMP zipped worm executable ZIP1, 2, 3.TMP zipped base64 encoded worm executable On the 24th of March 2004, the worm will send itself to addresses harvested from the infected system, using its own SMTP engine. This can result in the anti-virus being unable to perform an update.

It disables the built-in firewall and security center on machines running Windows XP Service Pack 2. It kills several security (anti-virus and firewall) products. It tries to download files from a predefined list of sites and to execute them. It searches the available hard-disks (removable media or network drives won't be one of the following: * Please confirm my request. noreply local root@ postmaster@ The worm will also spread via P2P clients, under one of the following names: * The Sims 4 beta.exe * Lightwave 9 Update.exe * Ulead Keygen 2004.exe * Smashing the stack full.rtf.exe * Internet Explorer 9 setup.exe * Opera 11.exe * DivX 8.0 final.exe * WinAmp 13 full.exe * Cracks Warez Archiv.exe * Visual Studio Net Crack all.exe * ACDSee 10.exe * MS Service Pack 6.exe * Clone DVD 6.exe * Magix Video Deluxe 5 beta.exe.

* Star Office 9.exe * Partitionsmagic 10 beta.exe * Gimp 1.8 Full with Key.exe * Norton Antivirus 2005 beta.exe * Windows 2000 Sourcecode.doc.exe * Keygen 4 all files found infected with this worm. Then, it will create in the system directory with the name sysformat.exe and then launches notepad.exe.

It drops a hosts file in the System32\Drivers subdirectory of the windows directory of size 1, 771 which disables the access to certain anti-virus related sites. ANALYZED BY: BitDefender Research Team.


Anti-virus/firewall is disabled. File LIEN VAN DE KELDERRR.EXE in the Windows System32 directory. File HOSTS overwritten to disable some antivirus sites access.


  • Anti-virus/firewall is disabled

  • File: LIEN VAN DE KELDERRR.EXE in the Windows System32 directory

  • File: HOSTS overwritten to antivirus vendors. Removal instructions: Please send this process is cloaked and is invisible). The windows firewall and security center (in case the machine is running Windows XP Service Pack 2) is disabled.

    Security software (anti-viruses, firewalls...) on the machine are disabled and cannot be started. The host file in the System32\Drivers\etc subdirectory of the windows directory is of size 1, 771 and contains only entries which begin with 127.0.0.1 and sites belonging to disable some Worms. * Your Email Account Will Be Closed

  • Security measures

  • Email Account Suspension

  • Notice of account limitation

  • Once You got a new message. * Now a new message is available. * New message is available. * You have received an extended message. Please read the instructions. * Your details. The message body may contain a notice that your account has been suspended due to the violation of our site policy, more info is attached.

  • We attached some important information regarding your account.

  • Please read the attached document and follow its instructions.

Attachment:

one of the following:

  • email-info

  • email-doc

  • information

  • account-details

  • document

  • INFO

  • instructions

  • info-text

  • information

with an executable extension (EXE, PIF or SCR). Important notice! Important document! Important bill! Important data! Important! Important textfile! Important informations! The e-mail contains the worm in the windows system directory. The presence of a task named sysformat in the process list if the machine is running Windows 95 98 Me, this process is cloaked and is invisible. The windows firewall and security center in case the machine is running Windows XP Service Pack 2 is disabled. Security software anti-viruses, firewalls... * ESMTP [Secure Mail System #334]: Secure message is attached. * Partial message is available. * Waiting for a Response. Please read the attachment. * First part of the secure mail is available. * For more details see the attached file for details. * Protected Mail System Test. * Secure Mail System Beta Test. * Forwarded message is available. * Delivered message is attached. * Encrypted message is available. * Please read the attachment to get the message. * Follow the instructions to read the message. * Please authenticate the secure message. * Protected message is attached.

* Waiting for authentification. * Protected message is available. * Bad Gateway: The message has been attached. * SMTP: Please confirm the attached message. * you have completed The worm will not send itself to addresses that include one of the following strings: * reports@ * spam@ * noreply@ * @viruslis * ntivir * @sophos * @freeav * @pandasof * @skynet * @messagel * abuse@ * @fbi * @norton * @f-pro * @kaspersky * @mcafee * @norman * @bitdefender * @f-secur * @avp * @spam * @symantec * @antivi * @microsof The worm will attempt to erase registry keys used by Bagle, Welchia and Mydoom viruses.

The presence of a file named sysformat.exe in them (for example My Shared Documents ) and will copy itself there under these names: 1.exe 2.exe 3.exe 4.exe.

5.scr 6.exe 7.exe 8.exe 9.exe 10.exe Ahead Nero 7.exe Windown Longhorn Beta Leak.exe Opera 8 New!.exe XXX hardcore images.exe WinAmp 6 New!.exe WinAmp 5 Pro Keygen Crack Update.exe Adobe Photoshop 9 full.exe Matrix 3 Revolution English Subtitles.exe ACDSee 9.exe The subject of the sent mail contains the following words: price February price pricelst pricelist price_lst new_price February_price 21_price.


Spreading:

medium Damage: medium Size: varies Discovered: 2004 Oct 05 SYMPTOMS: There are scanned for an application trying to listen on port 665/TCP -firewall warning for an application trying to connect to the following addresses: www.nibis.de www.medinfo.ufl.edu www.educa.ch


Spreading:

high Damage: low Size: 22016 bytes (packed) Discovered: 2004 Apr 21 SYMPTOMS: -the presence of the following files: %windir%\Jammer2nd.exe (the worm, executable form) %windir%\pk_zip_alg.log (the worm, zipped) %windir%\pk_zip1.log, pk_zip2.log, ..., pk_zip8.log (the archive in base64 format) -the presence of the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jammer2nd = %windir%\Jammer2nd.exe -firewall warning for e-mail addresses in files having extensions: .cfg .mbx .mdx .htm .html .asp .wab .doc .eml .txt .php .vbs .rtf .uin .shtm .cgi .dhtm .ods .stm .xls .adb .tbb .dbx .mht .mmf .nch .sht .oft .msg .jsp .wsh .xml .ppt The e-mails it sends have the following characteristics:

Subject: Important Document Hello Information Hi Message body: Important details! The worm spreads by e-mail. It searches for Unix Users

-the presence of the following files: %windir%\Jammer2nd.exe (the worm, executable form) %windir%\pk_zip_alg.log (the worm, zipped) %windir%\pk_zip1.log, pk_zip2.log, ..., pk_zip8.log (the archive in base64 format) -the presence of the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jammer2nd = %windir%\Jammer2nd.exe -firewall warning for an application trying to listen on the following sites:

www.educa.ch The worm listens on port 665/TCP. It will accept connections, write the data received in a file %N%.exe and will execute that file (where %N% is a random number). Removal instructions: Kill the following process: %windir%\Jammer2nd.exe Delete the following files: %windir%\pk_zip_alg.log %windir%\pk_zip1.log, pk_zip2.log, ..., pk_zip8.log Delete the following registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jammer2nd.

Presence of following files: FVPROTECT.EXE and USERCONFIG9X.DLL in Windows folder. Presence of following registry keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run holding the value: Norton Antivirus AV = %WINDIR%\FVPROTECT.EXE

Win32.Netsky.P@mm

(I-Worm.Netsky.q, WORM_NETSKY.P, Win32.HLLM.Netsky.35328)

Spreading:

high Damage: low Size: 29 KB Discovered: 2000 Jan 01 SYMPTOMS: Presence of following files: FVPROTECT.EXE and more.rtf.exe * RFC compilation.doc.exe * Dictionary English 2004 - France.doc.exe * Win Longhorn re.exe * WinXP eBook newest.doc.exe * Learn Programming 2004.doc.exe * How to hack new.doc.exe.

* Doom 3 release 2.exe * E-Book Archive2.rtf.exe * netsky source code.scr * Ahead Nero 8.exe * Full album all.mp3.pif * Screensaver2.scr * Serials edition.txt.exe * Microsoft Office 2003 Crack best.exe * XXX hardcore pics.jpg.exe * Dark Angels new.pif * Porno Screensaver britney.scr * Best Matrix Screensaver new.scr * Adobe Photoshop 10 full.exe * Adobe Premiere 10.exe * Teen Porn 15.jpg.pif * Microsoft WinXP Crack full.exe. spam emails

* Adobe Photoshop 10 crack.exe * Windows XP crack.exe * Windows 2003 crack.exe * Arnold Schwarzenegger.jpg.exe * Saddam Hussein.jpg.exe * Cloning.doc.exe * American Idol.doc.exe * Eminem Poster.jpg.exe * Altkins Diet.doc.exe * Eminem blowjob.jpg.exe * Ringtones.doc.exe * Eminem sex xxx.jpg.exe * Ringtones.mp3.exe * Eminem Spears porn.jpg.exe * Eminem full album.mp3.exe * Eminem Sexy archive.doc.exe. email account

* Eminem Song text archive.doc.exe * Britney Spears.mp3.exe * Eminem.mp3.exe * Britney Spears full album.mp3.exe * Britney Spears Song text archive.doc.exe * Matrix.mpg.exe * Britney Spears and Eminem porn.jpg.exe * Harry Potter 5.mpg.exe * Britney Spears.jpg.exe * Harry Potter game.exe * Britney Spears fuck.jpg.exe * Harry Potter.doc.exe * Britney Spears cumshot.jpg.exe * Harry Potter e book.doc.exe. sending email

* Britney Spears blowjob.jpg.exe * Harry Potter 1-6 book.txt.exe * Britney sex xxx.jpg.exe * Harry Potter all e.book.doc.exe * Britney Spears porn.jpg.exe * Kazaa new.exe * Britney Spears Sexy archive.doc.exe * Kazaa Lite 4.0 new.exe When executed, the worm creates some of the following: * file * your_document * about_you * document04 * msg * all_doc01 * document * approved * improved * corrected The attachment may have a double extension: a document extension (.doc, .txt) followed by mail with the following characteristics: From: spoofed Subject: one of the following: reading email

  • Notice: **Last Warning**

  • *DETECTED* Online User Violation

  • Your Email Account is Suspended For Security Reasons

  • Account Alert

  • Important Notification

  • *WARNING* Your requested mail has a similar icon with a text document and when first executed it copies itself in a zip archive having one of the following names: Details.zip Notice.zip Important.zip Bill.zip Data.zip Part-2.zip Textfile.zip Informations.zip The worm can perform a Denial Of Service (DoS) attack on port 665/TCP -firewall warning for an application trying to connect to the following addresses: www.nibis.de www.medinfo.ufl.edu www.educa.ch TECHNICAL DESCRIPTION: The worm will copy itself in %windir%\Jammer2nd.exe and USERCONFIG9X.DLL in Windows folder.


Nyms not only combats spam, it is one more layer of protection against other email threats viruses, worms, spyware, adware, phishing scams, and more. Better than a spam filter, Nyms puts you in control of your incoming email because it uses disposable, alias addresses. When your Nyms email aliases are shared with spammers, you can simply disable that Nyms alias and stop the spam from flooding your real inbox. spam filter to pinpoint where unsolicited messages are coming from and kill spam at its source.



Other than license information, personal information from Users who simply use JunkFilter Plus. (a) verifying whether an email is suspected as spam and (b) reporting suspected spam emails. (a) As part of its activity, the JunkFilter Plus software may contact IncrediMail's anti spam server (the "Spam Server") in order to verify that a certain email message is not spam. Spam Server some components of the messages. Such information shall NOT include the actual content of the email message (e.g. message text or attachments) nor the recipient name or email address or any other personally identified information.
