Virus Information


Prevalence: orange Medium

Name: Win32.Worm.Korgo.A,B

Type:

How it spreads: The worm exploits the Microsoft LSASS Windows vulnerability for spreading. http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Affected operating:

Aliases: Korgo

Date of surface: May 24 2004 12:00AM

The worm exploits the Microsoft LSASS Windows vulnerability for spreading.
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Once run, the worm will do the following:

1. Attempts to delete Go.exe from the current location.
2. Creates the mutexes:
   variant A: r10, rocket10
   variant B: r10, u2, uterm5
3. Checks if the [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WinUpdate"] entry exists.
   If the key exists, it attempts to delete the registry entry [HKLM\Software\Microsoft\Wireless\"Server"].
   If the key doesn't exist, it attempts to create it: [HKLM\Software\Microsoft\Wireless\"Server"="1"]
4. Creates a randomly named copy of the worm in the %SYSTEM% folder, as ????????.exe, where ? may be any letter.
5. Creates the registry entry [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"WinUpdate"="%SYSTEM%\????????.exe"] in order to run at startup.
6. Executes the copy of the worm and terminates the current process.
7. Starts many threads and enters an infinite loop, preventing the system from shutting down.
8. Opens ports 113, 3067 and 2041, allowing remote connection and sending of the worm, and scans random IP addresses in order to infect unpatched systems. Also opens port 6667, as it attempts to connect to a list of IRC servers where it listens for commands.

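
The indicators listed above can be checked together against a host snapshot during triage. The following is an added example, not code from eScan or MicroWorld; the snapshot dictionary layout, the function names and the sample values are hypothetical, and it assumes %SYSTEM% resolves to a "system32" or "system" directory.

```python
import re

# Indicators taken from the description above.
MUTEXES = {"A": {"r10", "rocket10"}, "B": {"r10", "u2", "uterm5"}}
LISTEN_PORTS = {113, 3067, 2041}
IRC_PORT = 6667
# Assumption: %SYSTEM% ends in \system32 or \system; "?" is any letter.
COPY_RE = re.compile(r"\\system(32)?\\[A-Za-z]{8}\.exe$", re.IGNORECASE)

# Constructed sample snapshot (not from a real host).
SAMPLE = {
    "run_values": {"WinUpdate": r"C:\WINDOWS\system32\qhbzvrtk.exe"},
    "wireless_values": {"Server": "1"},
    "mutexes": ["r10", "u2", "uterm5"],
    "listening_ports": [135, 445, 113, 3067],
    "outbound_ports": [6667],
}


def korgo_findings(host):
    """Return (indicator, detail) tuples matched in a host snapshot dict."""
    findings = []
    win_update = host.get("run_values", {}).get("WinUpdate")
    if win_update and COPY_RE.search(win_update.strip('"')):
        findings.append(("run_key", win_update))
    if host.get("wireless_values", {}).get("Server") == "1":
        findings.append(("wireless_marker", "Server=1"))
    seen = set(host.get("mutexes", []))
    for variant, names in MUTEXES.items():
        if names <= seen:  # every mutex of the variant must be present
            findings.append(("mutexes", "variant " + variant))
    open_ports = LISTEN_PORTS & set(host.get("listening_ports", []))
    if open_ports:
        findings.append(("listen_ports", sorted(open_ports)))
    if IRC_PORT in host.get("listening_ports", []) + host.get("outbound_ports", []):
        findings.append(("irc", IRC_PORT))
    return findings


def verdict(findings):
    """Ports 113 and 6667 have legitimate uses, so require corroboration."""
    kinds = {kind for kind, _ in findings}
    if "run_key" in kinds and len(kinds) >= 2:
        return "likely"
    return "suspicious" if kinds else "clean"


if __name__ == "__main__":
    print(verdict(korgo_findings(SAMPLE)), korgo_findings(SAMPLE))
```
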
For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.

You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site.

Alternatively, you can install MicroWorld’s Internet Security Suite which has real time detection capabilities.
You can download and install the product from our eScan download page.