W32/Derdero-A is a virus that spreads via email and common peer-to-peer file sharing networks. It also attempts to infect every file with an .EXE extension on drive C:, so cleaning an infected machine means checking all executables on that drive, not just the dropped files listed below.
When the worm runs for the first time it displays a decoy message box with the text "Runtime error '4': String out of bounds", so a user who opened the attachment may assume the program simply failed to run.
W32/Derdero-A changes the Windows HOSTS file (%SystemRoot%\System32\drivers\etc\hosts) so that the user cannot access a number of anti-virus related sites. The description does not name the blocked sites; any non-localhost name that the file maps to a loopback or 0.0.0.0 address should be treated as suspect and removed.
In order to run automatically when Windows starts up, W32/Derdero-A copies itself to the files SysHeal.exe and thunk32.exe in the Windows system folder and adds the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\32-bit Thunking service = <windows_system>\thunk32.exe
The value name is chosen to sound like a Windows component; a Run value with this name pointing at thunk32.exe in the system folder is a direct indicator of infection.
The worm collects email addresses from the Windows address book.
The emails sent by the worm have the following characteristics:
Sender email address is spoofed.
Subject line (one of, reproduced with the worm's own misspellings):
Server Error
AHKER.C Alert
URGENT PLEASE READ!
Detailde Information
User Information
New Worm Alert
Malware Avoidance tips
Body text (one of, reproduced with the worm's own misspellings):
There is urgent information in the attachment regarding your Email account
Your Email account information has been removed from the system due to inactivity. To renew your account information refer to the attachment.
We regret to inform you that your account has been hijacked and used for illegal purposes. The attachment has more information about what has happened.
Our Email system has recived repoorts of your account flooding email servers. There is more on this matter in the attachment.
Due to recent internet attacks, your Email account security is being upgraded. The attachment contains more details.
Our server is experiencing some latency in our email service. The attachment contains details on how your account will be affected.
A new worm is circulating around. To protect yourself, read the attached document.
Please run the urgent patch attached to protect yourself from a new worm.
As a service to our users, we have attached a note on avoiding malware.
Attached file name: one of the following base names
Details
Information
Gift
Word_document
Account_Information
Malware_prevention_tips
Patch
followed by one of the following extensions (the last three are double extensions, so that what looks like a .doc, .txt or .bmp file is actually run as a .pif, .exe or .cmd program):
zip
scr
pif
cmd
exe
doc.pif
txt.exe
bmp.cmd
W32/Derdero-A copies itself to the shared folders of popular P2P applications. The worm uses the following file names, where "[spaces]", "[blank]" and "[blank spaces]" denote a long run of spaces inserted so that the real, executable extension is pushed out of view in file listings:
Britney spears naked Playboy.jpeg[spaces].pif
DVD Copier.exe
Visual Studio.NET.FULL.rar[blank].exe
Nero ACID new cd burning and p2p.exe
Adobe Photoshop 6 Full Version.exe
Windows Longhorn BETA.iso[spaces].exe
WinAmp 5 Crack.exe
WinRAR.exe
Windows XP Pro SP2.pif
Young teen gets reamed.mpg[spaces].pif
jenna jameson screensver.scr
Internet Explorer 7.exe
Snood new version.exe
Tits.mpeg[blank spaces].scr
Norton AntiVirus 2006 BETA.exe
Battlefield 1942.exe
NETSKY SOURCE CODE.zip[spaces].exe
Kazaa Lite 2005 Edition.zip[spaces].pif
Windows XP crack.zip[spaces].exe
Hot Teen Porn.mpeg[spaces].exe
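Both the email attachment names and the P2P file names above rely on the same two disguises: a benign-looking decoy extension placed in front of the executable one, and whitespace padding that hides the real extension. The following Python check is an added example, not code from the original description; the extension sets are assumptions for illustration, and the sample names are constructed from the page's list with a literal run of spaces substituted for the "[spaces]" placeholder.

```python
import re

# Extensions Windows executes directly; only the final extension matters to the loader.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "cmd", "bat", "com"}
# Archive extensions: not executed directly, but the payload may be inside.
ARCHIVE_EXTS = {"zip", "rar"}
# Benign-looking extensions the worm puts in front of the real one as a decoy
# (assumed list for this example; extend it for your own environment).
DECOY_EXTS = {"doc", "txt", "bmp", "jpeg", "jpg", "mpg", "mpeg", "zip", "rar", "iso", "avi"}

# base.decoy[optional spaces].real  -- the two-dot shape used by the worm
_DOUBLE_EXT = re.compile(r"^(?P<base>.*)\.(?P<decoy>[A-Za-z0-9]{2,5})\s*\.(?P<real>[A-Za-z0-9]+)$")


def analyse_filename(name):
    """Classify one attachment or shared-file name.

    Returns a dict with the real (final) extension, the decoy extension shown
    to the user if any, whether whitespace padding pushes the real extension
    out of view, and a verdict: 'disguised_executable', 'executable',
    'archive' or 'other'.
    """
    # Windows drops trailing spaces and dots when it creates the file, so
    # normalise the same way before deciding what the loader would see.
    stripped = name.rstrip(" .")
    real_ext = stripped.rsplit(".", 1)[1].lower() if "." in stripped else ""

    m = _DOUBLE_EXT.match(stripped)
    decoy_ext = m.group("decoy").lower() if m else ""

    # Padding: the part before the final ".ext" ends in whitespace, e.g.
    # "Tits.mpeg                         .scr"
    before_real = stripped.rsplit(".", 1)[0] if "." in stripped else stripped
    padded = before_real != before_real.rstrip()

    if real_ext in EXECUTABLE_EXTS and (decoy_ext in DECOY_EXTS or padded):
        verdict = "disguised_executable"
    elif real_ext in EXECUTABLE_EXTS:
        verdict = "executable"
    elif real_ext in ARCHIVE_EXTS:
        verdict = "archive"
    else:
        verdict = "other"

    return {"name": name, "real_ext": real_ext, "decoy_ext": decoy_ext,
            "padded": padded, "verdict": verdict}


def scan_filenames(names):
    """Return only the names that are executables wearing a disguise."""
    return [r for r in (analyse_filename(n) for n in names)
            if r["verdict"] == "disguised_executable"]


# Constructed samples modelled on the names in the description; "[spaces]"
# from the page is replaced here by an actual run of 40 spaces.
SAMPLE_NAMES = [
    "Details.doc.pif",
    "Account_Information.txt.exe",
    "Patch.zip",
    "Britney spears naked Playboy.jpeg" + " " * 40 + ".pif",
    "Visual Studio.NET.FULL.rar" + " " * 40 + ".exe",
    "DVD Copier.exe",
    "Malware_prevention_tips.doc",
]

if __name__ == "__main__":
    for r in scan_filenames(SAMPLE_NAMES):
        print(f"{r['verdict']:>22}  real=.{r['real_ext']:<4} decoy=.{r['decoy_ext']:<4} "
              f"padded={r['padded']}  {r['name']!r}")
```

A mail gateway or a script walking P2P share folders can feed names into scan_filenames; anything returned as a disguised executable should be quarantined rather than merely logged, since a plain .exe may be legitimate but a .doc that is really a .pif has no honest use.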
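The HOSTS file tampering noted in the summary can be verified by hand, but a parser catches every blocked name at once. The following Python check is an added example, not code from the original description; the vendor domain watch list is an assumption (the page does not name the blocked sites) and the HOSTS content is a constructed sample.

```python
import ipaddress
import sys

# Where Windows keeps the file the worm edits (well-known path).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Vendor domains to watch for. The description does not list the sites the
# worm blocks, so this list is an assumption for the example; extend it.
WATCHED_VENDOR_DOMAINS = ("symantec.com", "sophos.com", "mcafee.com", "trendmicro.com")

# Constructed sample of a tampered HOSTS file (not taken from the page).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# Constructed sample for the example; the first entry is the normal default.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
0.0.0.0         www.sophos.com
127.0.0.1       downloads.example.net          # not on the watch list, still suspicious
192.168.0.5     fileserver.corp.example        # legitimate intranet entry
::1             localhost
"""


def parse_hosts(text):
    """Yield (line_no, ip_text, hostname) for every mapping, skipping comments and blanks."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip_text, *names = line.split()
        for name in names:
            yield no, ip_text, name.lower()


def find_blackholed_hosts(text, watched=WATCHED_VENDOR_DOMAINS):
    """Return every non-localhost name mapped to a loopback or unspecified address.

    Such an entry makes the name unreachable, which is how the worm cuts the
    victim off from vendor sites. 'watched' marks entries on the vendor list;
    entries not on the list are still reported, because the real block list
    is unknown.
    """
    hits = []
    for no, ip_text, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # not a valid mapping line; ignore
        if name == "localhost" or not (addr.is_loopback or addr.is_unspecified):
            continue
        watched_hit = any(name == d or name.endswith("." + d) for d in watched)
        hits.append({"line": no, "ip": ip_text, "host": name, "watched": watched_hit})
    return hits


if __name__ == "__main__":
    # Pass a path to check a real file (e.g. WINDOWS_HOSTS_PATH); default is the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    for h in find_blackholed_hosts(text):
        flag = "VENDOR" if h["watched"] else "other "
        print(f"line {h['line']:>3}: {flag} {h['ip']:<10} {h['host']}")
```

Run it against the live file on a suspect machine; after removing the entries, confirm the vendor sites resolve again, and check that the file is not hidden or read-only, since the worm may reset it on the next start if its Run entry and dropped files are still in place.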