W32/Surnova-C is a worm that spreads using an installed copy of the KaZaA network software and the MSN instant messenger utility. The worm first copies itself to the Windows folder as Alles-ist-vorbei.exe, Desktop-shooting.exe, Hello-Kitty.exe, BigMac.exe, Hellokitty.exe or Cheese-Burger.exe.
The value HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Supernova is added to the registry and points to the new copy of the worm so that the worm is run when Windows starts up.
The fake error message "Application attempted to read memory at 0xFFFFFFFFh Terminating application" will be displayed by the worm when first executed.
The worm queries the registry entry HKLM\Software\KaZaA\LocalContent for a folder that is shared across the KaZaA network. If no value is found, the folder C:\<Windows>\Media is used instead. Twenty copies of the worm are created in this folder with the following filenames:
Battle.net key generator (WORKS!!).exe
Britney spears nude.exe
DivX codec.exe
DivX optimizer.exe
DivX.exe
GTA3 crack.exe
Half-life WON key generator.exe
KaZaA media desktop v2.0 UNOFFICIAL.exe
Key generator for all windows XP versions.exe
Macromedia key generator (all products).exe
Microsoft key generator, works for ALL microsoft products!!.exe
Microsoft Windows XP crackpack.exe
Nuke program.exe
Star wars episode 2 downloader.exe
Warcraft 3 battle.net serial generator.exe
Warcraft 3 ONLINE key generator.exe
Windows XP key generator.exe
Windows XP serial generator.exe
Winrar + crack.exe
Winzip 8.0 + serial.exe
W32/Surnova-C will also attempt to send itself to contacts in the infected user's Messenger contact list. The worm will arrive with one of the following messages:
Hehe, check this out :-)
Funny, check it out (h)
LOL!! See this :D
LOL!! Check this out :)
The worm creates a text file in the Windows folder with a name consisting of randomly generated digits. The text file contains the text "W32.Supernova Patch the leaks or the ship will sink".
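The indicators described above can be turned into a host triage check. The following is an added example, not part of the original write-up or any vendor tool: the function names are hypothetical, the Run values are assumed to be supplied as a name-to-data mapping exported from the Run key, and the copies in the shared folder are assumed to be byte-identical (the min_copies threshold is an arbitrary choice).

```python
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# Indicators from the write-up above, compared case-insensitively.
DROP_NAMES = {"alles-ist-vorbei.exe", "desktop-shooting.exe", "hello-kitty.exe",
              "bigmac.exe", "hellokitty.exe", "cheese-burger.exe"}
RUN_VALUE = "supernova"
MARKER = b"W32.Supernova"


def scan_windows_dir(windir):
    """Flag dropped worm copies and the digit-named marker text file."""
    hits = []
    for p in sorted(Path(windir).iterdir()):
        if not p.is_file():
            continue
        if p.name.lower() in DROP_NAMES:
            hits.append(("dropped-copy", p.name))
        # Assumption: the write-up gives no extension for the text file, so
        # match an all-digit stem and confirm with the marker text inside it.
        elif re.fullmatch(r"[0-9]+", p.stem):
            with p.open("rb") as fh:
                if MARKER in fh.read(4096):
                    hits.append(("marker-file", p.name))
    return hits


def scan_run_values(run_values):
    """Flag the Supernova Run value, or any Run value pointing at a drop name."""
    hits = []
    for name, data in run_values.items():
        target = Path(data.strip('"').replace("\\", "/")).name.lower()
        if name.lower() == RUN_VALUE or target in DROP_NAMES:
            hits.append(("run-key", name, data))
    return hits


def scan_share_dir(share, min_copies=5):
    """Flag groups of identical .exe files stored under different names."""
    groups = defaultdict(list)
    for p in Path(share).iterdir():
        if p.is_file() and p.suffix.lower() == ".exe":
            groups[hashlib.sha256(p.read_bytes()).hexdigest()].append(p.name)
    return [sorted(n) for n in groups.values() if len(n) >= min_copies]
```

Grouping by content hash catches the shared-folder copies even if the bait filenames differ from the list above.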