Summary

| Field | Value |
|---|---|
| How it spreads | Email messages and P2P file sharing networks |
| Affected operating systems | Windows |
| Protection available since | 23 February 2005 16:57:28 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Ahker-E is a mass-mailing and P2P worm.
W32/Ahker-E will mail itself out to email addresses found on an infected computer.
W32/Ahker-E will arrive as a ZIP attachment to an email. The characteristics of the email will be as follows:
Attachment name: "Removal Tool.zip"
Subject lines include:
Please READ!
You are infected!
Read this to remove the infection!
World's most dangerous Internet Worm!
Read it!
READ! HURRY! BEFORE It's too late!
Read this TWICE!
Ahker.E is infecting 100 of PC/min
Microsoft's Worst Fear!
Read this for your PC safety!
From: securityresponse@symantec.com
Body:
We have been informed that you are one of the victims of the latest worm: Ahker, the E variant.
You're computer is infected with this worm!
Ahker.E uses FULL STEALTH METHOD to fool the user and the system!
Ahker.E infects the system without the knowledge of the user which is bad!
Security Response suggests you to download the removal tool for this threat located in the attachment.
This tool will scan your system in order to find the worm then removes it.
Please hurry before the worm mutates!
Good luck!
Symantec (c) 2004-2005
From: security@microsoft.com
Body:
We have been informed that you are one of the victims of the latest worm: Ahker, the E variant.
You're computer is infected with this worm!
Ahker.E uses FULL STEALTH METHOD to fool the user and the system!
Ahker.E infects the system without the knowledge of the user which is bad!
Microsoft suggests you to download the removal tool for this threat located in the attachment.
This tool will scan your system in order to find the worm then removes it.
Please hurry before the worm mutates!
Good luck!
Microsoft (c) 2004-2005
From: security@trendmicro.com
Body:
We have been informed that you are one of the victims of the latest worm: Ahker, the E variant.
You're computer is infected with this worm!
Ahker.E uses FULL STEALTH METHOD to fool the user and the system!
Ahker.E infects the system without the knowledge of the user which is bad!
Trend Micro suggests you to download the removal tool for this threat located in the attachment.
This tool will scan your system in order to find the worm then removes it.
Please hurry before the worm mutates!
Good luck!
Trend Micro (c) 2004-2005
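The lure is fully characterised by four observable fields (subject line, attachment name, spoofed vendor sender, and the "Ahker, the E variant" body text), which is enough for a mail-gateway or mailbox triage rule. The following Python is an added example, not Sophos code and not part of the original description: it parses raw RFC 822 messages with the standard library and reports which W32/Ahker-E indicators each message matches. The three sample messages are constructed here for the demonstration, not captured samples, and the scoring goes slightly beyond the text by treating any combination of the indicators as suspicious rather than only the three complete templates shown above.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the lure description above (compared case-insensitively).
AHKER_SUBJECTS = {
    "please read!", "you are infected!", "read this to remove the infection!",
    "world's most dangerous internet worm!", "read it!",
    "read! hurry! before it's too late!", "read this twice!",
    "ahker.e is infecting 100 of pc/min", "microsoft's worst fear!",
    "read this for your pc safety!",
}
AHKER_ATTACHMENT = "removal tool.zip"
SPOOFED_SENDERS = {"securityresponse@symantec.com", "security@microsoft.com",
                   "security@trendmicro.com"}
BODY_MARKER = "ahker, the e variant"


def score_message(raw: bytes) -> dict:
    """Report which W32/Ahker-E lure indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    _, sender = parseaddr(msg.get("From") or "")
    attachments = [(part.get_filename() or "").lower()
                   for part in msg.iter_attachments()]
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    hits = {
        "subject": subject in AHKER_SUBJECTS,
        "attachment": AHKER_ATTACHMENT in attachments,
        "spoofed_sender": sender.lower() in SPOOFED_SENDERS,
        "body": BODY_MARKER in body,
    }
    # The ZIP name is the strongest single indicator; require it plus at least one
    # more so a genuine vendor mail with a similar subject is not flagged alone.
    hits["verdict"] = hits["attachment"] and sum(hits.values()) >= 2
    return hits


def build_sample(subject, sender, body, attachment_name=None) -> bytes:
    """Build a constructed test message (not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"PK\x03\x04 constructed, not a real archive",
                           maintype="application", subtype="zip",
                           filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: the worm's lure, a benign mail that reuses one subject, and a benign mail.
LURE = build_sample(
    "Read this TWICE!", "securityresponse@symantec.com",
    "We have been informed that you are one of the victims of the latest worm: "
    "Ahker, the E variant.\nYou're computer is infected with this worm!",
    "Removal Tool.zip")
SUBJECT_ONLY = build_sample("Please READ!", "colleague@example.invalid",
                            "Please read the attached meeting notes.", "notes.zip")
BENIGN = build_sample("Weekly report", "colleague@example.invalid",
                      "Report attached.", "report.zip")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("subject only", SUBJECT_ONLY), ("benign", BENIGN)):
        print(label, score_message(raw))
```

For gateway use, check the envelope sender (MAIL FROM) as well as the From: header, since the header is the spoofed field here; and treat the attachment-name match on its own as worth quarantining even when the subject has been varied.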
W32/Ahker-E will attempt to spread through P2P file sharing networks by copying itself to shared folders with the following filenames:
Britney_porno.exe
Celeb uncensord.exe
Naked Britney.exe
Naked Celebrity.exe
Naked WWE Divas.exe
Nude Britney.exe
PamelaAnderson.exe
Paris-Hilton.exe
Paris Hilton.exe
parishilton.exe
Porn.exe
Porn_Celeb.exe
PORNO.exe
Sex.exe
SUCK.exe
wwedivas.exe
XXX.exe
When first run, W32/Ahker-E will copy itself to the user's Startup folder as BADO.EXE and MICHO.EXE. The worm will also copy itself to the Windows folder as BAZZI.EXE. In order to run automatically each time a user logs in, W32/Ahker-E will set the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Generic Host Process for Win32 Services" = "bazzi.exe"
W32/Ahker-E will associate itself with the opening of text files by setting the following registry entry:
HKCR\txtfile\Shell\open\command
(Default) = "bazzi.exe %1"
W32/Ahker-E will download a ZIP copy of itself from a website in order to send out via email. W32/Ahker-E will also download and run an executable file, currently also detected as W32/Ahker-E. This file will be copied to the user's Startup folder.
W32/Ahker-E will attempt to change the computer name to "Agent Hacker".
W32/Ahker-E will attempt to terminate the following processes:
bbeagle.exe
ccApp.exe
d3dupdate.exe
i11r54n4.exe
irun4.exe
msblast.exe
MSBLAST.exe
mscvb32.exe
navapw32.exe
navw32.exe
netstat.exe
outpost.exe
PandaAVEngine.exe
Penis32.exe
rate.exe
ssate.exe
sysinfo.exe
SysMonXP.exe
taskmon.exe
teekids.exe
wincfg32.exe
winsys.exe
winupd.exe
zapro.exe
zonealarm.exe
W32/Ahker-E will append the following lines to the HOSTS file in order to deny access to certain websites:
127.0.0.1 avp.com
127.0.0.1 ca.com
127.0.0.1 customer.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 f-secure.com
127.0.0.1 grisoft.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mast.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 rads.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.avp.com
127.0.0.1 www.ca.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.viruslist.com
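Because these HOSTS entries silence exactly the sites an operator needs for cleanup (vendor update servers and Windows Update), the file has to be repaired before any signature update or removal-tool download will succeed. The following Python is an added example, not Sophos code, that audits a HOSTS file and separates the worm's sinkhole entries from legitimate lines. The sample file is constructed for the demonstration; the domain list is the set of registrable domains from the entries above, matched as suffixes, so it also catches any further host name under those domains that the list does not enumerate.

```python
import ipaddress

# Registrable domains the worm sinkholes (from the HOSTS list above). Matching on
# the suffix also catches www., liveupdate., download. and similar host names.
SINKHOLED_DOMAINS = {
    "avp.com", "ca.com", "f-secure.com", "grisoft.com", "kaspersky-labs.com",
    "kaspersky.com", "mcafee.com", "microsoft.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "sophos.com", "symantec.com",
    "symantecliveupdate.com", "trendmicro.com", "viruslist.com",
}


def is_sinkholed_name(name: str) -> bool:
    """True if the host name is, or sits under, one of the vendor domains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SINKHOLED_DOMAINS)


def is_sinkhole_address(addr: str) -> bool:
    """127.x.x.x, ::1 and 0.0.0.0 all make the mapped name unreachable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str):
    """Split HOSTS file contents into (kept_lines, flagged_lines).

    A line is flagged only when BOTH the address is a sinkhole AND at least one
    of its names is a vendor host; '127.0.0.1 localhost' and local overrides
    pointing at real addresses survive untouched.
    """
    kept, flagged = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on any whitespace
        if (len(fields) >= 2 and is_sinkhole_address(fields[0])
                and any(is_sinkholed_name(n) for n in fields[1:])):
            flagged.append(line)
        else:
            kept.append(line)
    return kept, flagged


def clean_hosts(text: str) -> str:
    """Return the HOSTS file contents with the worm's entries removed."""
    kept, _ = audit_hosts(text)
    return "\n".join(kept) + "\n"


# Constructed sample: a default Windows HOSTS file plus a local override and four
# of the worm's additions (tabs and extra spaces are deliberate).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# Constructed sample for the demonstration.
127.0.0.1       localhost
::1             localhost
10.0.0.5\tintranet.example      # legitimate local override, must survive
127.0.0.1 avp.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.sophos.com
"""

if __name__ == "__main__":
    kept, flagged = audit_hosts(SAMPLE_HOSTS)
    print("flagged:", *flagged, sep="\n  ")
    print(clean_hosts(SAMPLE_HOSTS))
```

On Windows the file is %SystemRoot%\System32\drivers\etc\hosts; after rewriting it, run ipconfig /flushdns so that cached loopback answers are discarded, and re-check the file after the worm process has been stopped, since a still-running copy will simply append the entries again.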
W32/Ahker-E will set the following registry entries:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\systemrestore
"DisableSR" = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoRun" = 1
"DisallowRun" = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
"1" = "regedit.exe"
"2" = "notepad.exe"
"3" = "wordpad.exe"
"4" = "write.exe"
"5" = "wuauclt.exe"
"6" = "wupdmgr.exe"
"7" = "msnmsgr.exe"
"8" = "LUALL.exe"
"9" = "AUPDATE.exe"
"10" = "ALUNOTIFY.exe"
"13" = "DAP.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableTaskMgr" = 1
"DisableRegistryTools" = 1

HKCU\Software\Microsoft\security center
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusDisableNotify" = 1

HKCU\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
"EnableFirewall" = 1

HKCU\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
"EnableFirewall" = 1

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
"NoAutoUpdate" = 1
"AUOptions" = 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
"Windows auto update" = "bazzi.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runservices-
"Win32 Service" = "bazzi.exe"

HKLM\SOFTWARE\Microsoft\security center
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusDisableNotify" = 1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
"EnableFirewall" = 1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
"EnableFirewall" = 1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
"AUOptions" = 1
"NoAutoUpdate" = 1
W32/Ahker-E will set the following registry entries, depending on the current state of the worm:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
"11" = "micho.exe"
"12" = "bado.exe"
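The policy entries in this section, together with the Run and txtfile entries described earlier, can be checked offline against a registry export, which is the form in which an incident responder usually receives them from an infected machine. The following Python is an added example, not Sophos code: it parses the .reg export format written by reg export or Regedit and flags the values that match the indicators in this description. The export text is constructed for the demonstration and includes one legitimate Run value to show that it is not reported. The rules are written as patterns rather than exact matches, so that, for instance, any value whose data launches bazzi.exe is reported whatever its name or key.

```python
import re

_SECTION = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\path]
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "Name"=data  or  @=data


def _decode(data: str):
    """Decode the data side of a .reg value line: quoted strings and dword: only."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data   # hex:, hex(2): etc. are left as raw text


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1)
            keys[current][name] = _decode(m.group(2))
    return keys


# (finding, key-path regex, value-name regex, predicate on decoded data); first match wins.
RULES = [
    ("value data launches the worm binary bazzi.exe", r".", r".",
     lambda d: isinstance(d, str) and "bazzi.exe" in d.lower()),
    ("txtfile open handler no longer runs notepad.exe",
     r"\\txtfile\\shell\\open\\command$", r"^@$",
     lambda d: isinstance(d, str) and "notepad.exe" not in d.lower()),
    ("Explorer policy: Run dialog blocked / DisallowRun enabled",
     r"\\policies\\explorer$", r"^(NoRun|DisallowRun)$", lambda d: d == 1),
    ("program added to the DisallowRun blocklist",
     r"\\policies\\explorer\\disallowrun$", r".", lambda d: True),
    ("Task Manager or Registry Editor disabled", r"\\policies\\system$",
     r"^(DisableTaskMgr|DisableRegistryTools)$", lambda d: d == 1),
    ("Security Center warning suppressed", r"\\security center$",
     r"DisableNotify$", lambda d: d == 1),
    ("Automatic Updates disabled", r"\\windowsupdate\\au$",
     r"^(NoAutoUpdate|AUOptions)$", lambda d: d == 1),
    ("System Restore disabled", r"\\systemrestore$", r"^DisableSR$", lambda d: d == 1),
]


def audit_reg(text: str) -> list:
    """Return [(key, value_name, data, finding)] for every value matching a rule."""
    findings = []
    for key, values in parse_reg(text).items():
        for name, data in values.items():
            for finding, key_re, name_re, pred in RULES:
                if (re.search(key_re, key, re.I) and re.search(name_re, name, re.I)
                        and pred(data)):
                    findings.append((key, name, data, finding))
                    break
    return findings


# Constructed export (not taken from a real machine); 'ctfmon' is a benign control value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Generic Host Process for Win32 Services"="bazzi.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="bazzi.exe %1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="regedit.exe"
"2"="notepad.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"AUOptions"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, data, finding in audit_reg(SAMPLE_REG):
        print(f"{finding}: {key} -> {name!r} = {data!r}")
```

reg export writes UTF-16 with a byte-order mark on current Windows versions, so read such a file with open(path, encoding="utf-16") before passing it to audit_reg; REGEDIT4-format files are ANSI. Values stored as hex(2): (REG_EXPAND_SZ) are left undecoded, so a txtfile handler exported in that form would be reported by the notepad rule even when legitimate; decode it as UTF-16LE first if you meet one.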
W32/Ahker-E will attempt a Denial of Service (DoS) attack against www.windowsupdate.microsoft.com.
Periodically, W32/Ahker-E will attempt to shut down the computer.
W32/Ahker-E will append vanity text to a number of system files:
<Windows system folder>\firewall.dll with "Agent Hacker rules!"
<Windows system folder>\hal.dll with "Genes don't contain any record of humain history, you'll NEVER catch me!(Agent Hacker - Bazzi)"
<Windows system folder>\svcpack.dll with a URL
