Summary
| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 31 March 2005 08:34:20 (GMT) |
| Detected by | All Sophos products |

- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action
Please follow the instructions for removing worms.
Please contact technical support.
More Information
W32/Ahker-F is a mass-mailing and P2P worm. W32/Ahker-F may also attempt to spread via mIRC.
W32/Ahker-F will download a ZIP copy of itself from a website in order to send out via email.
W32/Ahker-F will attempt a Denial of Service (DoS) attack against www.windowsupdate.microsoft.com and www.rohitab.com.
W32/Ahker-F will append lines to the HOSTS file in order to deny access to certain websites.
W32/Ahker-F will attempt to terminate a predefined list of processes.
W32/Ahker-F will mail itself out to email addresses found on an infected computer.
W32/Ahker-F will arrive as a ZIP attachment to an email. The characteristics of the email will be as follows:
Attachment name: "Clip.zip"
Subject:
Service pack 2 update!
Read this for your own good!:
Service pack 2 bug!
Read! hurry! before it's too late!
Microsoft windows service pack 2 bug!:
Microsoft's worst mistake!
Read this for your PC safety!
Please READ!
Nice!
...HOT!!
Free!
Read it!
Read this TWICE!
Believe it or not!
Oh hell its true!
RATED 21!
From: Administrator@worldsex.com
Body:
Hey buddy,
Check out this new porn clip of Britney Sprers!
Very Short but HOT!!
DOWNLOAD IT and WATCH IT!
Adminstrator
From: owner@xxxceleb.com
Body:
Hello!
Paris Hilton new SEX TAPE has been released!
In the attachment you will find some short quick scenes(HOT!!) that I liked the most!!
Download it! I know its SHORT but at least youve watched the HOTTEST parts of it!
Owner
From: Clip@celebporno.com
Body:
Hi...
Watch this and tell me what you think!
Download it! Its short but its VERY HOT!
Clip Owner
From: Admin@fuckcelebrity.com
Body:
Hell yeah...it's Pam!
Watch this latest clip of Pamela Anderson!
You will find the clip in the attachment! Enjoy!
Admin
From: cought@worldporn.com
Body:
Hi,
Watch Angelina Jolie and Brad Pitt cought on TAPE!
SEXY CLIP! WATCH IT!
Admin and Owner
W32/Ahker-F will attempt to spread through P2P file sharing networks by copying itself to shared folders with the following filenames:
Paris-Hilton.exe
Britney_porno.exe
PamelaAnderson.exe
wwedivas.exe
Porn_Celeb.exe
parishilton.exe
Sex.exe
Porn.exe
Paris Hilton.exe
PORNO.exe
XXX.exe
Naked WWE Divas.exe
Naked Britney.exe
Naked Celebrity.exe
Celeb uncensord.exe
SUCK.exe
Nude Britney.exe
W32/Ahker-F will attempt to spread as NUDE BRITNEY.EXE via mIRC by modifying mirc.ini.
When first run, W32/Ahker-F will copy itself to the user's Startup folder as SVCHOST-.EXE. The worm will also copy itself to %HOMEDRIVE%\LSASS.EXE. In order to run automatically each time a user logs in, W32/Ahker-F will set the following registry entry:
| Key | Value name | Data |
|---|---|---|
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | LSA Shell (Export Version) | %HOMEDRIVE%\LSASS.exe |
W32/Ahker-F will associate itself with the opening of text files by setting the following registry entry:
| Key | Value name | Data |
|---|---|---|
| HKCR\txtfile\Shell\open\command | @ (default) | %HOMEDRIVE%\LSASS.exe %1 |
W32/Ahker-F will download a ZIP copy of itself from a website in order to send out via email. W32/Ahker-F will also download and run an executable file, currently also detected as W32/Ahker-F. This file will be copied to the user's Startup folder.
W32/Ahker-F will attempt to change the computer name to "Agent Hacker".
W32/Ahker-F will attempt to terminate the following processes:
i11r54n4.exe
irun4.exe
d3dupdate.exe
rate.exe
ssate.exe
winsys.exe
ccApp.exe
winupd.exe
SysMonXP.exe
bbeagle.exe
Penis32.exe
teekids.exe
MSBLAST.exe
mscvb32.exe
sysinfo.exe
PandaAVEngine.exe
taskmon.exe
wincfg32.exe
outpost.exe
zonealarm.exe
navapw32.exe
navw32.exe
zapro.exe
msblast.exe
netstat.exe
dap.exe
W32/Ahker-F will append the following lines to the HOSTS file in order to deny access to certain websites:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 www.nai.com
127.0.0.1 nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 grisoft.com
127.0.0.1 windowsupdate.microsoft.com
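A defender-side check for the HOSTS tampering described above, added here as an example and not part of the Sophos analysis: it parses a HOSTS file and reports every entry that maps a security-vendor or update domain (the watchlist is taken from the list above) to a loopback or 0.0.0.0 sinkhole address. The sample HOSTS contents are constructed.

```python
import ipaddress
import re

# Domains from the HOSTS list above; any subdomain of these also counts.
WATCHED_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "f-secure.com", "kaspersky.com", "kaspersky-labs.com", "avp.com",
    "networkassociates.com", "nai.com", "ca.com", "my-etrust.com",
    "viruslist.com", "trendmicro.com", "grisoft.com", "windowsupdate.microsoft.com",
)

def _is_loopback(addr):
    """True for 127.0.0.0/8, ::1 and the 0.0.0.0 sinkhole address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def _is_watched(hostname):
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)

def find_hosts_tampering(hosts_text):
    """Return (line_no, address, hostname) for every loopback/sinkhole mapping
    of a watched domain; comments, blank lines and tab separators are handled."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        addr, hostnames = fields[0], fields[1:]
        if not _is_loopback(addr):
            continue
        for host in hostnames:
            if _is_watched(host):
                findings.append((line_no, addr, host))
    return findings

# Constructed sample: default entries with three worm-style lines appended.
SAMPLE_HOSTS = """\
# Default HOSTS file entries (constructed sample)
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.sophos.com
127.0.0.1\tliveupdate.symantecliveupdate.com
0.0.0.0 windowsupdate.microsoft.com   # sinkhole variant
"""
```

Calling `find_hosts_tampering(SAMPLE_HOSTS)` reports lines 4, 5 and 6; the two `localhost` entries are ignored because `localhost` is not on the watchlist.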
W32/Ahker-F will set the following registry entries:

| Key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows NT\CurrentVersion\systemrestore | DisableSR | 1 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoRun | 1 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | DisallowRun | 1 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 1 | regedit.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 2 | notepad.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 3 | wordpad.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 4 | write.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 5 | wuauclt.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 6 | wupdmgr.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 7 | msnmsgr.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 8 | LUALL.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 9 | AUPDATE.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 10 | ALUNOTIFY.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 12 | DAP.exe |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr | 1 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools | 1 |
| HKCU\Software\Microsoft\security center | FirewallDisableNotify | 1 |
| HKCU\Software\Microsoft\security center | UpdatesDisableNotify | 1 |
| HKCU\Software\Microsoft\security center | AntiVirusDisableNotify | 1 |
| HKCU\Software\Policies\Microsoft\WindowsFirewall\DomainProfile | EnableFirewall | 1 |
| HKCU\Software\Policies\Microsoft\WindowsFirewall\StandardProfile | EnableFirewall | 1 |
| HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU | NoAutoUpdate | 1 |
| HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU | AUOptions | 1 |
| HKLM\SOFTWARE\Microsoft\security center | FirewallDisableNotify | 1 |
| HKLM\SOFTWARE\Microsoft\security center | UpdatesDisableNotify | 1 |
| HKLM\SOFTWARE\Microsoft\security center | AntiVirusDisableNotify | 1 |
| HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile | EnableFirewall | 1 |
| HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile | EnableFirewall | 1 |
| HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU | AUOptions | 1 |
| HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU | NoAutoUpdate | 1 |
| HKLM\SOFTWARE\speedBit\Download Accelerator | BrowserIntegration | 0 |
W32/Ahker-F will set the following registry entries, depending on the current state of the worm:

| Key | Value name | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | 11 | svchost-.exe |
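A check over a Registration Editor (.reg) export for the policy tampering listed above, added here as an example and not taken from the Sophos analysis: it parses the export text and flags the value names the worm sets (Task Manager and Registry Editor lockout, Security Center notification suppression, Automatic Updates policy, and every DisallowRun entry). The export text is constructed, so the check runs on any platform.

```python
import re

# Per-key value names listed above (compared case-insensitively; HKCU/HKLM share an entry).
TAMPER_VALUES = {
    r"software\microsoft\windows\currentversion\policies\system":
        {"disabletaskmgr", "disableregistrytools"},
    r"software\microsoft\security center":
        {"firewalldisablenotify", "updatesdisablenotify", "antivirusdisablenotify"},
    r"software\policies\microsoft\windows\windowsupdate\au":
        {"noautoupdate", "auoptions"},
}
# Every value under this key names a program Explorer will refuse to launch.
DISALLOWRUN = r"software\microsoft\windows\currentversion\policies\explorer\disallowrun"

def parse_reg_export(text):
    """Yield (key, value_name, data); dword: -> int, "..." -> str, else raw."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and key is not None:
            data = m.group(2)
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes
            yield key, m.group(1), data

def find_policy_tampering(text):
    """Return (hive, subkey, value_name, data) for each value the worm sets."""
    hits = []
    for key, name, data in parse_reg_export(text):
        hive, _, path = key.partition("\\")
        path = path.lower()
        if path == DISALLOWRUN or name.lower() in TAMPER_VALUES.get(path, ()):
            hits.append((hive, path, name, data))
    return hits

# Constructed export: three values from the list above plus one unrelated value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"Unrelated"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="regedit.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"""
```

`find_policy_tampering(SAMPLE_REG)` returns three hits and skips the `Unrelated` value; on a live system the input would be the output of `reg export` for the keys of interest.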
W32/Ahker-F will attempt a Denial of Service (DoS) attack against www.windowsupdate.microsoft.com and www.rohitab.com.
Periodically, W32/Ahker-F will attempt to shut down the computer.
W32/Ahker-F will create a file named C:\Ahker.F.dat with the following text:
Don't blame me, Agent Hacker for creating these worms. BLAME www.rohitab.com!
W32/Ahker-F will append a number of system files with vanity text:
%SYSTEM%\firewall.dll with "Agent Hacker rules!"
%SYSTEM%\hal.dll with: "Genes don't contain any record of humain history, you'll NEVER catch me!(Agent Hacker - Bazzi)"
%SYSTEM%\svcpack.dll with a URL
