Summary

| Detected by | All Sophos products |
|---|---|

More Information
W32/Blinkom-A is a worm which attempts to spread via SMTP, IRC channels, KaZaA peer-to-peer shared folders, ICQ shared folders and by copying itself to drive A:.
Emails may arrive with messages in either English or Spanish and have one of the following sets of characteristics:
Subject line: Los mejores chistes de Bin Laden
Message text: A todos mis amigos. Los mejores chistes que me enviaron, éstos son los mejores.
Attached file: BinLadilla.pif

Subject line: HISPASEC
Message text: Esta es la prueba de que HISPASEC roba importantes bases de datos de muchas compañías, incluso hotmail. (los campos en blanco son algunos datos omitidos por razones de anonimato y seguridad).
Attached file: Noticia45.Txt.pif

Subject line: Base de datos. Carnivore.
Message text: BO2K publica parte de la base de datos recopilada por Carnivore.
Attached file: CarnivoreStory.Pif

Subject line: VAN A VENDER HOTMAIL
Message text: parece que los de microsoft no se la pudieron, prefirieron dedicarle tiempo al windows, amenazan con borrar las cuentas, pero se puede evitar siguiendo unos estatuts que ellos ponen a disposición. leelos o no tendras mas cuenta. chao.
Attached file: Estatutos.Pif

Subject line: HISPASEC
Message text: This is the probe that HISPASEC steals important databases of many companies (the fields in blank_target are some data omitted by security and anonimity reasons)
Attached file: NewsHS.Txt.pif

Subject line: Carnivore databases
Message text: BO2K publish pieces of database gathered by Carnivore.
Attached file: CarnivoreStory.Pif
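
As an added example (not Sophos code), a mail-gateway style check that flags attachments whose names match those listed above and, more generally, executable or double-extension attachment names. The `.scr`/`.exe` and decoy extension sets, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment names listed in the description above, lower-cased for comparison.
KNOWN_NAMES = {"binladilla.pif", "noticia45.txt.pif", "carnivorestory.pif",
               "estatutos.pif", "newshs.txt.pif"}
# Generalisation (assumption): other directly executable extensions besides .pif.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe"}
# Assumption: harmless-looking extensions used as a decoy (e.g. Noticia45.Txt.pif).
DECOY_EXTS = {".txt", ".doc", ".jpg"}

def classify_attachment(filename):
    """Return the reasons an attachment name is suspicious (empty list if none)."""
    name = filename.strip().lower()
    suffixes = PurePosixPath(name).suffixes
    reasons = []
    if name in KNOWN_NAMES:
        reasons.append("known-blinkom-name")
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            reasons.append("double-extension")
    return reasons

def scan_message(raw):
    """Parse a raw message and map each flagged attachment name to its reasons."""
    msg = message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        fname = part.get_filename()
        reasons = classify_attachment(fname) if fname else []
        if reasons:
            findings[fname] = reasons
    return findings

def build_sample():
    """Constructed sample message with a harmless placeholder attachment body."""
    msg = EmailMessage()
    msg["Subject"] = "HISPASEC"
    msg.set_content("placeholder body")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="NewsHS.Txt.pif")
    return msg.as_string()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```
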
W32/Blinkom-A may drop copies of itself to the following folders and drives:
C:\Windows\Blink 182.scr
C:\Windows\RaZor.scr
C:\Windows\Cloud Strife.scr
C:\Windows\Kuasanagui.scr
C:\Windows\
C:\Windows\HOKO.scr
C:\Windows\ErGrone.scr
C:\Windows\Jtag.scr
C:\Windows\XpLOaD.scr
C:\Windows\NERFIX.scr
C:\Windows\NEMESIZZ.scr
C:\Windows\Tom.scr
C:\Windows\Marc.scr
C:\Windows\Travis.scr
C:\Windows\BOX CAR RACER.scr
C:\Windows\Take Off Youre Pants And Youre Jacket.scr
C:\Windows\Damm You!.scr
C:\Windows\ENEMA.scr
C:\Windows\DUDE RANCH.scr
C:\Windows\Cheshire Cat.scr
C:\Windows\Guitar.scr
C:\Windows\Punk Power!.scr
C:\Program Files\KaZaA\My Shared Folder\Blink 182.scr
C:\Program Files\KaZaA\My Shared Folder\Box Car Racer.scr
C:\Program Files\KaZaA\My Shared Folder\Blink 182 All Videos.exe
C:\Program Files\KaZaA\My Shared Folder\KaZaA UpDate.exe
C:\Program Files\KaZaA\My Shared Folder\Songs.scr
C:\Program Files\KaZaA\My Shared Folder\Anna Kournikova.scr
C:\Program Files\KaZaA\My Shared Folder\All The Small Things All Screen Video.scr
C:\Program Files\KaZaA\My Shared Folder\My Screen Saver.scr
C:\Program Files\KaZaA\My Shared Folder\Telephone Numbers The Video.scr
C:\Program Files\KaZaA\My Shared Folder\Fun Screen.scr
C:\Program Files\KaZaA\My Shared Folder\MeGa CiBer ScReeN SavEr.scr
C:\Program Files\KaZaA\My Shared Folder\Osama The King.scr
C:\Program Files\KaZaA\My Shared Folder\Marc Tom And Travis.scr
C:\Program Files\ICQ\shared files\ICQ Power Edition.exe
C:\Program Files\ICQ\shared files\ICQ SMS Plus.exe
C:\Program Files\ICQ\shared files\ICQ Screen Saver.scr
C:\Program Files\ICQ\shared files\ICQ Millenium Screen.scr
C:\Program Files\ICQ\shared files\ICQ Fire Screen.scr
C:\Program Files\ICQ\shared files\ICQ Ice Screen.scr
C:\Program Files\ICQ\shared files\ICQ Natural Screen.scr
A:\Nude Screen.scr
A:\SeX ScReen Saver.scr
A:\Playboy Screen Saver.scr
A:\Shakira Screen Saver.scr
The worm also attempts to disable certain firewall programs (ZoneAlarm, BlackIce, Tiny and Sygate), delete files related to anti-virus software, disable registry settings related to macro security within Microsoft Office and run itself on system restart by adding an entry to SYSTEM.INI.
W32/Blinkom-A attempts to add the following entries to the registry:
HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder = "Blink Folder"
HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder\VEDataFilePath = "The Blink Path"
HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder\VEIndexFilePath = "The Plink, the Blink, the Oink"
HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder\MainDir = "Blink virus & the Batch company"
HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder\Folder = "Plink it's the Blink guitarrist yeeeeeh!"
HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Options\EnableMacroVirusProtection = "0"
HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options\EnableMacroVirusProtection = "0"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = "Blink"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwnerRegisteredOrganization = "The Blink company inc."

