Summary
| Field | Value |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 7 April 2004 16:02:19 (GMT) |
| Detected by | All Sophos products |

Action
Please follow the instructions for removing worms.
Please contact technical support.
More Information
W32/Cazdeg-C is a large VBScript worm that exhibits a great deal of functionality when executed.
W32/Cazdeg-C targets users of common peer-to-peer networks by dropping multiple copies of itself, packed in ZIP files with misleading names, into the shared folders listed below.
The worm looks for the following folders in C:\Program Files:
Applejuice\incoming
eDonkey2000\incoming
Gnucleus\Downloads
Grokster\my Grokster
ICQ\shared files
Kazaa\My Shared Folder
Kazaa Lite\My Shared Folder
LineWire\Shared
Morpheus\my Shared Folder
Overnet\incoming
Shareaza\Downloads\
Swaptor\Download
WinMX\My Shared Folder
3Tesla\Files
XoloX\Downloads
Rapigator\Share
KMD\My Shared Folder
BearShare\Shared
W32/Cazdeg-C will also attempt to drop zipped copies of itself to the folders C:\My Downloads and C:\My Shared Folder should they exist.
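A defender-side check for the peer-to-peer drop locations described above. This is an added example and not Sophos code: it takes the folder names exactly as the write-up lists them, looks in each one that exists for recently written ZIP files, and returns them for review. The age cut-off, the `recent_zips`/`demo` function names and the sample directory tree are constructed here so the check runs offline on any platform; on a Windows host the same function is pointed at `C:\Program Files` and the drive root.

```python
from __future__ import annotations

import os
import tempfile
import time
from pathlib import Path

# Folder names relative to C:\Program Files, exactly as listed in the write-up.
P2P_SHARE_FOLDERS = [
    r"Applejuice\incoming", r"eDonkey2000\incoming", r"Gnucleus\Downloads",
    r"Grokster\my Grokster", r"ICQ\shared files", r"Kazaa\My Shared Folder",
    r"Kazaa Lite\My Shared Folder", r"LineWire\Shared", r"Morpheus\my Shared Folder",
    r"Overnet\incoming", r"Shareaza\Downloads", r"Swaptor\Download",
    r"WinMX\My Shared Folder", r"3Tesla\Files", r"XoloX\Downloads",
    r"Rapigator\Share", r"KMD\My Shared Folder", r"BearShare\Shared",
]
# The two extra drop locations the write-up names, relative to the drive root.
EXTRA_DROP_FOLDERS = [r"My Downloads", r"My Shared Folder"]


def candidate_folders(program_files: Path, drive_root: Path) -> list[Path]:
    """Resolve every folder the worm looks for. The backslash-separated names
    are split into components so the same list works on a non-Windows test host."""
    folders = [program_files.joinpath(*rel.split("\\")) for rel in P2P_SHARE_FOLDERS]
    folders += [drive_root.joinpath(*rel.split("\\")) for rel in EXTRA_DROP_FOLDERS]
    return folders


def recent_zips(program_files: Path, drive_root: Path, max_age_s: float) -> list[Path]:
    """Return .zip files in any existing candidate folder modified within the
    last max_age_s seconds. Folders that do not exist are skipped, which is the
    normal case on a host without that P2P client installed."""
    cutoff = time.time() - max_age_s
    hits: list[Path] = []
    for folder in candidate_folders(program_files, drive_root):
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            if (entry.is_file() and entry.suffix.lower() == ".zip"
                    and entry.stat().st_mtime >= cutoff):
                hits.append(entry)
    return sorted(hits)


def build_sample_tree(root: Path) -> tuple[Path, Path]:
    """Constructed sample (an assumption, not from the write-up): a fake Program
    Files with one Kazaa share holding a fresh ZIP and a year-old ZIP, plus a
    My Downloads folder holding a non-archive."""
    program_files = root / "Program Files"
    kazaa = program_files / "Kazaa" / "My Shared Folder"
    kazaa.mkdir(parents=True)
    eocd = b"PK\x05\x06" + b"\0" * 18  # minimal empty-archive end-of-central-directory record
    (kazaa / "recent_drop.zip").write_bytes(eocd)
    old = kazaa / "last_year.zip"
    old.write_bytes(eocd)
    year_ago = time.time() - 365 * 86400
    os.utime(old, (year_ago, year_ago))
    downloads = root / "My Downloads"
    downloads.mkdir()
    (downloads / "notes.txt").write_text("not an archive")
    return program_files, root


def demo() -> dict[str, list[str]]:
    """Run the check over the constructed tree with two cut-offs and return
    the file names found under each."""
    with tempfile.TemporaryDirectory() as tmp:
        program_files, drive_root = build_sample_tree(Path(tmp))
        week = recent_zips(program_files, drive_root, 7 * 86400)
        two_years = recent_zips(program_files, drive_root, 2 * 365 * 86400)
        return {"last_week": [p.name for p in week],
                "last_two_years": [p.name for p in two_years]}


if __name__ == "__main__":
    # On a real host: recent_zips(Path("C:\\Program Files"), Path("C:\\"), 7 * 86400)
    print(demo())
```

A ZIP that appears in one of these shares shortly after the infection window is only a lead, not proof: the check narrows down what to hand to the scanner, and the age cut-off should be set from the incident timeline rather than left at a week.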
W32/Cazdeg-C will attempt to spread via email by copying itself to the file C:\Program files\Common Files\Microsoft Shared\Stationary\Template.htm with an HTML wrapper and setting the following related registry entries:
HKCU\Software\Microsoft\Office\10.0\Common\Mail Settings\New Stationary = Template
HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360 = Template
HKCU\Software\Microsoft\WindowsNT\Current Version\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360 = Template
HKCU\Identities\<Default user ID>\Software\Microsoft\Outlook Express\5.0\Mail\Compose Use Stationary = 1
HKCU\Identities\<Default user ID>\Software\Microsoft\Outlook Express\5.0\Mail\Message Send HTML = 1
HKCU\Identities\<Default user ID>\Software\Microsoft\Outlook Express\5.0\Mail\Stationary Name = C:\Windows\System\Template.htm
HKCU\Identities\<Default user ID>\Software\Microsoft\Outlook Express\5.0\Mail\Wide Stationary Name = C:\Windows\System\Template.htm
HKCU\Software\Microsoft\Office\8.0\Outlook\Options\Mail\EditorPreference = 131072
HKCU\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference = 131072
HKCU\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference = 131072
The file Sendi.exe will be dropped and run in the background providing email functionality for the worm, possibly as an SMTP server used to send information about infected systems back to the author.
W32/Cazdeg-C will drop an IRC backdoor that will listen in the background for instructions from a remote attacker.
W32/Cazdeg-C will also attempt to copy itself to the floppy drive after intervals of inactivity.
W32/Cazdeg-C will attempt to modify the global template of Microsoft Office such that opening a Word or Excel file will cause a copy of the worm to be dropped in the Windows\temp folder.
W32/Cazdeg-C will create a file called regsrv.exe that runs in the background and attempts to stop any anti-virus or security-related software from running.
W32/Cazdeg-C creates entries under the following registry key that point to copies of the worm, so that it is executed again on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
W32/Cazdeg-C also sets the registry entries below to prevent the registry of a compromised system from being cleaned up and, on systems that have Microsoft Word and Excel installed, to lower their macro security level:
HKCU\Software\Microsoft\Office\9.0\Word\Security\level = 1
HKCU\Software\Microsoft\Office\9.0\Excel\Security\level = 1
HKCU\Software\Microsoft\Office\10.0\Word\Security\level = 1
HKCU\Software\Microsoft\Office\10.0\Excel\Security\level = 1
HKCU\Software\Microsoft\Office\10.0\Word\Security\AccessVBOM = 1
HKCU\Software\Microsoft\Office\10.0\Excel\Security\AccessVBOM = 1
HKCU\Software\Microsoft\Windows\Current Version\policies\DisableRegistryTools = 1
HKCU\Software\Microsoft\WindowsNT\Current Version\policies\DisableRegistryTools = 1
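A registry audit covering both the email-spreading stationery settings listed earlier and the persistence and lock-down entries just above. This is an added example, not Sophos code. It uses only the value paths and data quoted in the write-up; the snapshot format (a dict of `HIVE\key path\value name` to data), the `audit`/`snapshot_from_winreg` names, and the sample snapshot are assumptions made here so the logic can be exercised offline. The write-up does not say what the Run-key entries point at, so listing Run entries that reference the dropped file names it does mention (regsrv.exe, Sendi.exe) or a .vbs script is an analyst's heuristic rather than the write-up's claim. On a Windows host `snapshot_from_winreg()` fills the same dict from the live registry with the standard `winreg` module.

```python
from __future__ import annotations

# Value path -> data exactly as the write-up lists them; "<Default user ID>" is
# the write-up's own placeholder for the Outlook Express identity GUID.
INDICATORS: dict[str, object] = {
    # Email spreading: HTML mail with the worm's Template.htm as stationery.
    r"HKCU\Software\Microsoft\Office\10.0\Common\Mail Settings\New Stationary": "Template",
    r"HKCU\Software\Microsoft\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360": "Template",
    r"HKCU\Software\Microsoft\WindowsNT\Current Version\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings\0a0d020000000000c000000000000046\001e0360": "Template",
    r"HKCU\Identities\<Default user ID>\Software\Microsoft\Outlook Express\5.0\Mail\Compose Use Stationary": 1,
    r"HKCU\Identities\<Default user ID>\Software\Microsoft\Outlook Express\5.0\Mail\Message Send HTML": 1,
    r"HKCU\Identities\<Default user ID>\Software\Microsoft\Outlook Express\5.0\Mail\Stationary Name": r"C:\Windows\System\Template.htm",
    r"HKCU\Identities\<Default user ID>\Software\Microsoft\Outlook Express\5.0\Mail\Wide Stationary Name": r"C:\Windows\System\Template.htm",
    r"HKCU\Software\Microsoft\Office\8.0\Outlook\Options\Mail\EditorPreference": 131072,
    r"HKCU\Software\Microsoft\Office\9.0\Outlook\Options\Mail\EditorPreference": 131072,
    r"HKCU\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference": 131072,
    # Lock-down: macro security lowered, VBA object model exposed, regedit disabled.
    r"HKCU\Software\Microsoft\Office\9.0\Word\Security\level": 1,
    r"HKCU\Software\Microsoft\Office\9.0\Excel\Security\level": 1,
    r"HKCU\Software\Microsoft\Office\10.0\Word\Security\level": 1,
    r"HKCU\Software\Microsoft\Office\10.0\Excel\Security\level": 1,
    r"HKCU\Software\Microsoft\Office\10.0\Word\Security\AccessVBOM": 1,
    r"HKCU\Software\Microsoft\Office\10.0\Excel\Security\AccessVBOM": 1,
    r"HKCU\Software\Microsoft\Windows\Current Version\policies\DisableRegistryTools": 1,
    r"HKCU\Software\Microsoft\WindowsNT\Current Version\policies\DisableRegistryTools": 1,
}
_INDEX = {path.lower(): data for path, data in INDICATORS.items()}  # registry names are case-insensitive
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
IDENT_PREFIX = "HKCU\\Identities\\"
# Dropped files the write-up names. Matching Run entries against them is an
# analyst's heuristic (assumption); the write-up does not name the Run entries.
DROPPED_NAMES = ("regsrv.exe", "sendi.exe", ".vbs")


def _same(expected: object, actual: object) -> bool:
    """String data is compared case-insensitively; numeric data exactly."""
    if isinstance(expected, str):
        return isinstance(actual, str) and expected.lower() == actual.lower()
    return actual == expected


def audit(snapshot: dict[str, object]) -> dict[str, list]:
    """Return the write-up's indicators present with the data the worm sets, and
    Run entries that reference one of the dropped file names."""
    findings: dict[str, list] = {"matches": [], "run_entries": []}
    for path, data in snapshot.items():
        norm = path
        if norm.lower().startswith(IDENT_PREFIX.lower() + "{"):
            # HKCU\Identities\{GUID}\... -> the write-up's placeholder form
            _guid, _, tail = norm[len(IDENT_PREFIX):].partition("\\")
            norm = IDENT_PREFIX + "<Default user ID>\\" + tail
        expected = _INDEX.get(norm.lower())
        if expected is not None and _same(expected, data):
            findings["matches"].append(path)
        elif path.lower().startswith(RUN_KEY.lower() + "\\"):
            if any(name in str(data).lower() for name in DROPPED_NAMES):
                findings["run_entries"].append((path.rsplit("\\", 1)[1], data))
    return findings


def snapshot_from_winreg() -> dict[str, object]:
    """Windows only: read the indicator values and every Run entry into the same
    dict shape, expanding the identity placeholder to each real identity GUID."""
    import winreg  # imported here so the module still loads on non-Windows hosts
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    wanted: list[str] = []
    for path in INDICATORS:
        if "<Default user ID>" not in path:
            wanted.append(path)
            continue
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, "Identities") as ids:
                i = 0
                while True:  # EnumKey raises OSError once the index runs out
                    wanted.append(path.replace("<Default user ID>", winreg.EnumKey(ids, i)))
                    i += 1
        except OSError:
            pass
    snap: dict[str, object] = {}
    for path in wanted:
        hive, _, rest = path.partition("\\")
        key, _, name = rest.rpartition("\\")
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                snap[path] = winreg.QueryValueEx(k, name)[0]
        except OSError:
            continue  # key or value absent: nothing to report
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY.partition("\\")[2]) as k:
            i = 0
            while True:  # EnumValue raises OSError once the index runs out
                name, data, _ = winreg.EnumValue(k, i)
                snap[RUN_KEY + "\\" + name] = data
                i += 1
    except OSError:
        pass
    return snap


# Constructed sample snapshot (assumption): a partly affected host.
SAMPLE_SNAPSHOT: dict[str, object] = {
    r"HKCU\Software\Microsoft\Office\10.0\Word\Security\level": 1,
    r"HKCU\Software\Microsoft\Office\10.0\Word\Security\AccessVBOM": 1,
    r"HKCU\Software\Microsoft\Office\10.0\Excel\Security\level": 3,  # default, untouched
    r"HKCU\Software\Microsoft\Windows\Current Version\policies\DisableRegistryTools": 1,
    r"HKCU\Identities\{CONSTRUCTED-GUID}\Software\Microsoft\Outlook Express\5.0\Mail\Stationary Name": r"c:\windows\system\template.htm",
    r"HKCU\Software\Microsoft\Office\10.0\Outlook\Options\Mail\EditorPreference": 131072,
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\regsrv": r"C:\WINDOWS\regsrv.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SoundTray": r"C:\WINDOWS\system32\sndtray.exe",
}

if __name__ == "__main__":
    print(audit(SAMPLE_SNAPSHOT))
```

A single lowered Office security level is weak evidence on its own, since users and other software set it too; the combination of the stationery settings, the EditorPreference values and DisableRegistryTools appearing together is what makes this worm's footprint distinctive, and the Run entries are what the clean-up has to remove before restart.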
Upon execution W32/Cazdeg-C will display a picture of singer Avril Lavigne.
W32/Cazdeg-C has a number of date-related payloads listed below.
- On the 3rd of the month W32/Cazdeg-C will run an HTA page called Estigma.hta that displays the following text in red on a black background - ****************GEDZAC LABS**************** VBS/Israfel by MachineDramon/GEDZAC Hecho en el Peru ,Calidad Mundial Libertad a Palestina, Iraq y Afganistan - Muerte al Imperialismo de eeuu! GEDZAC LABS 2003.
- On the 29th of the month W32/Cazdeg-C will open the URL www.avril-lavigne.com
- On the 19th of the month W32/Cazdeg-C will display the message box "19/12/2003 - Saludos a Cienciano campeon 2003 de la Copa Sudamericana"
- On the 11th and 26th of the month W32/Cazdeg-C will display a long paragraph of Spanish dialogue.
