Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 21 February 2005 09:19:04 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\32-bit Thunking service = <windows_system>\thunk32.exe
and delete it if it exists.
Close the registry editor.
More Information
W32/Derdero-A is a virus that spreads via email and common file sharing networks. The virus also attempts to infect all files with an .EXE extension on drive C:
When the worm runs for the first time it displays the message box with the text "Runtime error '4': String out of bounds".
In order to run automatically when Windows starts up, W32/Derdero-A copies itself to the files SysHeal.exe and thunk32.exe in the Windows system folder and adds the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\32-bit Thunking service = <windows_system>\thunk32.exe
The worm collects email addresses from the Windows address book.
The emails sent by the worm have the following characteristics:
Sender email address is spoofed.
Subject line (one of):
- Server Error
- AHKER.C Alert
- URGENT PLEASE READ!
- Detailde Information
- User Information
- New Worm Alert
- Malware Avoidance tips
Body text (chosen from):
- There is urgent information in the attachment regarding your Email account
- Your Email account information has been removed from the system due to inactivity. To renew your account information refer to the attachment.
- We regret to inform you that your account has been hijacked and used for illegal purposes. The attachment has more information about what has happened.
- Our Email system has recived repoorts of your account flooding email servers. There is more on this matter in the attachment.
- Due to recent internet attacks, your Email account security is being upgraded. The attachment contains more details.
- Our server is experiencing some latency in our email service. The attachment contains details on how your account will be affected.
- A new worm is circulating around. To protect yourself, read the attached document.
- Please run the urgent patch attached to protect yourself from a new worm.
- As a service to our users, we have attached a note on avoiding malware.
Attached file: combined from one of the file names
- Details
- Information
- Gift
- Word_document
- Account_Information
- Malware_prevention_tips
- Patch
and one of the extensions
- zip
- scr
- pif
- cmd
- exe
- doc.pif
- txt.exe
- bmp.cmd
W32/Derdero-A copies itself to filesharing folders of popular P2P applications. The worm uses the following filenames:
- Britney spears naked Playboy.jpeg[spaces].pif
- DVD Copier.exe
- Visual Studio.NET.FULL.rar[blank].exe
- Nero ACID new cd burning and p2p.exe
- Adobe Photoshop 6 Full Version.exe
- Windows Longhorn BETA.iso[spaces].exe
- WinAmp 5 Crack.exe
- WinRAR.exe
- Windows XP Pro SP2.pif
- Young teen gets reamed.mpg[spaces].pif
- jenna jameson screensver.scr
- Internet Explorer 7.exe
- Snood new version.exe
- Tits.mpeg[blank spaces].scr
- Norton AntiVirus 2006 BETA.exe
- Battlefield 1942.exe
- NETSKY SOURCE CODE.zip[spaces].exe
- Kazaa Lite 2005 Edition.zip[spaces].pif
- Windows XP crack.zip[spaces].exe
- Hot Teen Porn.mpeg[spaces].exe
W32/Derdero-A changes the Windows HOSTS file so that the user cannot access a number of anti-virus related sites.
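The attachment and P2P file names listed above share two naming tricks: a harmless-looking extension placed before the real executable one, and whitespace padding that pushes the real extension out of view. The following is an added example, not Sophos code, of a check a mail gateway or file-share scanner could apply to names; the sample names are constructed from the patterns on this page with `[spaces]` expanded to literal spaces, and the decoy-extension set is an assumption.

```python
# Extensions Windows runs directly; taken from the names listed on this page.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "cmd"}
# Harmless-looking extensions used as the visible decoy (assumed set, extend as needed).
DECOY_EXTS = {"doc", "txt", "bmp", "jpeg", "jpg", "mpg", "mpeg", "zip", "rar", "iso"}


def classify(filename):
    """Return the reasons a file name looks deceptive (empty list = not flagged)."""
    name = filename.strip()
    stem, dot, ext = name.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in EXECUTABLE_EXTS:
        return []  # final extension is not directly executable; out of scope here
    reasons = ["executable:" + ext]
    # Whitespace between the visible name and the real extension ("x.iso     .exe").
    if stem != stem.rstrip():
        reasons.append("padded")
    # A decoy extension immediately before the real one ("Details.doc.pif").
    visible = stem.rstrip()
    inner = visible.rpartition(".")[2].lower()
    if "." in visible and inner in DECOY_EXTS:
        reasons.append("decoy:" + inner)
    return reasons


def is_deceptive(filename):
    """True when the name is executable AND tries to hide that fact."""
    return len(classify(filename)) > 1


# Constructed sample names following the patterns described on this page.
SAMPLES = [
    "Details.doc.pif",
    "Account_Information.txt.exe",
    "Windows Longhorn BETA.iso          .exe",
    "WinRAR.exe",
    "meeting-notes.txt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "BLOCK" if is_deceptive(sample) else "pass "
        print(verdict, repr(sample), classify(sample))
```

Names such as `WinRAR.exe` are plainly executable and are left to ordinary attachment policy; the check targets only names that disguise the executable extension.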
