Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 24 October 2004 15:26:23 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Fightrub-A is a mass mailing worm that can also spread via file sharing networks.
W32/Fightrub-A can arrive with a variety of email subjects and file attachments, and is capable of spoofing the From address of the email.
On execution, the worm creates the folder C:\SYSNET2 and copies itself there as RUBY14.EXE. It then sets the following registry entry so that it runs automatically when Windows starts:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Ruby14
Additionally, W32/Fightrub-A sets the following registry entries so that the folder is shared by the KaZaA and iMesh file sharing applications if they are installed:
HKCU\Software\Kazaa\LocalContent\
dir0 = "012345:C:\\sysnet2\\"
HKCU\Software\Kazaa\Transfer\
dir0 = "012345:C:\\sysnet2\\"
HKCU\Software\iMesh\Client\LocalContent\
Dir0 = "012345:C:\\sysnet2\\"
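The following added example (not part of the original Sophos description) shows one way to triage collected host artifacts against the autostart entry, the drop folder and the file-sharing entries described above. The function names, the snapshot layout and the sample data are assumptions constructed for illustration, including the data assigned to the Ruby14 value.

```python
import re

# Indicators from the description above; keys are compared case-insensitively.
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
SHARE_KEYS = {
    r"hkcu\software\kazaa\localcontent",
    r"hkcu\software\kazaa\transfer",
    r"hkcu\software\imesh\client\localcontent",
}
WORM_DIR = r"c:\sysnet2"

def shared_path(value):
    """Return the folder named in a P2P share value, unescaped and lower-cased."""
    path = re.sub(r"^\d+:", "", value.strip())  # drop the numeric prefix (012345:)
    path = re.sub(r"\\+", r"\\", path)          # collapse doubled backslashes
    return path.rstrip("\\").lower()

def triage(registry, directories):
    """registry maps (key, value_name) to data; directories is a list of folders.
    Returns a sorted list of findings that match the description."""
    findings = []
    for (key, name), data in registry.items():
        k = key.rstrip("\\").lower()
        if k == RUN_KEY and name.lower() == "ruby14":
            findings.append(f"autostart: Run value {name} -> {data}")
        elif k in SHARE_KEYS and shared_path(data) == WORM_DIR:
            # Any value under the share keys is checked, not only dir0.
            findings.append(f"p2p-share: {key}\\{name} exposes {WORM_DIR}")
    for folder in directories:
        if folder.rstrip("\\").lower() == WORM_DIR:
            findings.append(f"drop-folder: {folder}")
    return sorted(findings)

# Constructed snapshot of one host (sample data, not a real capture).
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_REGISTRY = {
    (RUN, "Ruby14"): r"C:\SYSNET2\RUBY14.EXE",          # value data is assumed
    (RUN, "ctfmon"): r"C:\Windows\system32\ctfmon.exe",  # benign entry
    (r"HKCU\Software\Kazaa\LocalContent", "dir0"): "012345:C:\\\\sysnet2\\\\",
    (r"HKCU\Software\Kazaa\Transfer", "dir0"): "012345:C:\\Downloads\\",
    (r"HKCU\Software\iMesh\Client\LocalContent", "Dir0"): "012345:C:\\sysnet2\\",
}
SAMPLE_DIRS = ["C:\\SYSNET2", "C:\\Windows"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REGISTRY, SAMPLE_DIRS):
        print(finding)
```

The share value is normalized before comparison because it may be recorded with or without escaped backslashes and in either letter case.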
To be more enticing, the worm also makes copies of itself in this folder with the following file names:
A+ Certification Test.exe
Adobe Photoshop CS and ImageReady CS 8.0 Keygen.exe
Airport Tycoon II - NoCD.exe Crack.exe
All Adobe Products Keygen.exe
All Macromedia Products Keygen.exe
All Microsoft Products Keygen.exe
American Conquest - NoCD.exe Crack.exe
Apache AH-64 Air Assault - NoCD.exe Crack.exe
Battlefield 1942 The Road to Rome - NoCD.exe Crack.exe
Battlefield Vietnam - NoCD.exe Crack.exe
BitDefender Keygen.exe
Borland KeyGens.exe
Bridge Baron 13 NoCD.exe Crack.exe
BurnDvds.exe
Cisco Certification Test.exe
Command and Conquer Generals NoCD.exe Crack.exe
Counter-Strike, Condition Zero - Activation Key.exe
Counterstrike aim hack.exe
Counterstrike hacks.exe
Crack McAfee 7.exe
Crack Norton 3000.exe
Deus Ex - NoCD.exe Crack.exe
Diablo 2 map hack.exe
Diablo 2 no-cd hack.exe
Divx Pro 5.1 Serial.exe
Doom 3 - NoCD.exe Crack.exe
Dvd Plus Crack.exe
Dvd Ripper.exe
Dvd To Vcd.exe
Dvd Wizard Pro Crack.exe
Dvd Xcopy Crack.exe
DvdCopyOne Crack.exe
DvdToVcd Crack.exe
EZ Dvd Ripper.exe
Easy Dvd Ripper.exe
Easy Dvd creator Crack.exe
Eonix Realm Of Hepmia - NoCD.exe Crack.exe
Fetish Fighters - NoCD.exe Crack.exe
Forbidden Siren - NoCD.exe Crack.exe
Freelancer - NoCD.exe Crack.exe
Grom - NoCD.exe Crack.exe
Harry Potter and the Prisoner of Azkaban KeyGen and Serial.exe
Harry Potter und der Gefangene von Askaban NoCD.exe Crack.exe
I Was An Atomic Mutant - NoCD.exe Crack.exe
IGI-2 Covert Strike - NoCD.exe Crack.exe
Impossible Creatures - NoCD.exe Crack.exe
Information.exe
Ipswich Town Official Management Game - NoCD.exe Crack.exe
Jamella´s Diablo 2 hero editor.exe
Kazaa all Crack.exe
MP3 encoder decoder V1.8.exe
MSCE Certification Test.exe
Microsoft Windows XP Professional Keygen.exe
Nascar Racing 2003 Season NoCD.exe Crack.exe
Nero Burning ROM v6.3 Ultra - Enterprise edition key.exe
Nero Burning Rom Crack.exe
Nimo Codec Pack Updater.exe
Nod32 Crack.exe
Norton AntiVirus 2004 Pro Activation Key & Serial.exe
Norton AntiVirus 2005 Serial.exe
Norton Internet Security 2004 Keygen & Serial.exe
Norton Internet Security 2004 Pro Serial.exe
Norton Internet Security 2005 Pro Serial.exe
Office XP Universal Crack.exe
PANDA.AVers.lusers.exe
PANDA.lusers.exe
Private Nurse - NoCD.exe Crack.exe
Robot Arena Design And Destroy - NoCD.exe Crack.exe
Ruby14.exe
Serious Sam - Gold Edition - NoCD.exe Crack.exe
Shadow of Memories - NoCD.exe Crack.exe
Shrek 2 Serial.exe Crack.exe
Sim City 4 - NoCD.exe Crack.exe
Slot City 3 NoCD.exe Crack.exe
SophosCrackAllVersion.exe
Spellforce - Breath of Winter Crack.exe
Spider-Man 2 Crack.exe
Starcraft + Broodwar 1.10 map hack.exe
Starcraft + Broodwar 1.10 no-cd hack.exe
Symantec Antivirus 2005 Serial.exe
Symantec Internet Secutiy 2005 Serial.exe
Test Drive - NoCD.exe Crack.exe
The Campaigns of La Grande Armee - NoCD.exe Crack.exe
The Emperors Mahjong - NoCD.exe Crack.exe
The Frozen Throne map hack.exe
Tom Clancys Splinter Cell - NoCD.exe Crack.exe
Tombstone 1882 - NoCD.exe Crack.exe
Unreal II The Awakening - NoCD.exe Crack.exe
Warcraft 3 Frozen Throne cd-cd hack.exe
Warcraft 3 Frozen Throne map hack.exe
Warcraft 3 map hack.exe
Warcraft 3 no-cd hack.exe
Warcraft 3 stat hack.exe
WinACE Crack.exe
WinRAR 3 Crack.exe
WinZIP 9 Crack.exe
Windows Nt Certification Test.exe
Windows Server 2003 Crack.exe
World Of Outlaws Sprint Car Racing 2002 - NoCD.exe Crack.exe
XBOX X-Fer Ripper and Transfer.exe
Xvid Codec Installer.exe
Zone Alarm 5.0 pro Serial.exe
ebay.exe
icqbomber.exe
internet.exe
provider.exe
visa.exe
After a short delay, W32/Fightrub-A will search drives C:, D: and E: for files with the extensions WAB, DBX, MBX, MBOX, TBB, EML, MAI, HTM, SHT, TXT, DOC and RTF and extract email addresses from these files.
The worm will use the extracted email addresses as both the From: and To: addresses in emails that it sends.
The emails sent will have one of the following characteristics:
Subject:
Message Text:
Attached File: Information.exe
Subject: EBAY Information
Message Text: EBAY Installer...
Attached File: EBAY.exe
Subject: VISA Information
Message Text: Security Tool...
Attached File: VISA.exe
Subject: Provider Information
Message Text: New account data...
Attached File: PROVIDER.EXE
Subject: Your Crack
Message Text: Here is your crack!
With an attached file of either one of those created earlier, or one of the
following game names followed by 'Crack.exe', 'NoCD.exe', 'Serial.exe' or
'Keygen.exe':
Ipswich Town Official Management Game -
American Conquest -
Grom -
Eonix Realm Of Hepmia -
I Was An Atomic Mutant -
Fetish Fighters -
Battlefield 1942 The Road to Rome -
The Campaigns of La Grande Armee -
Unreal II The Awakening -
The Emperors Mahjong -
Sim City 4 -
Private Nurse -
Impossible Creatures -
Test Drive -
Shadow of Memories -
World Of Outlaws Sprint Car Racing 2002 -
Tombstone 1882 -
Airport Tycoon II -
Apache AH-64 Air Assault -
Serious Sam - Gold Edition -
IGI-2 Covert Strike -
Tom Clancys Splinter Cell -
Robot Arena Design And Destroy -
Freelancer -
Battlefield Vietnam -
Deus Ex -
Forbidden Siren -
Doom 3 -
Spider-Man 2
Spellforce - Breath of Winter
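As an added example (not part of the original Sophos description), the message templates listed above can be turned into a mail-filter check built on Python's standard email package. The function names and the sample messages are assumptions constructed for illustration; the subjects and attachment names are those listed above.

```python
from email.message import EmailMessage

# Subject -> attachment name pairs from the description (compared in lower case).
FIXED = {
    "ebay information": "ebay.exe",
    "visa information": "visa.exe",
    "provider information": "provider.exe",
}

def fightrub_match(msg):
    """Return the reason a message matches a described template, or None."""
    subject = (msg["Subject"] or "").strip().lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if FIXED.get(subject) == name:
            return f"fixed template: {subject} + {name}"
        # Every attachment listed for "Your Crack" is an .exe file.
        if subject == "your crack" and name.endswith(".exe"):
            return f"crack template: {name}"
        # No subject is listed for this variant, so only the name is checked.
        if name == "information.exe":
            return "attachment information.exe"
    return None

def build(subject, body, attachment=None):
    """Build a sample message (constructed test data, not captured mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "recipient@example.test"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m

SAMPLES = [
    build("EBAY Information", "EBAY Installer...", "EBAY.exe"),
    build("Your Crack", "Here is your crack!", "Doom 3 - NoCD.exe"),
    build("", "", "Information.exe"),
    build("VISA Information", "Quarterly statement", "statement.pdf"),
    build("Your Crack", "No attachment here"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(str(sample["Subject"])), "->", fightrub_match(sample))
```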
W32/Fightrub-A will attempt to terminate the following processes:
Additionally, W32/Fightrub-A will attempt to remove the following services:
