Sophos

W32/Igloo-15

Aliases
  • Backdoor.Igloo.15.b
  • Win32/BearBritney.A
  • WORM_GOOL.A
  • Kazoa.C
Type
  • worm

Summary

Detected by all Sophos products:
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for disinfecting PE executables.

Please read the instructions for removing worms.

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EXPLORER
= %System%\EXPLORER.EXE

and delete it if it exists.

You may also wish to delete the reference to www.crash.com in this entry:

HKCU\Software\Microsoft\Internet Explorer\Main\RegisteredOrganization
= http://www.crash.com

Close the registry editor.

If you wish to continue using Kazaa you should uninstall and reinstall it, and confirm afterwards that the HKCU\Software\Kazaa\LocalContent entries described below no longer share %Windows%\sys32.

More Information

W32/Igloo-15 is a backdoor Trojan and internet worm which spreads via file sharing on KaZaA networks and via IRC channels.

When first run, W32/Igloo-15 copies itself to the Windows System folder as Explorer.exe and RealWayToHack.exe and creates the following registry entry so that its Explorer.exe is run automatically each time Windows is started (note that the genuine Windows shell is %Windows%\Explorer.exe, not %System%\Explorer.exe; the worm's copy relies on that similarity to pass unnoticed):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EXPLORER
= %System%\EXPLORER.EXE

W32/Igloo-15 runs continuously in the background and listens on a network port for connections from a remote client program, allowing the remote user to gain access to and control over the computer.

The worm creates the folder %Windows%\Sys32 and copies itself to this folder using the filenames:

AdvZip Recovery.jpg.exe
AIM Pass stealer.jpg.exe
aimcracker.jpg.exe
aimhacker.jpg.exe
AMI BIOS Cracker.jpg.exe
anastasia_anal.jpg.exe
anastasia_naked.jpg.exe
anastasia_nude.jpg.exe
Autocad 2002 Crack.jpg.exe
Britney.jpg.exe
buttman.jpg.exe
catherine_zeta_jones_anal.jpg.exe
catherine_zeta_jones_naked.jpg.exe
catherine_zeta_jones_nude.jpg.exe
Counter Strike_CD_Keygen.jpg.exe
Delphi 5 Keygen.jpg.exe
Delphi 6 Keygen.jpg.exe
divx_fix.jpg.exe
divx_repair.jpg.exe
edonkey_serverlist.jpg.exe
ftp_cracker.jpg.exe
ftp_hacker.jpg.exe
Half_life Cd keygen.jpg.exe
host_faker.jpg.exe
host_spoofer.jpg.exe
Hotmail Hacker.jpg.exe
hotmail_account_sniffer.jpg.exe
hotmailcracker.jpg.exe
hotmailhacker.jpg.exe
ICQ_Hackingtools.jpg.exe
icqcracker.jpg.exe
icqhacker.jpg.exe
ident_faker.jpg.exe
ident_spoofer.jpg.exe
IIS_shellbind_exploit.jpg.exe
invisible_IP.jpg.exe
ip_faker.jpg.exe
ip_spoofer.jpg.exe
kazaa.jpg.exe
kmd151_en.jpg.exe
kmd152_en.jpg.exe
kmd153_en.jpg.exe
kmd154_en.jpg.exe
kmd155_en.jpg.exe
kmd156_en.jpg.exe
kmd157_en.jpg.exe
kmd158_en.jpg.exe
kmd159_en.jpg.exe
kmd160_en.jpg.exe
kmd161_en.jpg.exe
kmd162_en.jpg.exe
kmd163_en.jpg.exe
kmd164_en.jpg.exe
kmd165_en.jpg.exe
kmd166_en.jpg.exe
kmd167_en.jpg.exe
kmd168_en.jpg.exe
kmd200_en.jpg.exe
kmd201_en.jpg.exe
kmd202_en.jpg.exe
linux_root.jpg.exe
Linux_rootaccess.jpg.exe
msn_IP_finder.jpg.exe
msncracker.jpg.exe
msnhacker.jpg.exe
Office key Gen.jpg.exe
Office XP Crack.jpg.exe
OfficeXP_Keygen.jpg.exe
pamela_anderson_anal.jpg.exe
pamela_anderson_naked.jpg.exe
pamela_anderson_nude.jpg.exe
porn_account_cracker.jpg.exe
porn_account_hacker.jpg.exe
PS1 BootCD.jpg.exe
PS2 BootCD.jpg.exe
PS2_emulator_bleem.jpg.exe
sandra_bullock_naked.jpg.exe
sandra_bullock_nude.jpg.exe
sarah_michelle_gellar_naked.jpg.exe
sarah_michelle_gellar_nude.jpg.exe
shakira_anal.jpg.exe
shakira_assfucked.jpg.exe
shakira_naked.jpg.exe
shakira_nude.jpg.exe
shakira_paparazzi_collection.jpg.exe
Sub7_masterpwd.jpg.exe
tripod_cracker.jpg.exe
tripod_hacker.jpg.exe
win2k_pass_decryptor.jpg.exe
Win2k_reboot_exploit.jpg.exe
win2k_serial.jpg.exe
Windows_Keygen_allver.jpg.exe
winxp_crack.jpg.exe
winxp_cracker.jpg.exe
winxp_hacker.jpg.exe
WinXP_Keygen.jpg.exe
winxphack.jpg.exe
Winzip_Pass_Cracker.jpg.exe
Word_Pass_Cracker.jpg.exe
xbox_emulator_beta.jpg.exe
XP DVD Plugin.jpg.exe
XP ScreenSaver.jpg.exe
XP_Box_emulator.jpg.exe
XP_keygen.jpg.exe
yahoo_cracker.jpg.exe
yahoo_hacker.jpg.exe
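Every name in the list above follows the same pattern: a lure (a celebrity picture, a crack, a keygen, a Kazaa installer) with a decoy .jpg extension in front of the real .exe, so that a Kazaa search result, or an Explorer window with the default "Hide extensions for known file types" setting, shows only "Britney.jpg". The following is an added example, not code from the original page or from Sophos, that flags such double-extension files in a listing or a folder. It generalises beyond the worm's .jpg.exe names to other decoy and executable extensions; the sample listing and the extension sets are constructed for the example.

```python
"""Flag double-extension lure files like the ones W32/Igloo-15 drops into its sys32 folder."""
import os
from typing import Iterable, List

# Extensions Windows will execute when double-clicked (assumed set for the example).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Harmless-looking extensions a lure puts in front of the executable one.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".png", ".avi", ".mpg", ".mp3",
              ".wav", ".zip", ".txt", ".doc", ".pdf", ".htm", ".html"}


def is_double_extension_lure(name: str) -> bool:
    """True for names such as 'Britney.jpg.exe': the last extension runs code,
    the one before it is a decoy the victim expects to see."""
    root, ext = os.path.splitext(name)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, decoy = os.path.splitext(root)
    return decoy.lower() in DECOY_EXTS


def displayed_name(name: str) -> str:
    """Approximate what Explorer shows with 'Hide extensions for known file types'
    switched on (the default): the final registered extension is hidden, so
    'Britney.jpg.exe' is listed as 'Britney.jpg'. Assumption: every extension in
    the two sets above counts as a known type."""
    root, ext = os.path.splitext(name)
    return root if ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS else name


def scan_names(names: Iterable[str]) -> List[str]:
    """Return the lure file names from a listing, in the order given."""
    return [n for n in names if is_double_extension_lure(n)]


def scan_directory(path: str) -> List[str]:
    """Walk a real folder (for example the folder a P2P client shares) and
    return the full paths of lure files found under it."""
    hits = []
    for dirpath, _, filenames in os.walk(path):
        hits.extend(os.path.join(dirpath, n) for n in scan_names(filenames))
    return hits


# Constructed listing: three names from the worm's list, benign files, and a
# non-JPEG lure (report.pdf.exe) to show the check is not tied to .jpg.
SAMPLE_LISTING = [
    "Britney.jpg.exe",
    "kmd151_en.jpg.exe",
    "holiday.jpg",
    "setup.exe",
    "Sub7_masterpwd.jpg.exe",
    "archive.tar.gz",
    "report.pdf.exe",
    "notes.txt",
]

if __name__ == "__main__":
    for n in scan_names(SAMPLE_LISTING):
        print(f"{n:28s} shown to the user as: {displayed_name(n)}")
```

Run `scan_directory` against the share folder of any P2P client on a machine you are checking; a hit is not proof of infection on its own, but a file whose visible name ends in .jpg and whose real extension is .exe has no legitimate reason to be in a shared folder.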

The worm makes the folder %Windows%\sys32 shareable on KaZaA networks by setting the following registry entries:

HKCU\Software\Kazaa\LocalContent\dir0 = 012345:%Windows%\sys32
HKCU\Software\Kazaa\LocalContent\dir1 = 012345:%Windows%\sys32
HKCU\Software\Kazaa\LocalContent\dir2 = 012345:%Windows%\sys32
HKCU\Software\Kazaa\LocalContent\dir3 = 012345:%Windows%\sys32
HKCU\Software\Kazaa\LocalContent\dir4 = 012345:%Windows%\sys32
HKCU\Software\Kazaa\LocalContent\dir5 = 012345:%Windows%\sys32
HKCU\Software\Kazaa\LocalContent\DisableSharing = 0
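The Action section above tells you to export the registry before editing it; that export is also a convenient place to check for every change this worm makes (the Run\EXPLORER autostart, the www.crash.com marker, and the KaZaA LocalContent entries just listed) without touching the live registry. The following is an added example, not code from the original page or from Sophos, that parses a Regedit export and reports those entries. The sample export is constructed: the expanded paths (C:\WINDOWS\System32, C:\WINDOWS\sys32) and the benign neighbouring values are assumptions for the example.

```python
"""Scan a Regedit 'Export Registry File' backup for the W32/Igloo-15 registry changes."""
import re
from typing import Dict, List, Tuple

# Constructed sample export from an infected machine (paths are assumptions).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"EXPLORER"="C:\\WINDOWS\\System32\\EXPLORER.EXE"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"RegisteredOrganization"="http://www.crash.com"
"Start Page"="about:blank"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"dir0"="012345:C:\\WINDOWS\\sys32"
"dir1"="012345:C:\\WINDOWS\\sys32"
"dir2"="012345:C:\\Program Files\\Kazaa\\My Shared Folder"
"DisableSharing"=dword:00000000
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
KAZAA_KEY = r"HKEY_CURRENT_USER\Software\Kazaa\LocalContent"

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {key_path: {value_name: data}}. Quoted strings are
    unescaped and dword: values become ints; default (@=) values and other types
    are skipped. Real exports are UTF-16: open them with encoding='utf-16'."""
    reg: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            reg[current][m.group("name")] = data
    return reg


def _values(reg, key):
    """Key paths are case-insensitive in the registry; look one up accordingly."""
    return next((v for k, v in reg.items() if k.lower() == key.lower()), {})


def _value(values, name):
    """Value names are case-insensitive too."""
    return next((v for k, v in values.items() if k.lower() == name.lower()), None)


def find_igloo_indicators(reg) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, reason) for each entry matching the worm's changes."""
    hits = []
    for name, data in _values(reg, RUN_KEY).items():
        # Winlogon starts the real shell; it never appears under Run, so any Run
        # value launching an explorer.exe is suspect (the worm's lives in %System%).
        if isinstance(data, str) and data.strip('"').lower().endswith("\\explorer.exe"):
            hits.append((RUN_KEY, name, f"autostart of {data}"))

    org = _value(_values(reg, IE_MAIN_KEY), "RegisteredOrganization")
    if isinstance(org, str) and "crash.com" in org.lower():
        hits.append((IE_MAIN_KEY, "RegisteredOrganization", f"infection marker {org}"))

    kazaa = _values(reg, KAZAA_KEY)
    for name, data in kazaa.items():
        # LocalContent dirN values are "<flags>:<path>"; the worm points them at sys32.
        if name.lower().startswith("dir") and isinstance(data, str):
            path = data.split(":", 1)[1] if ":" in data else data
            if path.lower().rstrip("\\").endswith("\\sys32"):
                hits.append((KAZAA_KEY, name, f"shares {path} on KaZaA"))
    if any(h[0] == KAZAA_KEY for h in hits) and _value(kazaa, "DisableSharing") == 0:
        hits.append((KAZAA_KEY, "DisableSharing", "sharing forced on"))
    return hits


if __name__ == "__main__":
    for key, name, reason in find_igloo_indicators(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name}: {reason}")
```

Each reported value is one you delete by hand in Regedit as the Action section describes (the Run\EXPLORER value being the mandatory one on Windows NT/2000/XP); the dir2 entry pointing at Kazaa's own shared folder is left alone, which is the discrimination a blanket "delete LocalContent" would lose.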

W32/Igloo-15 also drops and runs %System%\Explorer.vbs, which infects the mIRC initialisation file mirc.ini.

Each time mIRC is started the modified mirc.ini is loaded automatically, and its script sends the worm to any user who joins a channel the infected user is in.
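The page does not quote the script lines the worm adds, but the mechanism it describes, a remote event on JOIN that pushes a file to the joining user, has a recognisable shape in mIRC scripting: `on <level>:JOIN:<channels>:/dcc send $nick <file>`. The following is an added example, not code from the original page or from Sophos, that scans a mirc.ini (and lists the script files it loads through [rfiles]) for JOIN handlers that send or run something. The sample mirc.ini is constructed, and its [script] lines are an assumption about what an infected file looks like, not the worm's actual script.

```python
"""Find mIRC script lines that auto-send a file to anyone joining a channel."""
import re

# Constructed mirc.ini. The [script] section is an assumed example of a
# worm-modified file; the page does not quote the injected script.
SAMPLE_MIRC_INI = r"""[mirc]
nick=someone
user=someone
[rfiles]
n0=script.ini
n1=explorer.ini
[script]
n0=on 1:JOIN:#:/dcc send $nick C:\WINDOWS\System32\Explorer.exe
n1=on 1:TEXT:hello*:#:/msg $nick hi there
n2=ctcp 1:PING:/ctcpreply $nick PING $2
"""

# mIRC remote event: "on <level>:<EVENT>:<matchtext>:<channels>:<commands>"
_EVENT_RE = re.compile(r"^(on|ctcp)\s+[^:]+:(?P<event>[A-Za-z]+):(?P<rest>.*)$", re.IGNORECASE)
# Commands that push a file to the other side or run a program locally.
_SEND_RE = re.compile(r"\b(dcc\s+send|run|exec)\b", re.IGNORECASE)


def parse_ini(text):
    """Minimal INI parser: {section_lower: {key: value}}; ';' lines are comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def find_autosend_scripts(sections):
    """Return (section, key, line) for every JOIN handler that sends or runs something.
    Other events (TEXT, PING) and JOIN handlers that only /msg are left alone."""
    hits = []
    for section, entries in sections.items():
        for key, value in entries.items():
            m = _EVENT_RE.match(value)
            if m and m.group("event").upper() == "JOIN" and _SEND_RE.search(m.group("rest")):
                hits.append((section, key, value))
    return hits


def referenced_scripts(sections):
    """Script files mirc.ini loads at start-up ([rfiles] n0, n1, ...); each of
    them deserves the same scan, since a worm can add its own file there."""
    return [v for k, v in sorted(sections.get("rfiles", {}).items()) if k.startswith("n")]


if __name__ == "__main__":
    ini = parse_ini(SAMPLE_MIRC_INI)
    for section, key, line in find_autosend_scripts(ini):
        print(f"[{section}] {key}: {line}")
    print("script files to check as well:", referenced_scripts(ini))
```

When cleaning a real installation, run the same scan over every file that `referenced_scripts` returns, then remove the offending handler lines or restore the files from a known-good copy; the page's removal instructions for the dropped executables still apply, since the script only spreads what Explorer.exe in %System% already provides.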

W32/Igloo-15 may terminate selected anti-virus or firewall applications and also sets the following registry entry:

HKCU\Software\Microsoft\Internet Explorer\Main\RegisteredOrganization
= http://www.crash.com
