Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 24 September 2004 07:56:34 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Ruby13 = c:\sysnet\Ruby13.exe
and delete it if it exists.
Close the registry editor.
More Information
W32/Mexer-E is a peer-to-peer and email worm for the Windows platform.
When first run, W32/Mexer-E creates a folder called sysnet and copies itself to the new folder using the filename RUBY13.EXE. In order to run on system startup, the worm creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Ruby13 = c:\sysnet\Ruby13.exe
The worm then creates numerous copies of itself in the sysnet folder with the following filenames:
A+ Certification Test.exe
Adobe Photoshop CS and ImageReady CS 8.0 Keygen.exe
Airport Tycoon II - NoCD.exe Crack.exe
All Adobe Products Keygen.exe
All Macromedia Products Keygen.exe
All Microsoft Products Keygen.exe
American Conquest - NoCD.exe Crack.exe
Apache AH-64 Air Assault - NoCD.exe Crack.exe
Battlefield 1942 The Road to Rome - NoCD.exe Crack.exe
Battlefield Vietnam - NoCD.exe Crack.exe
BitDefender Keygen.exe
Borland KeyGens.exe
Bridge Baron 13 NoCD.exe Crack.exe
BurnDvds.exe
Cisco Certification Test.exe
Command and Conquer Generals NoCD.exe Crack.exe
Counter-Strike, Condition Zero - Activation Key.exe
Counterstrike aim hack.exe
Counterstrike hacks.exe
Crack McAfee 7.exe
Crack Norton 3000.exe
Deus Ex - NoCD.exe Crack.exe
Diablo 2 map hack.exe
Diablo 2 no-cd hack.exe
Divx Pro 5.1 Serial.exe
Doom 3 - NoCD.exe Crack.exe
Dvd Plus Crack.exe
Dvd Ripper.exe
Dvd To Vcd.exe
Dvd Wizard Pro Crack.exe
Dvd Xcopy Crack.exe
DvdCopyOne Crack.exe
DvdToVcd Crack.exe
EZ Dvd Ripper.exe
Easy Dvd Ripper.exe
Easy Dvd creator Crack.exe
Eonix Realm Of Hepmia - NoCD.exe Crack.exe
Fetish Fighters - NoCD.exe Crack.exe
Forbidden Siren - NoCD.exe Crack.exe
Freelancer - NoCD.exe Crack.exe
Grom - NoCD.exe Crack.exe
Harry Potter and the Prisoner of Azkaban KeyGen and Serial.exe
Harry Potter und der Gefangene von Askaban NoCD.exe Crack.exe
I Was An Atomic Mutant - NoCD.exe Crack.exe
IGI-2 Covert Strike - NoCD.exe Crack.exe
Impossible Creatures - NoCD.exe Crack.exe
Information.exe
Ipswich Town Official Management Game - NoCD.exe Crack.exe
Jamella´s Diablo 2 hero editor.exe
Kazaa all Crack.exe
MP3 encoder decoder V1.8.exe
MSCE Certification Test.exe
Microsoft Windows XP Professional Keygen.exe
Nascar Racing 2003 Season NoCD.exe Crack.exe
Nero Burning ROM v6.3 Ultra - Enterprise edition key.exe
Nero Burning Rom Crack.exe
Nimo Codec Pack Updater.exe
Nod32 Crack.exe
Norton AntiVirus 2004 Pro Activation Key & Serial.exe
Norton AntiVirus 2005 Serial.exe
Norton Internet Security 2004 Keygen & Serial.exe
Norton Internet Security 2004 Pro Serial.exe
Norton Internet Security 2005 Pro Serial.exe
Office XP Universal Crack.exe
PANDA.AVers.lusers.exe
PANDA.lusers.exe
Private Nurse - NoCD.exe Crack.exe
Robot Arena Design And Destroy - NoCD.exe Crack.exe
Ruby13.exe
Serious Sam - Gold Edition - NoCD.exe Crack.exe
Shadow of Memories - NoCD.exe Crack.exe
Shrek 2 Serial.exe Crack.exe
Sim City 4 - NoCD.exe Crack.exe
Slot City 3 NoCD.exe Crack.exe
SophosCrackAllVersion.exe
Spellforce - Breath of Winter Crack.exe
Spider-Man 2 Crack.exe
Starcraft + Broodwar 1.10 map hack.exe
Starcraft + Broodwar 1.10 no-cd hack.exe
Symantec Antivirus 2005 Serial.exe
Symantec Internet Secutiy 2005 Serial.exe
Test Drive - NoCD.exe Crack.exe
The Campaigns of La Grande Armee - NoCD.exe Crack.exe
The Emperors Mahjong - NoCD.exe Crack.exe
The Frozen Throne map hack.exe
Tom Clancys Splinter Cell - NoCD.exe Crack.exe
Tombstone 1882 - NoCD.exe Crack.exe
Unreal II The Awakening - NoCD.exe Crack.exe
Warcraft 3 Frozen Throne cd-cd hack.exe
Warcraft 3 Frozen Throne map hack.exe
Warcraft 3 map hack.exe
Warcraft 3 no-cd hack.exe
Warcraft 3 stat hack.exe
WinACE Crack.exe
WinRAR 3 Crack.exe
WinZIP 9 Crack.exe
Windows Nt Certification Test.exe
Windows Server 2003 Crack.exe
World Of Outlaws Sprint Car Racing 2002 - NoCD.exe Crack.exe
XBOX X-Fer Ripper and Transfer.exe
Xvid Codec Installer.exe
Zone Alarm 5.0 pro Serial.exe
ebay.exe
icqbomber.exe
internet.exe
provider.exe
visa.exe
The worm then shares the sysnet folder by altering registry entries for the P2P applications Kazaa and iMesh. The created or modified registry entries are:
HKCU\Software\Kazaa\LocalContent\
dir0 = "012345:c:\\sysnet\\"
HKCU\Software\Kazaa\Transfer\
dir0 = "012345:c:\\sysnet\\"
HKCU\Software\iMesh\Client\LocalContent\
Dir0 = "012345:c:\\sysnet\\"
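A read-only PowerShell check for the Run entry from the removal steps, the Kazaa and iMesh share entries, and the sysnet folder described above. This is an added example, not part of the original write-up; the function name, output shape and the Wow6432Node check are assumptions of this example, and Get-FileHash requires PowerShell 4.0 or later.

```powershell
# Added example: read-only check for the W32/Mexer-E artifacts named on this page.
# Registry paths, value names and C:\sysnet come from the page; everything else
# (function name, output shape, the Wow6432Node check) is this example's own.

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$run = 'Microsoft\Windows\CurrentVersion\Run'
$checks = @(
    @{ Key = "HKLM:\Software\$run";             Name = 'Ruby13'; Match = 'sysnet' }
    # Not on the page: the 32-bit registry view on 64-bit Windows.
    @{ Key = "HKLM:\Software\Wow6432Node\$run"; Name = 'Ruby13'; Match = 'sysnet' }
    # HKCU covers only the account running the script; repeat per user profile.
    @{ Key = 'HKCU:\Software\Kazaa\LocalContent';        Name = 'dir0'; Match = 'sysnet' }
    @{ Key = 'HKCU:\Software\Kazaa\Transfer';            Name = 'dir0'; Match = 'sysnet' }
    @{ Key = 'HKCU:\Software\iMesh\Client\LocalContent'; Name = 'Dir0'; Match = 'sysnet' }
)

# Flag a value only when it exists and its data points at the sysnet folder.
$findings = @(foreach ($c in $checks) {
    $data = Get-RegValue -Key $c.Key -Name $c.Name
    if ($null -ne $data -and "$data" -match $c.Match) {
        [pscustomobject]@{ Kind = 'Registry'; Item = "$($c.Key)\$($c.Name)"; Detail = "$data" }
    }
})

# The drop folder: hash every executable so that copies of one file stored
# under different lure names collapse into a single group.
$dir = 'C:\sysnet'
if (Test-Path -LiteralPath $dir) {
    $findings += @(Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -Force |
        Get-FileHash -Algorithm SHA256 |
        Group-Object -Property Hash |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Files'; Item = $_.Name; Detail = "$($_.Count) file(s) in $dir" }
        })
}

$findings | Format-Table -AutoSize -Wrap
if ($findings.Count -eq 0) { 'No W32/Mexer-E artifacts from this page were found.' }
```

Once the registry has been backed up as described under Action, the Run value can be deleted with `Remove-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name Ruby13`.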
W32/Mexer-E also harvests email addresses from files with the following file extensions:
.RTF .DOC .TXT .SHT .HTM .DBX .WAB
The worm sends itself as an attachment to all email addresses found except those containing the following:
supp
webm
viru
newv
kasp
micr
root
admi
host
The email uses one of the following subject lines:
EBAY Information
VISA Information
Provider Information
Your Crack
Internet Information
EBAY Installer...
Security Tool...
Here is your crack!
New account data...
