Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 15 March 2006 05:32:25 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Nafbot-A is a worm for the Windows platform.
W32/Nafbot-A spreads via file sharing on P2P networks and to other network
computers.
When first run, W32/Nafbot-A copies itself to:
\autoexec.bat
\autoexec.cam
\sex.scr
\sys_recover.pif
<Windows>\Jwintask.com
<Windows>\services.exe
<Windows>\temper\services.exe
and creates the file <Windows>\ouch55.txt. The file ouch55.txt is harmless and
may be safely deleted.
W32/Nafbot-A may also attempt to copy itself into the Shared Folder of many
peer to peer programs such as KaZaa.
W32/Nafbot-A will attempt to spread to network drives and to the machine's
floppy drive.
W32/Nafbot-A may modify the HOSTS file located at <System>\Drivers\etc\HOSTS,
mapping selected websites to the loopback address 127.0.0.1 in an attempt to
prevent access to these sites.
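A check for this HOSTS tampering, as an added example that is not Sophos code: it parses HOSTS-format text, reports security-vendor and update names mapped to a loopback address, and produces a cleaned copy. The function names, the suffix watchlist and the sample input are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watchlist: security-vendor and update domains, reduced to suffixes.
WATCHED_SUFFIXES = ("symantec.com", "symantecliveupdate.com", "mcafee.com",
                    "nai.com", "f-secure.com", "my-etrust.com",
                    "sophos.com", "microsoft.com")

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback   # 127.0.0.0/8 and ::1
    except ValueError:
        return False

def watched(host, suffixes):
    # Match on a label boundary so "notsophos.com" is not treated as sophos.com.
    return any(host == s or host.endswith("." + s) for s in suffixes)

def find_blocked_hosts(hosts_text, suffixes=WATCHED_SUFFIXES):
    """Return (line_no, hostname) for watched names mapped to loopback."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()        # drop comments
        if len(fields) < 2 or not is_loopback(fields[0]):
            continue
        for name in fields[1:]:                      # a line may hold aliases
            host = name.lower().rstrip(".")
            if watched(host, suffixes):
                findings.append((line_no, host))
    return findings

def clean_hosts(hosts_text, suffixes=WATCHED_SUFFIXES):
    """Return the text with flagged names removed and everything else kept."""
    flagged = {}
    for line_no, host in find_blocked_hosts(hosts_text, suffixes):
        flagged.setdefault(line_no, set()).add(host)
    kept = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        if line_no not in flagged:
            kept.append(raw)
            continue
        body, sep, comment = raw.partition("#")
        addr, *names = body.split()
        names = [n for n in names if n.lower().rstrip(".") not in flagged[line_no]]
        if names:                                    # keep unflagged aliases
            kept.append(" ".join([addr, *names]) + (" #" + comment if sep else ""))
    return "\n".join(kept) + "\n"

SAMPLE_HOSTS = (                                     # constructed sample
    "127.0.0.1 localhost\n"
    "127.0.0.1\twww.sophos.com sophos.com  # two names on one line\n"
    "::1 liveupdate.symantec.com\n"
    "# 127.0.0.1 www.mcafee.com\n"
    "192.0.2.10 www.microsoft.com\n")
```

Only loopback mappings are flagged; a watched name pointed at some other address is left for separate review.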
The following registry entries are created to run W32/Nafbot-A on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
winsrv3
<Windows>\services.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
upDpacketo
<Windows>\TEMPER\services.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wintask32
<Windows>\Jwintask.com

W32/Nafbot-A changes the Start Page for Microsoft Internet Explorer by setting
the registry entry:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
Registry entries are set as follows:

HKCU\Software\Microsoft\Windows NT\CurrentVersion
RegisteredOwner
Kyle Dunwin

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableChangePassword
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableLockWorkstation
0

