Sophos

W32/Synapse-A

Aliases
  • Worm.P2P.gen

Summary

 
Protection available since 27 February 2004 12:14:11 (GMT)
Detected by All Sophos products

More Information

Note: The information contained in this analysis may be considered offensive by some customers.

W32/Synapse-A is a peer-to-peer (P2P) and IRC worm which will copy itself into any shared folders.

The worm uses the following filenames which some users may consider offensive:

Ad-aware Keygen.exe
Ad-aware Patch.exe
Ad-aware Serial.txt.exe
Animal Groupsex Cow and Horse.avi.exe
Anna Kournikova Anal Fucking.avi.exe
Anna Nicole Smith Fucking.avi.exe
Beyonce NUDE fucking XXX.avi.exe
Black Horse Cumshot.jpg.exe
Britney Spears BlowJob.avi.exe
Britney Spears Toxic Nude.avi.exe
Brooke Burke Fucking.jpg.exe
Christina Aguilera Fucking.jpg.exe
Doom 3 Full Leaked.exe
Half Life 2 Full Leaked.exe
Half Life Crack.exe
Half Life WORKING multiplayer serial.txt.exe
Janet Jackson Naked 2004.avi.exe
Janet Jackson Nippleslip.jpg.exe
Janet Jackson Superbowl XXX.avi.exe
Jenna Jameson XXX Collection.exe
Jennifer Lopez Fucking Nude.jpg.exe
Jennifer Lopez Hot Beach Pic.jpg.exe
Jessica Simpson Hot fucking.jpg.exe
Pam Anderson Anal Hardcore.jpg.exe
Pam Anderson Naked.jpg.exe
Paris Hilton Fucking.jpg.exe
Paris Hilton Naked.avi.exe
Paris Hilton XXX Movie FULL.mpg.exe
Windows Longhorn Keygen.exe
Windows Longhorn Patch.exe
Windows Longhorn Serial.txt.exe

This worm will copy itself into the Windows System32 folder using the filenames NETCAT32.EXE and TASKMGR32.EXE. It will also drop the files ERROR404.HTM, HELP.HTM, REG32.VBS and REGEDIT32.BAT into the same folder.

W32/Synapse-A will also set the following registry entries so that it is executed every time that the computer restarts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TASKMGR = C:\<Windows System32>\<filename.EXE>

HKLM\Software\Kazaa\InstantMessaging\Ignoreall = 1

HKLM\Software\K++\KazaaStartPage = file://C:\<Windows System32>\HELP.HTM

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1

W32/Synapse-A may try to disable Task Manager, download some programs from a remote site and delete files with extensions TXT, DOC, EXE, COM, BAT, JPG, BMP, DLL and HLP from the computer.

This worm may also send emails to contacts found in the Windows Address Book with the following characteristics:
Subject line: Hey
Message text: Here is the file you wanted, srry it took some time. Ive been busy latly...

The worm will include a copy of itself as an executable attachment.
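
The file indicators described above can be checked against a directory listing. The following is an added example, not Sophos code: it flags the double-extension lure pattern (such as .avi.exe) and the dropped filenames when they appear in a System32 folder. The function names, the decoy-extension set (inferred from the filenames listed on this page) and the sample listing are assumptions; lure names with a single .exe extension are not covered.

```python
import ntpath

# Indicators taken from the description above.
DROPPED_IN_SYSTEM32 = {"NETCAT32.EXE", "TASKMGR32.EXE", "ERROR404.HTM",
                       "HELP.HTM", "REG32.VBS", "REGEDIT32.BAT"}
# Decoy extensions seen in the lure names on this page (.avi.exe, .jpg.exe, ...).
DECOY_EXTS = {".avi", ".jpg", ".mpg", ".txt"}
EXECUTABLE_EXTS = {".exe"}


def classify(path):
    """Return the reasons a Windows path matches the W32/Synapse-A write-up."""
    reasons = []
    folder, name = ntpath.split(path)
    stem, last_ext = ntpath.splitext(name)
    _, inner_ext = ntpath.splitext(stem)
    # Lure pattern: a media/text extension placed in front of the real .exe.
    if last_ext.lower() in EXECUTABLE_EXTS and inner_ext.lower() in DECOY_EXTS:
        reasons.append("double-extension")
    # The dropped names only count as indicators inside a System32 folder.
    if ntpath.basename(folder).lower() == "system32" and name.upper() in DROPPED_IN_SYSTEM32:
        reasons.append("dropped-file")
    return reasons


def scan(paths):
    """Map each matching path to its reasons; clean paths are omitted."""
    return {p: r for p in paths if (r := classify(p))}


# Constructed sample listing (not from a real host).
SAMPLE = [
    r"C:\Shared\Half Life WORKING multiplayer serial.txt.exe",
    r"C:\Shared\Paris Hilton Naked.avi.exe",
    r"C:\Shared\holiday.jpg",
    r"C:\Shared\setup.exe",
    r"C:\WINDOWS\System32\TASKMGR32.EXE",
    r"C:\WINDOWS\System32\taskmgr.exe",
    r"C:\Temp\HELP.HTM",
]

if __name__ == "__main__":
    for path, why in scan(SAMPLE).items():
        print(f"{', '.join(why):18} {path}")
```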
