Sophos

Perl/Zoomen-A


Summary

How it spreads:
  • Email attachments
  • Peer-to-peer
Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Included in our products from: November 2004 (3.87)
Protection available since: 29 September 2004 07:53:18 (GMT)
Detected by: All Sophos products

More Information

Perl/Zoomen-A is an email and P2P worm and IRC backdoor Trojan for the Windows platform. It arrives on the computer as a zipped-up Perl script.

In order to run on system start, Perl/Zoomen-A creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Zen.A" = <path to worm>

Perl/Zoomen-A creates copies of itself in the following folders:

c:\My Shared Folder\
c:\My Downloads\

Several copies of the worm are created with the following names:

Helo Keygen.exe
Halflife Keygen.exe
Windows XP Keygen.exe
Halflife 2 Keygen.exe
Medal Of Honour Keygen.exe
Windows 2000 Keygen.exe
Windows SP2.exe

Perl/Zoomen-A harvests email addresses from the infected computer by searching through files with the following extensions:

txt
eml
doc
log
htm
php

The emails generated by Perl/Zoomen-A have the following characteristics:

[Subjects]

Amazon.com has successfully received payment of $120 for
"The Lord Of The Rings Trilogy"

Amazon.com account suspended for credit card fraud

Sophos Anti-Virus Automatic Scan Results (Infected)

Important New MicroSoft Secrity Patch

Haha! check this out

thought you might find this funny!

[From]

sales@amazon.com
abuse@amazon.com
support@sophos.com
support@microsoft.com
sara_xxx@yahoo.co.uk
amy23@hotmail.com

[Attachment filename]

Invoice.zip
Report.zip
patch.zip
mspatch.zip
hehehehe.zip
LOLOL.zip

[Body]

Dear Customer,
Your order for 'The Lord Of The Rings Trilogy' has successfully been made
and the cost of $120 has been taken from your account. Your items should be
delivered within the next three days. Please view the attached PDF document
for further details.

Thank You For Your Custom
The Amazon Team
http://www.amazon.com

-OR-

Dear Customer,

You Amazon account has been suspended due to abuse. Investigations are
taking place regarding fraud that occurred 22/09/04. Either you or someone
with your credit card details has been purchasing items in mass to false
address'. For full details please see the attached documentation.

Please ensure your system has no trojans or virus' that could be logging your
passwords. We regret to inform you that your credit card will be black listed
until the investigation is complete. You may wish to inform your bank of such
an occurrence.

We hope to resolve the problem as soon as possible.
The Amazon Abuse Team

-OR-

Dear Customer,
We thank you for using our automatic virus scan. Periodically for the last
three weeks we have been scanning your ip address for virus'. In the past
four hours our scans have revealed you are infected with the 'Sasser/Perl'
virus. This virus causes your system resources to be used thus slowing down
the computer system.

Our intelligent scan has detected the 'Sasser/Perl' virus and provided a patch
attached with this email. This patch will permanently fix the hole in Windows
where the 'Sasser/Perl' worm got in and remove all traces of it from your
system. To install the patch double click on the attachment and then the
double click on the binary contained with-in the archive. After the patch is
installed your system should start to speed up, a system reboot is not
required.

The Sophos Anti-Virus Team
http://www.sophos.com",

-OR-

Dear Customer,
As you may have heard Microsoft have holes in their software which virus'
exploit. We have highly skilled staff working on these problems 24 / 7 and
are slowly making our operating system more secure by the day.
Your sytem is currently vulnerable to several bugs including the recently
discovered 'lsass.exe' remote execution of files. We are happy to announce
our new initiative to help make the internet a safer more resourceful place.
Attached is a patch suited to your system which will secure all the currently
known holes. We are highly grateful to you, the customer for helping make our
operating system and the internet a more friendly envrioment to work in and
around.
For installing the patch follow the steps below:
1: Double click on the attached file (below the subject line in outlook)
2: Depending on your Outlook setting you will get warned that the archive
could contain a virus. Usually you would use caution when opening a
file send by a stranger but this time proceed to open the file.
3: Once the archive is open, double click on the file named 'mspatch.exe'
4: This may take a moment to install, once installed your system will be
more optimised and safe from malicious hackers. After installation
a system reboot is NOT required.
Thank you for your time.
Microsoft Inc.

-OR-

hiya,
thought you might find this funny!

-OR-

hey,
Check this out lol
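The lure characteristics listed above (spoofed sender address, known subject line, and a .zip attachment with one of the listed names) can be combined into a mail-gateway triage check. The Python below is an added example, not Sophos code: the sample messages it builds are constructed, and the rule that a hit needs a zip attachment plus at least one of the other two signals is an assumption chosen to avoid firing on a single weak indicator.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Lure indicators as listed in the Sophos write-up for Perl/Zoomen-A.
ZOOMEN_SENDERS = {"sales@amazon.com", "abuse@amazon.com", "support@sophos.com",
                  "support@microsoft.com", "sara_xxx@yahoo.co.uk", "amy23@hotmail.com"}
ZOOMEN_ZIP_NAMES = {"invoice.zip", "report.zip", "patch.zip",
                    "mspatch.zip", "hehehehe.zip", "lolol.zip"}
ZOOMEN_SUBJECTS = (
    "amazon.com has successfully received payment",
    "amazon.com account suspended for credit card fraud",
    "sophos anti-virus automatic scan results",
    "important new microsoft secrity patch",  # misspelling is the worm's own
    "haha! check this out",
    "thought you might find this funny!",
)

def score_zoomen(raw: str) -> dict:
    """Match a raw RFC 822 message against Zoomen-A's lure pattern.
    Assumed rule: a .zip attachment plus a spoofed sender or known subject."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = " ".join(msg.get("Subject", "").lower().split())  # unfold header
    zips = [p.get_filename().lower() for p in msg.walk()
            if (p.get_filename() or "").lower().endswith(".zip")]
    hits = []
    if sender in ZOOMEN_SENDERS:
        hits.append("spoofed-sender")
    if any(s in subject for s in ZOOMEN_SUBJECTS):
        hits.append("known-subject")
    if any(z in ZOOMEN_ZIP_NAMES for z in zips):
        hits.append("known-zip-name")
    elif zips:
        hits.append("zip-attachment")
    match = bool(zips) and ("spoofed-sender" in hits or "known-subject" in hits)
    return {"match": match, "hits": hits}

def build_sample(sender: str, subject: str, attachment: str = "") -> str:
    """Constructed test message, not a real Zoomen-A sample."""
    m = EmailMessage()
    m["From"] = sender
    m["Subject"] = subject
    m.set_content("See attached.")
    if attachment:  # payload is just a ZIP local-file header signature
        m.add_attachment(b"PK\x03\x04", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_string()
```

Feed `score_zoomen` the raw text of each inbound message and quarantine on `match`; the `hits` list gives the analyst the reason for the verdict.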

Perl/Zoomen-A connects to a remote site and joins an IRC channel where it then awaits commands from a remote user.
