Sophos

W32/Surnova-B


Summary

Included in our products from: September 2002 (3.61)
Detected by: All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Supernova

and delete it if it exists.

Close the registry editor.

More Information

W32/Surnova-B is a worm that spreads through the KaZaA file-sharing network and the MSN instant messenger utility. When run, the worm first copies itself to the Windows folder under one of the following filenames:

Alles-ist-vorbei.exe
Desktop-shooting.exe
Hello-Kitty.exe
BigMac.exe
Cheese-Burger.exe
Blaargh.exe

W32/Surnova-B sets the following registry entry to point to the new copy of the worm so that the file is run when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Supernova

When first executed, the worm displays the following fake error message:

"Application attempted to read memory at 0xFFFFFFFFh
Terminating application"

W32/Surnova-B queries the following registry entry for a folder that is shared across the KaZaA network:

HKLM\Software\KaZaA\LocalContent

If no value is found, the folder C:\<Windows>\Media is used instead. The worm then creates thirty-eight copies of itself in this folder with the following filenames:

Windows XP key generator.exe
Windows XP serial generator.exe
Key generator for all windows XP versions.exe
Warcraft 3 ONLINE key generator.exe
Half-life ONLINE key generator.exe
Quake 4 BETA.exe
Grand theft auto 3 CD1 crack.exe
GTA3 crack.exe
Battle.net key generator (WORKS!!).exe
Warcraft 3 battle.net serial generator.exe
Half-life WON key generator.exe
Star wars episode 2 downloader.exe
Winzip 8.0 + serial.exe
Winrar + crack.exe
Britney spears nude.exe
Macromedia MX key generator (all products).exe
KaZaA media desktop v2.0 UNOFFICIAL.exe
Microsoft key generator, works for ALL microsoft products!!.exe
Microsoft Windows XP crack pack.exe
Hack into any computer!!.exe
DivX codec v6.0.exe
DivX newest version.exe
DivX.exe
DivX pro key generator.exe
Key generator for over 1,000 applications (really!).exe
DivX patch - Increases quality.exe
KaZaA spyware remover.exe
Age of empires 2 crack.exe
Norton antivirus 2002.exe
Macromedia Dreamweaver MX Key Generator.exe
Macromedia Flash MX Key Generator.exe
Neverwinter nights crack.exe
Microsoft Office XP (english) key generator.exe
Microsoft Office XP.iso.exe
CloneCD + crack.exe
CloneCD all-versions key generator.exe
XBOX emulator (WORKS!!).exe
Gamecube Emulator (WORKS!!).exe
Xbox.info.exe

W32/Surnova-B will also attempt to send itself to contacts in the infected user's Messenger contact list. The worm will arrive with one of the following messages:

Hehe, check this out :-)
Funny, check it out (h)
LOL!! See this :D
LOL!! Check this out :)
Hehe, this is fun :-)

The worm also creates a text file in the Windows folder whose name consists of randomly generated digits. The text file contains the following text:

W32.Supernova - Ban religion
Patch the leaks or the ship will sink
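The indicators above (the Supernova Run value, the six dropper names in the Windows folder, the lure copies in the KaZaA shared folder and the digit-named marker file) can be checked for in one read-only triage pass. The script below is an added example, not Sophos code; it reports what it finds and removes nothing, so the removal steps above still apply. It assumes the KaZaA LocalContent entry holds string values naming shared folders; every other key, path and filename comes from this advisory.

```powershell
# Added example: read-only triage for W32/Surnova-B indicators named in the advisory.
function Find-SurnovaIndicators {
    $findings   = @()
    $windowsDir = $env:SystemRoot

    # 1. Persistence: Run value named "Supernova" pointing at the worm copy
    $run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Supernova']) {
        $findings += "Run value 'Supernova' -> $($run.Supernova)"
    }

    # 2. Initial copy dropped in the Windows folder under one of six fixed names
    $dropNames = 'Alles-ist-vorbei.exe', 'Desktop-shooting.exe', 'Hello-Kitty.exe',
                 'BigMac.exe', 'Cheese-Burger.exe', 'Blaargh.exe'
    foreach ($name in $dropNames) {
        $path = Join-Path $windowsDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) { $findings += "Dropped copy: $path" }
    }

    # 3. Shared folder(s): assumed to be string values under KaZaA\LocalContent that name
    #    existing directories; fall back to <Windows>\Media as the advisory describes
    $shared = @()
    $lc = Get-ItemProperty -Path 'HKLM:\Software\KaZaA\LocalContent' -ErrorAction SilentlyContinue
    if ($lc) {
        $shared = $lc.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [string] -and
                           (Test-Path -LiteralPath $_.Value -PathType Container) } |
            ForEach-Object { $_.Value }
    }
    if (-not $shared) { $shared = @(Join-Path $windowsDir 'Media') }

    # Heuristic: the 38 lure names share a few tokens (case-insensitive match)
    $lurePattern = 'key generator|serial|crack|WORKS!!|DivX'
    foreach ($dir in $shared) {
        Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $lurePattern } |
            ForEach-Object { $findings += "Possible lure copy: $($_.FullName)" }
    }

    # 4. Marker file: digit-only name in the Windows folder carrying the worm's text
    Get-ChildItem -LiteralPath $windowsDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d+(\.txt)?$' } |
        Where-Object { Select-String -LiteralPath $_.FullName -Pattern 'W32\.Supernova' -Quiet } |
        ForEach-Object { $findings += "Marker file: $($_.FullName)" }

    return $findings
}

$hits = Find-SurnovaIndicators
if ($hits) { $hits } else { 'No W32/Surnova-B indicators found.' }
```

Run it from an elevated PowerShell prompt so the HKLM keys and the Windows folder are readable; a hit on the lure heuristic alone is a prompt to inspect the file, not proof of infection.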
