World Cup Virus (W32.Worm.Zade.B)

Notification Date: June 26, 2006

Name: World Cup Virus (W32.Worm.Zade.B)
Public disclosure / in-the-wild date: June 26, 2006 11:49am
Aliases: W32.Worm.Zade.B, Generic.Malware.SFMPHV@mmPk.BC19FA4B (BitDefender), W32/Sixem.a@MM (McAfee), Email-Worm.Win32.Sixem.a (Ikarus), Trojan.Killav-31 (ClamAV)
Risk: Medium
Description: W32.Worm.Zade.B is a mass-mailing worm, the second variant of the W32.Worm.Zade family. It sends e-mails whose lure text refers to soccer (hence the "World Cup" name), job offers, nude women and naked politicians. Compared with the first variant it carries a longer list of security applications to terminate and additionally deletes registry keys belonging to antivirus and firewall products.
The worm is also designed to delete itself from the system on and after July 11.

 

ISS Coverage

Product                                Content Version
Proventia Desktop                      8.0.675 and above
Proventia Multi-Function Appliances    3.6 and above

Propagation Technique    ISS Protection Available
Email                    DisableAV (VPS), Oct. 14, 2005

The DisableAV behavior signature predates this worm by eight months; it is the generic "disables anti-virus software" detection that caught the sample on day zero (see the scan report below).

Detailed Description

Affected Platforms:
  • Microsoft Windows 98
  • Microsoft Windows ME
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003
Malicious behaviors:

When this virus is detected by VPS (the Proventia Virus Prevention System), the event details list the following malicious behaviors:

  • Disables anti-virus software.
  • Disables personal firewall software.
Variant information:

Differences between this variant and the first variant:

  • Difference in email message characteristics (subject, message)
  • Longer list of names of security and utility software that it will terminate
  • Additional removal of registry keys relating to antivirus and firewall programs
  • This variant is designed to delete itself on and after July 11.

This variant arrived exactly one week after the first, both on a Monday morning:
W32.Worm.Zade.A - June 19, 2006 (11:59am), Monday

W32.Worm.Zade.B - June 26, 2006 (11:49am), Monday

0-day detection:

AV-Test.org reports the following vendors detect/miss this sample as of Mon 6/26/2006 11:51 AM (a dash means the scanner did not detect the sample; heuristic and "suspicious" verdicts are shown as reported):
----------------------------------------------------------------------
Scan report of: bush_nudes_img.jpg.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir HEUR/Hijacker
Avast! -
AVG -
BitDefender Generic.Malware.SFMPHV@mmPk.BC19FA4B
ClamAV Trojan.Killav-31
Command -
Dr Web WIN.MAIL.WORM.Virus (probably)
eSafe Trojan/Worm [101] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus Email-Worm.Win32.Sixem.a
Kaspersky -
McAfee W32/Sixem.a@MM
McAfee (BETA) W32/Sixem.a@MM
Microsoft -
Nod32 NewHeur_PE (probably unknown virus)
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 ERROR
VirusBuster ERROR
YY_Spybot -

Technical Description:

W32.Worm.Zade.B is a mass-mailing worm, the second variant of the W32.Worm.Zade family. It sends e-mails whose lure text refers to soccer, job offers, nude women and naked politicians. Compared with the first variant it carries a longer list of security applications to terminate and additionally deletes registry keys belonging to antivirus and firewall products.

The worm is also designed to delete itself from the system on and after July 11.

Malcode Installation

Upon execution, the malcode will drop a copy of itself as:

%System%\jucshed.exe

(Where %System% refers to the Windows system folder. On Windows XP and 2003, the Windows system folder is usually C:\Windows\System32, on Windows 2000 it is usually C:\WINNT\System32 and on Windows 95, 98 and ME it is usually C:\Windows\System)

Then it creates the following registry entries so that the dropped copy is executed at every system startup (the RunServices key is only honored by Windows 95, 98 and ME; Windows NT-based systems ignore it, so on 2000, XP and 2003 only the two Run values matter):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    javastr = "%System%\jucshed.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    javastr = "%System%\jucshed.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    javastr = "%System%\jucshed.exe"

Additionally, the malcode creates the following registry value to store its data:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL
    mis = %value%

Mass-Mailing Behavior

For its mass-mailing routine, it harvests email addresses from files on the affected system that have any of the following extensions: wab, adb, msg, dbx, mbx, mdx, eml, nch, txt, tbb, tbi, html, htm, xml, doc, rtf, xls, sht, oft.

The malcode then sends copies of itself as an email attachment whose name carries a double extension: an image extension (for example .jpg) followed by .exe, as in the sample name bush_nudes_img.jpg.exe in the scan report above. With Windows' default "Hide extensions for known file types" setting, a saved copy is displayed as bush_nudes_img.jpg.

The email it sends out has the following formats:

Email format 1:


Email format 2:

Email format 3:


Email format 4:

Email format 5:

Downloading Behavior

This malcode also attempts to download the following file:

hxxp://couplesexxx.com/pics.exe

The malcode saves the downloaded file in the Windows temporary folder and then executes it.

Security Software Retaliation

This malcode attempts to terminate the following processes. Most belong to antivirus, firewall and anti-trojan products; the list also contains the Windows tools a user would reach for during cleanup (REGEDIT.EXE, REGEDT32.EXE, TASKMGR.EXE, MSCONFIG.EXE, NETSTAT.EXE, TRACERT.EXE, SFC.EXE, NTVDM.EXE). Many entries are the file names of product installers and updaters (for example ZAPSETUP3001.EXE, KERIO-PF-213-EN-WIN.EXE, AVWUPD32.EXE), so the worm also interferes with installing or updating protection while it is active:

• _AVP32.EXE
• _AVPCC.EXE
• _AVPM.EXE
• AVP32.EXE
• AVPCC.EXE
• AVPM.EXE
• AVP.EXE
• iamapp.exe
• iamserv.exe
• FRW.EXE
• blackice.exe
• blackd.exe
• zonealarm.exe
• vsmon.exe
• VSHWIN32.EXE
• VSECOMR.EXE
• WEBSCANX.EXE
• AVCONSOL.EXE
• VSSTAT.EXE
• OUTPOST.EXE
• REGEDIT.EXE
• NETSTAT.EXE
• TASKMGR.EXE
• MSCONFIG.EXE
• NAVAPW32.EXE
• NAVW32.EXE
• UPDATE.EXE
• AGENTSVR.EXE
• ANTI-TROJAN.EXE
• ANTIVIRUS.EXE
• ANTS.EXE
• APIMONITOR.EXE
• APLICA32.EXE
• APVXDWIN.EXE
• ATCON.EXE
• ATGUARD.EXE
• ATRO55EN.EXE
• ATUPDATER.EXE
• ATWATCH.EXE
• AUPDATE.EXE
• AUTODOWN.EXE
• AUTOTRACE.EXE
• AUTOUPDATE.EXE
• AVGSERV9.EXE
• AVLTMAIN.EXE
• AVprotect9x.exe
• AVPUPD.EXE
• AVSYNMGR.EXE
• AVWUPD32.EXE
• AVXQUAR.EXE
• BD_PROFESSIONAL.EXE
• BIDEF.EXE
• BIDSERVER.EXE
• BIPCP.EXE
• BIPCPEVALSETUP.EXE
• BISP.EXE
• BOOTWARN.EXE
• BORG2.EXE
• BS120.EXE
• CDP.EXE
• CFGWIZ.EXE
• CFIADMIN.EXE
• CFIAUDIT.EXE
• CFINET.EXE
• CFINET32.EXE
• CLEAN.EXE
• CLEANER.EXE
• CLEANER3.EXE
• CLEANPC.EXE
• CMGRDIAN.EXE
• CMON016.EXE
• CPD.EXE
• CPF9X206.EXE
• CPFNT206.EXE
• CV.EXE
• CWNB181.EXE
• CWNTDWMO.EXE
• DEFWATCH.EXE
• DEPUTY.EXE
• DPF.EXE
• DPFSETUP.EXE
• DRWATSON.EXE
• DRWEBUPW.EXE
• ENT.EXE
• ESCANH95.EXE
• ESCANHNT.EXE
• ESCANV95.EXE
• EXANTIVIRUS-CNET.EXE
• FAST.EXE
• FIREWALL.EXE
• FLOWPROTECTOR.EXE
• FP-WIN_TRIAL.EXE
• FSAV.EXE
• FSAV530STBYB.EXE
• FSAV530WTBYB.EXE
• FSAV95.EXE
• GBMENU.EXE
• GBPOLL.EXE
• GUARD.EXE
• GUARDDOG.EXE
• HACKTRACERSETUP.EXE
• HTLOG.EXE
• HWPE.EXE
• ICLOAD95.EXE
• ICLOADNT.EXE
• ICMON.EXE
• ICSSUPPNT.EXE
• ICSUPP95.EXE
• ICSUPPNT.EXE
• IFW2000.EXE
• IPARMOR.EXE
• IRIS.EXE
• JAMMER.EXE
• KAVLITE40ENG.EXE
• KAVPERS40ENG.EXE
• KERIO-PF-213-EN-WIN.EXE
• KERIO-WRL-421-EN-WIN.EXE
• KERIO-WRP-421-EN-WIN.EXE
• KILLPROCESSSETUP161.EXE
• LDPRO.EXE
• LOCALNET.EXE
• LOCKDOWN.EXE
• LOCKDOWN2000.EXE
• LSETUP.EXE
• LUALL.EXE
• LUCOMSERVER.EXE
• LUINIT.EXE
• MCAGENT.EXE
• MCUPDATE.EXE
• MFW2EN.EXE
• MFWENG3.02D30.EXE
• MGUI.EXE
• MINILOG.EXE
• MOOLIVE.EXE
• MRFLUX.EXE
• MSINFO32.EXE
• MSSMMC32.EXE
• MU0311AD.EXE
• NAV80TRY.EXE
• NAVDX.EXE
• NAVSTUB.EXE
• NC2000.EXE
• NCINST4.EXE
• NEOMONITOR.EXE
• NETARMOR.EXE
• NETINFO.EXE
• NETMON.EXE
• NETSCANPRO.EXE
• NETSPYHUNTER-1.2.EXE
• NISSERV.EXE
• NISUM.EXE
• NMAIN.EXE
• NORTON_INTERNET_SECU_3.0_407.EXE
• NPF40_TW_98_NT_ME_2K.EXE
• NPFMESSENGER.EXE
• NPROTECT.EXE
• NSCHED32.EXE
• NTVDM.EXE
• NUPGRADE.EXE
• NVARCH16.EXE
• NWINST4.EXE
• NWTOOL16.EXE
• OSTRONET.EXE
• OUTPOSTINSTALL.EXE
• OUTPOSTPROINSTALL.EXE
• PADMIN.EXE
• PANIXK.EXE
• PAVPROXY.EXE
• PCC2002S902.EXE
• PCC2K_76_1436.EXE
• PCCIOMON.EXE
• PCDSETUP.EXE
• PCFWALLICON.EXE
• PCIP10117_0.EXE
• PDSETUP.EXE
• PERISCOPE.EXE
• PERSFW.EXE
• PF2.EXE
• PFWADMIN.EXE
• PINGSCAN.EXE
• PLATIN.EXE
• POPROXY.EXE
• POPSCAN.EXE
• PORTDETECTIVE.EXE
• PPINUPDT.EXE
• PPTBC.EXE
• PPVSTOP.EXE
• PROCEXPLORERV1.0.EXE
• PROPORT.EXE
• PROTECTX.EXE
• PSPF.EXE
• PURGE.EXE
• PVIEW95.EXE
• QCONSOLE.EXE
• QSERVER.EXE
• RAV8WIN32ENG.EXE
• REGEDT32.EXE
• RESCUE.EXE
• RESCUE32.EXE
• RRGUARD.EXE
• RSHELL.EXE
• RTVSCN95.EXE
• RULAUNCH.EXE
• SAFEWEB.EXE
• SBSERV.EXE
• SD.EXE
• SETUP_FLOWPROTECTOR_US.EXE
• SETUPVAMEEVAL.EXE
• SFC.EXE
• SGSSFW32.EXE
• SH.EXE
• SHELLSPYINSTALL.EXE
• SHN.EXE
• SMC.EXE
• SOFI.EXE
• SPF.EXE
• SPHINX.EXE
• SPYXX.EXE
• SS3EDIT.EXE
• ST2.EXE
• SUPFTRL.EXE
• SUPPORTER5.EXE
• SYMPROXYSVC.EXE
• SYSEDIT.EXE
• TASKMON.EXE
• TAUMON.EXE
• TAUSCAN.EXE
• TC.EXE
• TCA.EXE
• TCM.EXE
• TDS2-98.EXE
• TDS2-NT.EXE
• TDS-3.EXE
• TFAK5.EXE
• TGBOB.EXE
• TITANIN.EXE
• TITANINXP.EXE
• TRACERT.EXE
• TRJSCAN.EXE
• TRJSETUP.EXE
• TROJANTRAP3.EXE
• UNDOBOOT.EXE
• VBCMSERV.EXE
• VBCONS.EXE
• VBUST.EXE
• VBWIN9X.EXE
• VBWINNTW.EXE
• VCSETUP.EXE
• VFSETUP.EXE
• VIRUSMDPERSONALFIREWALL.EXE
• VNLAN300.EXE
• VNPC3000.EXE
• VPC42.EXE
• VPFW30S.EXE
• VPTRAY.EXE
• VSCENU6.02D30.EXE
• VSISETUP.EXE
• VSMAIN.EXE
• VSWIN9XE.EXE
• VSWINNTSE.EXE
• VSWINPERSE.EXE
• W32DSM89.EXE
• W9X.EXE
• WATCHDOG.EXE
• WGFE95.EXE
• WINRECON.EXE
• WNT.EXE
• WRADMIN.EXE
• WRCTRL.EXE
• WSBGATE.EXE
• WYVERNWORKSFIREWALL.EXE
• XPF202EN.EXE
• ZAPRO.EXE
• ZAPSETUP3001.EXE
• ZATUTOR.EXE
• ZAUINST.EXE
• ZONALM2601.EXE

It also deletes the following registry keys. Most belong to antivirus and firewall products: deleting a vendor's key destroys the product's settings, and deleting its Run entry stops it from starting. The last one, SafeBoot, holds the driver and service lists Windows needs to start in Safe Mode, so Safe Mode will no longer boot on an affected system:

• HKLM\Software\Agnitum
• HKLM\Software\KasperskyLab
• HKLM\Software\McAfee
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avg7_cc
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avg7_emc
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KAV50
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\McAfee Guardian
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\McAfee.InstantUpdate.Monitor
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV CfgWiz
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SSC_UserPrompt
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Symantec NetDriver Monitor
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Zone Labs Client
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
• HKLM\Software\Panda Software
• HKLM\Software\Symantec
• HKLM\Software\Zone Labs
• HKLM\System\CurrentControlSet\Control\SafeBoot

Other Information

  • This malcode is designed to delete itself from the system on and after July 11.
  • This malcode temporarily saves the harvested email addresses in the following file:

    %System%\tag2.jpg

    It also attempts to upload the harvested email addresses to a remote server via the following PHP script:

    sextraf.com/ms2/count.php

  • It uses the User-Agent string "bDeza" when connecting to that script. The string belongs to no common browser, which makes it a usable network indicator.
  • The malcode creates a mutex named "maria" for its own internal synchronization; the presence of that mutex on a running system is a usable host indicator.
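The two hosts, the two paths and the "bDeza" User-Agent are the worm's only network indicators, so a sweep of proxy logs is the natural hunt for infected clients. The following is an added example, not part of the original advisory: it matches combined-format forward-proxy log lines against those indicators and reports the client and time for every hit. The three log lines are constructed (client addresses, timestamps and byte counts are invented); only the hosts, paths and user-agent string come from this page.

```python
"""Proxy-log sweep for the network indicators listed in this advisory."""
import re
from urllib.parse import urlsplit

# (host, path) pairs and the user-agent string taken from the advisory
PAYLOAD_URL = ("couplesexxx.com", "/pics.exe")      # Downloading Behavior
UPLOAD_SCRIPT = ("sextraf.com", "/ms2/count.php")   # harvested-address upload
WORM_USER_AGENT = "bDeza"

# Apache/Squid "combined" format as written by a forward proxy:
# client ident user [time] "METHOD absolute-URL HTTP/x" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return the regex match for one log line, or None if it is malformed."""
    return LINE_RE.match(line)


def indicators(match):
    """Names of the indicators one parsed log line matches."""
    url = urlsplit(match["url"])
    target = (url.hostname or "", url.path)   # hostname comes back lower-cased
    hits = []
    if target == PAYLOAD_URL:
        hits.append("payload-download")
    if target == UPLOAD_SCRIPT:
        hits.append("address-upload")
    if match["agent"] == WORM_USER_AGENT:
        hits.append("worm-user-agent")
    return hits


def sweep(lines):
    """(client, time, indicators) for every well-formed line that matches something."""
    results = []
    for line in lines:
        m = parse_line(line)
        if m is None:
            continue
        hits = indicators(m)
        if hits:
            results.append((m["client"], m["time"], hits))
    return results


# Constructed sample log: addresses, timestamps and byte counts are invented.
SAMPLE_LOG = [
    '10.1.2.3 - - [26/Jun/2006:11:52:10 +0000] "GET http://couplesexxx.com/pics.exe HTTP/1.0" 200 51200 "-" "Mozilla/4.0"',
    '10.1.2.3 - - [26/Jun/2006:11:53:41 +0000] "POST http://sextraf.com/ms2/count.php HTTP/1.0" 200 12 "-" "bDeza"',
    '10.1.2.9 - - [26/Jun/2006:11:54:00 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 3034 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, when, hits in sweep(SAMPLE_LOG):
        print(client, when, ", ".join(hits))
```

Matching on (host, path) rather than on the raw URL string means a query string appended to count.php, or a different port, does not hide the upload, and the user-agent match is kept separate so a client that only contacts the upload script still shows both reasons.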
Symptoms:
  • High bandwidth usage due to mass-mailing behavior
  • An arbitrary program is downloaded and executed in the system
  • Security software and utility programs are terminated
  • Registry keys of Antivirus and Firewall programs are deleted
Removal instructions:
  1. Terminate the following malcode process:
    jucshed.exe

    Note: Because the malcode also terminates Task Manager, copy %System%\taskmgr.exe to a different file name and run the copy. Third-party process managers also work; an example is Process Explorer from Sysinternals: http://www.sysinternals.com/Utilities/ProcessExplorer.html
    Do not plan on doing the cleanup from Safe Mode: the worm deletes HKLM\System\CurrentControlSet\Control\SafeBoot, so Safe Mode will no longer boot on an affected system.
  2. Delete the following malcode file:
    %System%\jucshed.exe

    (Where %System% refers to the Windows system folder. On Windows XP and 2003, the Windows system folder is usually C:\Windows\System32, on Windows 2000 it is usually C:\WINNT\System32 and on Windows 95, 98 and ME it is usually C:\Windows\System)
  3. Delete the following malcode registry values:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    javastr = "%System%\jucshed.exe"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    javastr = "%System%\jucshed.exe"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    javastr = "%System%\jucshed.exe"

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL
    mis = %value%
  4. Delete the harvested-address file %System%\tag2.jpg and any file the worm downloaded into the Windows temporary folder (see Downloading Behavior).
  5. Because the worm deletes the registry keys of Agnitum, Kaspersky, McAfee, Panda, Symantec and Zone Labs products, installed antivirus and firewall software will most likely need to be repaired or reinstalled and updated before it can be trusted again.
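The registry values above are what a responder has to find and remove, and the SafeBoot key decides whether Safe Mode is still available. The following is an added example, not part of the original advisory: it reads a text export produced by reg export (Windows Registry Editor Version 5.00 format), reports the worm's javastr and mis values, checks whether SafeBoot survived, and emits the reg delete commands for cleanup instead of touching the registry itself, so it can be run offline against an export taken from the affected machine. The sample export is constructed; the key paths are those from this page, while the ctfmon entry, the "0" data and the Session Manager key are invented filler.

```python
"""Triage a `reg export` dump for the persistence and damage described in this advisory."""
import re

# Locations named in the advisory (registry names are case-insensitive, so compare upper-cased)
AUTOSTART_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
]
AUTOSTART_VALUE = "javastr"
DATA_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL"
DATA_VALUE = "mis"
SAFEBOOT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# "name"=data lines inside a [key] block of a .reg file
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Return {KEY_UPPER: {value_name_lower: data}} from a .reg dump.
    REG_SZ strings are unescaped; other value types are kept as raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})   # an empty key still counts as present
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m["data"]
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m["name"].lower()] = data
    return keys


def assess(keys):
    """Summarise what the worm left behind and build the reg.exe cleanup commands."""
    report = {"autostart": [], "data": [], "safeboot_present": False, "commands": []}
    for key in AUTOSTART_KEYS:
        values = keys.get(key.upper(), {})
        if AUTOSTART_VALUE in values:
            report["autostart"].append((key, values[AUTOSTART_VALUE]))
            report["commands"].append(f'reg delete "{key}" /v {AUTOSTART_VALUE} /f')
    values = keys.get(DATA_KEY.upper(), {})
    if DATA_VALUE in values:
        report["data"].append((DATA_KEY, values[DATA_VALUE]))
        report["commands"].append(f'reg delete "{DATA_KEY}" /v {DATA_VALUE} /f')
    report["safeboot_present"] = any(k.startswith(SAFEBOOT_KEY.upper()) for k in keys)
    return report


# Constructed export of an infected XP host; the ctfmon entry, the "0" data and the
# Session Manager key are filler, the worm's paths are the ones from the advisory.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"javastr"="C:\\WINDOWS\\system32\\jucshed.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"javastr"="C:\\WINDOWS\\system32\\jucshed.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"javastr"="C:\\WINDOWS\\system32\\jucshed.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL]
"mis"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
'''

if __name__ == "__main__":
    result = assess(parse_reg_export(SAMPLE_EXPORT))
    for key, data in result["autostart"]:
        print("autostart:", key, "=", data)
    print("SafeBoot key present:", result["safeboot_present"])
    print("\n".join(result["commands"]))
```

The SafeBoot check is only meaningful when the export covers HKLM\SYSTEM\CurrentControlSet\Control; if it reports the key missing, plan the cleanup for normal mode as step 1 says, and expect to restore the key from a clean machine of the same Windows version before Safe Mode works again.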


Revision History

June 26, 2006 Initial report
June 27, 2006 Corrected "in the wild" date. Zade.A appeared on the 19th, and Zade.B appeared on the 26th.

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Security Systems

IBM Security Systems include an extensive portfolio of hardware, software solutions, professional and managed services offerings covering the spectrum of IT and business security risks: people and identity, data and information, application and process, network, server and endpoint and physical infrastructure, empowering clients to innovate and operate their businesses on the most secure infrastructure platforms. Through world-class solutions that address risk across the enterprise, IBM helps organizations build a strong security posture that helps reduce costs, improve service, and manage risk. IBM X-Force(R) Research and Development is one of the most renowned commercial security research and development groups in the world. For more information on how to address today's biggest risks, please visit us at ibm.com/security.