Main Menu
Home
Bookmark
Contact Us

Categories
  Adware
  Adware Bundler
  AOL Exploit
  Backdoor
  Browser Hijacker
  Browser Plug-in
  Commercial Key Logger
  Commercial Remote Control
  Cookie
  Dialer
  E-Mail Flooder
  Hostile ActiveX Control
  ICQ Exploit
  Joke Program
  Key Logger
  Loader
  Low Risk Adware
  Misc
  Nuker
  P2P
  Password Hijacker
  Potential Privacy Risk
  Potentially Dangerous Tools
  RAT
  Search Hijacker
  Security Disabler
  Spyware
  Stealth Notifier
  Surveillance
  Toolbar
  Trojan
  Trojan Downloader
  Trojan FTP
  Trojan Telnet
  Viruses
  Worm
 


 
I-Worm.Amus. Viruses Information

Name: I-Worm.Amus.
Category: Viruses
Description: Details
I-Worm.Amus.a

Amus is an Internet worm that spreads in email attachments. It is a Windows PE exe file, written in Visual Basic and packed by Yoda. The compressed file size is about 50 KB.
Amus is activated only if users double click on the attachment.
Installation
After being launched, Amus:
Creates a unique identifier named 'Masum'
Attempts to activate ISpeechVoice.Speak and play the following soundtrack:
How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye. I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule.
Amus then copies itself into the root directory of the C drive under the name masum.exe and into the Windows folder under the following names:
Adapazari.exe
Ankara.exe
Anti_Virus.exe
Cekirge.exe
KdzEregli.exe
Messenger.exe
Meydanbasi.exe
My_Pictures.exe
Pide.exe
Pire.exe
The worm registers the file KdzEregli.exe in the following Windows auto run system registry key:
[HKLMSoftwareMicrosoftWindowsCurrentVersionRun]
"Microzoft_Ofiz"="%WINDIR%KdzEregli.exe"
Moreover, Amus creates the following system registry key:
[HKCUSOFTWAREMicrosoftMasumWho]
"Who"="OnEmLi_DeGiL"
Propagation by email
Amus uses MS Outlook to send copies of itself to all recipients listed in the address book.
Infected emails
Subject
Listen and Smile
Attachment name
Masum.exe
Body text
Hey. I beg your pardon. You must listen.
Amus does not spoof sender addresses and uses the real address of the infected machine.
Other
Amus is programmed to replace the home page URL in Internet Explorer on the 1, 6, 20 and 25 of each month with the following text:
Konneting du pepil and dizkoneting you. Anlami: Baglansan ne olacak, baglanmasan ne olacak. Zaten hatlar burada rezalet.
On the 2, 15 and 17 of each month Amus will attempt to delete all .ini firles in the Windows folder.
While on the 10 and 23 of each month, the worm will attempt to delete all .dll files in the Windows folder.



Top Viruses Visited Pages:
Invader. - 241 visits
not-a-virus:RiskWare.Tool.RegPatch. - 73 visits
Worm.P2P.Harex. - 67 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 60 visits
Small.58. - 56 visits
Coito.64 - 54 visits
I-Worm.Mapson. - 48 visits
Win32.Hidra - 43 visits
Win16.Klon.1177 - 42 visits
Marine.500 - 35 visits

Random Viruses Pages:
TrojanDownloader.BMP.Agent.
Macro.Word.Ech
Fanthomas.144
Rust.171
Pirat
Macro.Word.Counte
Troi.32
SMEG.v0_3.Demo.
Ufr
Logen.102


 

© 2006-2008 spyware32.com - Privacy Policy