World Cup Soccer Worm Spreads - Disables Security Software

A vulgar new worm has been found spreading that takes advantage of the 2006 World Cup Soccer games. The worm arrives as an E-mail attachment with one of the following subjects and message bodies:

Subjects:

1. Soccer fans killed five teens

2. Crazy soccer fans

3. Please reply me Tomas

4. My tricks for you

5. Naked World Cup game set

6. My sister whores, shit i dont know

Message Bodies:

1. Soccer fans killed five teens, watch what they make on photos. Please report on this all who know.

2. Crazy soccer fans killed two teens, watch what they make on photos. Please report on this all who know.

3. I wait your photos from New York. I sent my pics where i naked for you. Please reply me. Linda Salivan

4. Nudists are organising their own tribute to the world cup, by staging their own nude soccer game, though it is not clear how the teams will tell each other apart. Good photos ;)

5. Emily Carr was an artist know for her prudery, but now the Portrait Gallery of Canada has aquired a nude self-portrait.
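A mail-gateway check built from the subject lines listed above, as an added example that is not part of the original advisory. The function names, the example.test addresses and the attachment name are constructed for illustration; matching is on the exact subjects only, so it will not catch reworded variants.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines listed in this advisory, stored lower-case for matching.
WORM_SUBJECTS = {
    "soccer fans killed five teens",
    "crazy soccer fans",
    "please reply me tomas",
    "my tricks for you",
    "naked world cup game set",
    "my sister whores, shit i dont know",
}

def normalize(subject):
    """Collapse whitespace and case so trivial variations still match."""
    return " ".join((subject or "").split()).lower()

def attachment_names(msg):
    """Return the filenames of all attachments in a parsed message."""
    return [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]

def check_message(raw_bytes):
    """Return a verdict dict for one raw message as received by the gateway."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject_hit = normalize(msg["Subject"]) in WORM_SUBJECTS
    names = attachment_names(msg)
    # The advisory says the worm arrives as an attachment, so require both.
    return {"subject_hit": subject_hit, "attachments": names,
            "quarantine": subject_hit and bool(names)}

def build_sample(subject, with_attachment):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content("Constructed body text.")
    if with_attachment:
        # Constructed placeholder; the advisory does not name the attachment.
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename="attachment.bin")
    return m.as_bytes()

if __name__ == "__main__":
    for subj, att in [("Crazy soccer fans", True), ("Quarterly figures", True)]:
        print(subj, "->", check_message(build_sample(subj, att)))
```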

Upon execution, the worm copies itself to the following location:

%Sysdir%\msctools.exe

It then attempts to download additional malware from:

http://couple{removed}.com/tumbs/dianaimg.exe

The worm also attempts to disable the following processes:

AVP32.EXE

AVPCC.EXE

AVPM.EXE

AVP.EXE

iamapp.exe

iamserv.exe

FRW.EXE

blackice.exe

blackd.exe

zonealarm.exe

vsmon.exe

VSHWIN32.EXE

VSECOMR.EXE

WEBSCANX.EXE

AVCONSOLE.EXE

VSSTAT.EXE

OUTPOST.EXE

REGEDIT.EXE

NETSTAT.EXE

TASKMGR.EXE

MSCONFIG.EXE

NAVAPW32.EXE

UPDATE.EXE

msctools.exe

The worm then uses a built-in mail engine to send copies of itself to addresses that have been harvested from the infected machine. The worm avoids sending itself to addresses containing the following strings:

temps

abuse

admin

webmaster

support

submit

service

sendmail

secur

samples

ripe

privacy

postmaster

panda

nothing

mydomai

mozilla

linux

kernel

inpris

icrosoft

ibm.com

google

example

contact

certific

borlan

berkeley

anyone

policy

apache

webmin

webmist

random

local

anonymous

addres

kaspersk

microsof

norton

symantec

virus

reply

report
