W32.Explet - AGen1.03.exe

tasklist.org		A comprehensive list of processes running in your computer
		tasklist \| attachlist

bookmark this website!		total tasks: 16297

AttachList is a list of email attachment files that viruses usually send in email. It contains the attached file names, typical subjects and messages, the name of the viruses that send them, and instruction on how to remove these viruses.

most requested

Browse attachlist by file name:

| a | b | c | d | e | f | g | h | i | j | k | l | m | n | o | p | q | r | s | t | u | v | w | x | y | z |

Name: W32.Explet

Sender:

Sender is spoofed. The worm may choose the sender's name from a
predetermined list, the email addresses it finds, or it may randomly
generate the address.

Subject:

For you
Good offer.
Hi, Mike
RE:
RE: order

Message:

Greets! I offer you full base of accounts with passwords of mail
server yahoo.com. Here is archive with small part of it. You can see
that all information is real. If you want to buy full base, please
reply me...
Hi.Here is the archive with those information, you asked me.And don't
forget, it is strongly confidencial!!!Seya, man.P.S. Don't forget my
fee ;)
Hi, my darling :)Look at my new screensaver. I hope you will
enjoy...Your Liza
Hi, Nick. In this archive you can find all those things, you asked
me.See you. Steve
My friend gave me this account generator for http: 
//www.pantyola.com I wanna share it with you :)And please do not
distribute it. It's private.

Attachment:

AGen1.03.exe
AtlantI.exe
demo.exe
release.exe
SecUNCE.exe

Comments: A mass-mailing worm that retrieves email address from files with .htm, .html, .php, .tbb, and .txt extensions, on all fixed drives from C through Y. Also uses its own SMTP engine to send itself to the email addresses it finds and spreads through network shares and the Kazaa file-sharing network. Attempts to propagate by exploiting the Microsoft Windows LSASS Buffer Overrun

Symptoms:


 Adds a value: "NvClipRsv"="

	" to the registry key,
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun 
 Retrieves KaZaA shared folder from the value "DlDir0" in the
registry key: HKEY_CURRENT_USERSoftwareKazaaTransfer 
 Copies itself as to the Kazaa shared folder as one of the following:
AVP5.xcrack.exe hx00def.exe ICQBomber.exe InternetOptimizer1.05b.exe
Shrek_2.exe UnNukeit9xNTICQ04noimageCrk.exe YahooDBMails.exe 
 Overwrites the file %Windir%system32driversetchosts with the
following lines: 127.0.0.1  downloads-us1.kaspersky-labs.com 127.0.0.1
 downloads1.kaspersky-labs.com 127.0.0.1 
downloads4.kaspersky-labs.com 127.0.0.1  downloads2.kaspersky-labs.com
127.0.0.1  downloads-eu1.kaspersky-labs.com

Recommended Cleanup Software: We found that Easy SpyRemover is the most effective tool for removing this file.

Manual Removal Instructions: Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode or VGA mode.
Run a full system scan and delete all the files detected as W32.Explet.A@mm.
Delete the value that was added to the registry.
Delete the added lines from the Windows Hosts file