New worm around - Win32.Paps.C - Update your Antivirus!!!

ovi (Guest)
Also known as: W32/Paps (McAfee).

Method of infection:

Win32.Paps.C is a mass mailing worm, which propagates via email.
It arrives as a UPX packed 255,888 byte executable file inside an email attachment.
When executed, the worm copies itself to %Windows%\win32config.exe
and creates the following files:
%Windows%\win32apps1.txt
%Windows%\win32apps2.txt
%Windows%\win32apps3.txt
%Windows%\win32apps4.txt
%Windows%\strings.txt
%Windows%\KERNEL32.DLL - the copy of the worm
The worm also drops an iphist.dat file in the location from which it was originally executed.
The worm sets the following registry value to ensure it runs on every system boot:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Win32Config = %Windows%\win32config.exe
Note: '%Windows%' is a variable location. The worm determines the location of the folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.

Method of distribution:

Via E-mail
The worm sends itself as an attachment to email addresses, which it collects
on the affected computer from files with the following extensions:

.doc
.txt
.wab
.rtf
.htm
.html
.dbx
.xml
.msg
.php
.cgi
.pst
.nk2

The worm will try to use www.whatismyip.com
to determine the local computer's IP address it is running from, and also
use www.google.de to collect more email addresses by querying recipient name strings.

It will avoid sending itself to email addresses with the following substrings:

VIRUS
PESTPATROL
KASPERSKY
SOPHOS
SYMANTEC
NORTON
AVP
ANTIVIR
FREEAV
EWIDO
F-SECURE
MCAFEE
NAI.COM
BUSE@
MICROSOFT

The subject of the email message can be one of the following, either in German:

RE: RE: FWD:
Re: Message Error
Re: Ihre Informationen
Re: Bad Request
Anzeige wegen illegalem Mp3-Tausch
du hast einen Trojaner auf deinem PC
Du Idiot!!!
ups, Ich habe Ihre Mail bekommen
Ich hasse dich!!
Achtung: Neuer Virus!!!
MailerDaemon: Mail Delivery Failure

or in English:

"RE: RE: FWD:"
"Re: Message Error"
"Re: Mail Authentification"
"Re: Bad Request"
"illegal file sharing"
"a trojan horse is on your PC"
"you are an idiot"
"ups, i've got your mail"
"I hate you"
"hi, its me"
"MailerDaemon: Mail Delivery Failure"

The body of the message could be either in German:

Hi du! Hab mal schnell ein paar Fotos mit Meikes Webcam geschossen. Sind echt lustig geworden :) Hab dir die Fotos angehängt! Wir sehen uns...

ESMTP [Secure Mail System #334]: Secure message is attached.
++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.com

Guten Tag! Die angeforderten Informationen befinden sich im Anhang. MfG
++++ Attachment: No Virus found +++ Kaspersky AntiVirus - www.kaspersky.com

Bad Gateway: The message has been attached.
++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.com

Sie tauschen illegal mp3-files aus! Ein Gerichtsverfahren gegen Sie wurde eingeleitet.
Nähere Informationen entnehmen Sie bitte dem Anhang.

Hallo, ich bin aus Österreich. Ich hab gerade mal kurz deinen
Computer gescannt und festgestellt, das du einen Trojaner drauf hast.
Ich konnte mir deine komplette Festplatte angucken.
Ich hab dir mal nen Removal tool an die Mail angehängt.:)

Warum machen sie das? Sie Idiot! Sie haben mein Geld gestolen!!!
ICH WERDE SIE BEI DER POLIZEI ANZEIGEN!!!! Schauen Sie sich den Anhang an!

Das muss wohl ein Fehlläufer sein. Irgendjemand hat eine Mail, die für Sie bestimmt war an meine Mail Adresse geschickt.
Ich leite die Mail einfach mal weiter. Der Anhang ist sehr interessant :)

Ich hab dir gesagt, das ich dich liebe...und du?? Du....du hast garnichts gesagt!!!
Verschwinde...du Schuft ... Ich hasse dich!! Du kannst deine Dateien zurück haben!!!
Ich hab sie angehängt...

Achtung: An alle Online-Spieler!! Ein neuer Wurm verbreitet sich über Online-Spiele!!!
Installiert euch den Patch im Anhang so schnell wie möglich damit ihr das nicht auch kriegt!!

Mail transaction failed. Partial message is available
++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.com

or in English:

Here, the DigiCam photos. A few are overexposed...

ESMTP [Secure Mail System #334]: Secure message is attached.
++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.com

Please read the attachment to get the message.
++++ Attachment: No Virus found +++ Kaspersky AntiVirus - www.kaspersky.com

Bad Gateway: The message has been attached.
++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.com

You are sharing illegal mp3-files. A legal investigation has been startet. For details read the attachment.

hi, I am from austria and you`ll don`t believe me, but a trojan horse in on your PC.
I've scanned your Computer and discovered that the trojan horse subseven is running on Port 1234.
I have attached a removal tool for you to this mail :)

why did you do that? idiot! You stole my money!!!
I`LL REPORT YOU TO THE POLICE!!!! See the attachment!

i`m very very sorry, but anybody have sent your mail to my address. The attachment is very surprising :)

I said, I love you...and you said NOTHING And now...
Go Away From Me ... I hate you!! You can have your documents back!!
I`ve attached them...

Caution: To all gamers A new worm spread via online gaming!
Install the attached patch as soon as possible!!

Mail transaction failed. Partial message is available
++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.com

The attachment name could be one of the following:
MailMessage.Msg.exe
Filesharing_details.DOC.exe
Trojan_removal_tool.exe
Report.DOC.exe
Documents.DOC.exe
Removal_tool.exe
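The lists above (subjects, attachment names, the fake "No Virus found" stamps, and the address substrings the worm refuses to mail) are enough to build a mail-side triage rule. The following is an added example and is not code from the original post or from the worm itself: the indicator lists are copied from the description, the two sample messages are constructed here for illustration, and the double-extension pattern is an assumption that widens the ".DOC.exe" / ".Msg.exe" names the post lists to similar document-plus-executable names.

```python
# Added example: mail-side triage for the Win32.Paps.C lures described above.
# Not the worm's code and not from the original post. Indicator lists are copied
# from the description; sample messages are constructed; DOUBLE_EXT_RE is an assumption.
import email
import re
from email import policy
from email.message import EmailMessage

# Subject lines the description lists (German and English).
KNOWN_SUBJECTS = {
    "RE: RE: FWD:", "Re: Message Error", "Re: Ihre Informationen", "Re: Bad Request",
    "Anzeige wegen illegalem Mp3-Tausch", "du hast einen Trojaner auf deinem PC",
    "Du Idiot!!!", "ups, Ich habe Ihre Mail bekommen", "Ich hasse dich!!",
    "Achtung: Neuer Virus!!!", "MailerDaemon: Mail Delivery Failure",
    "Re: Mail Authentification", "illegal file sharing", "a trojan horse is on your PC",
    "you are an idiot", "ups, i've got your mail", "I hate you", "hi, its me",
}

# Attachment names the description lists.
KNOWN_ATTACHMENTS = {
    "MailMessage.Msg.exe", "Filesharing_details.DOC.exe", "Trojan_removal_tool.exe",
    "Report.DOC.exe", "Documents.DOC.exe", "Removal_tool.exe",
}

# Phrases that recur in the lure bodies (fake AV stamps and bounce text).
BODY_MARKERS = (
    "Attachment: No Virus found",
    "Secure Mail System #334",
    "Mail transaction failed. Partial message is available",
)

# Assumption: a document-looking name ending in an executable extension is a lure
# even when the exact name is new. The post only shows .DOC.exe and .Msg.exe.
DOUBLE_EXT_RE = re.compile(r"\.(doc|msg|txt|rtf|pdf|xls)\.(exe|scr|pif|com)$", re.I)

# Recipient-address substrings the worm refuses to mail (copied from the post).
SKIP_SUBSTRINGS = (
    "VIRUS", "PESTPATROL", "KASPERSKY", "SOPHOS", "SYMANTEC", "NORTON", "AVP", "ANTIVIR",
    "FREEAV", "EWIDO", "F-SECURE", "MCAFEE", "NAI.COM", "BUSE@", "MICROSOFT",
)


def worm_skips(address: str) -> bool:
    """True if the worm's own filter would stop it mailing this address."""
    upper = address.upper()
    return any(s in upper for s in SKIP_SUBSTRINGS)


def triage(raw: bytes) -> dict:
    """Parse one RFC 5322 message and list the Paps.C indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    reasons = []
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"known lure subject: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in KNOWN_ATTACHMENTS:
            reasons.append(f"known lure attachment: {name}")
        elif DOUBLE_EXT_RE.search(name):
            reasons.append(f"double-extension executable: {name}")
        elif name.lower().endswith(".exe"):
            reasons.append(f"executable attachment: {name}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for marker in BODY_MARKERS:
        if marker in text:
            reasons.append(f"lure body text: {marker!r}")
    return {"subject": subject, "suspicious": bool(reasons), "reasons": reasons}


def _build(subject, body, attachment=None):
    """Construct a sample message (test data made up for this example)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed lure: a listed subject, a fake AV stamp, and a listed attachment name.
LURE = _build(
    "Re: Bad Request",
    "Bad Gateway: The message has been attached.\n"
    "++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.com\n",
    ("Report.DOC.exe", b"MZ" + b"\x00" * 62),
)

# Constructed benign message for comparison.
BENIGN = _build("Q3 invoice", "Invoice attached, thanks.\n", ("invoice-q3.pdf", b"%PDF-1.4\n"))

if __name__ == "__main__":
    for raw in (LURE, BENIGN):
        print(triage(raw))
```

Feed `triage()` raw message bytes from a mailbox or gateway hook; it returns the matched indicators so a filter can quarantine on any hit. The `worm_skips()` check is the worm's own behaviour turned around: a sinkhole or honeypot address that contains one of those substrings will never receive a sample, so use plain addresses for that purpose.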