FRISK Software International


Summary of W32/Recory.B@mm
Alias: Recory.B, Recory
Discovered: 7 Jan 2003
Risk Level: Low
Distribution: Low
Infection Method: Through peer-to-peer networks and infected e-mail attachments

Brief Description
This worm exploits a well-known hoax about the jdbgmgr.exe file in order to spread. jdbgmgr.exe is normally a legitimate Windows component; the worm overwrites it, so the usual warnings that the file is harmless no longer hold.

The worm is written in Visual Basic, spreads through IRC by modifying mIRC scripts, and tries to copy itself to the shared folders of several P2P and instant-messaging programs.


Technical Description
The worm is UPX packed.

The names of the files copied to the shared folders of P2P programs are:

-The Lord of the Rings - The Two Towers (Fast-Downloader).pif 
-007 - Die Another Day (Rocket Downloader).pif 
-Harry Potter and the Chamber of Secrets (Fast-Downloader).pif 
-Britney Spears Wallpaper.pif 
-Harry Potter and the Philosophers Stone (Movie-Downloader).pif 
Among the affected programs are:

-Kazaa
-Kazaa Lite
-ICQ
-Bearshare
-Edonkey2000
-Morpheus
-Grokster

The worm sends e-mails with the following body text:
------------------------------------------------------

Hello readers,

I have just cleaned my computer from a highly damaging computer virus Which is spreading rapidly through computer networks worldwide.

There is one way to check to see if your computer is infected with this virus.

Click the "Start" menu at the bottom left of your screen. Click the "Find" or "Search" button. Click the "Files or folders..." option. Then once the search application starts, type "Jdbgmgr.exe"

If you have found this file, right-click on it and click the "Properties" tab. If the Properties menu has a picture of a bear on it, your computer is infected with this virus. (Note that the non-infected file picture has a hammer and a screwdriver shown in it)

You may delete this file, but this is not the only file that the virus infects, To remove this virus, I have included a virus removal tool in the attachments that will scan all system files and remove any infectious code from them. This virus removal tool is very easy to use. If you have any trouble with this tool, read the help menu that the removal tool supplies.

If your computer is infected with this virus, It is strongly recommended that you send this removal tool to as many people as you can to help remove the traces of this virus worldwide.

----------------------------------------------------------

Of course, contrary to what the message says, the bear icon belongs to the normal, legitimate jdbgmgr.exe; the copy showing the screwdriver is the worm.

It copies itself to the following files:

In the Windows Startup folder:
-"LoadWin.pif"

In the "Windows\System32" folder:
-"MswinRegFiles32.com"
-"CheckThis.pif"
-"Jdbgmgr.exe"
-"Msjpeg32.pif"
-"Runsys32.bat"
-"Regfiles.bat"
-"Winbatch.bat"
-"Msjava.pif"
-"Filecmd32.com"
-"Mswin32.pif"
-"Winocx32.pif"

In the "Windows\Java" folder:
-"WinJava32.pif"
-"Javatemp.bat"
-"JavaStart.com"

In the Windows folder:
-"Jdbgmgr.exe"
-"TempFiles.pif"
-"WinStartup.pif"
-"Msupdater32.pif"
-"WinStart32.pif"
-"Winupd32.com"
-"Regedit32.com"
-"Winhlp32.com"
-"Charmap.pif"

In "Documents And Settings/[User]/Local Configuration/Temp":
-"Jdbgmgr.exe"

On shared drives:
-"\Removal.exe"

It also saves itself under file names generated in the same way as the e-mail attachment names described below.

Possible subjects for the message are listed below; each can be preceded by "Fw:" or "Fwd:".

Computer virus outbreak
Computer virus removal
About a severe computer virus
Severe computer virus alert
Virus removal tool
Severe alert
Attention employees
Alert
Readme
Important
Important Information
Update your virus scanners
Warning
Microsoft support
Knowledge Database alert
Virus warning
Virus alert
Help with removal
Removal tool
Urgent news

Possible names for the attachment can be:

RemovalTool
FixTool
KillVir
KillVirus
RepairVirus
RepairVir
Cleaner
VirusFix
CleanVirus
CleanVir
VirFix
FixVir
FixVirus
VirusRemoval
RemoveVirus
WinProtect
VirusClean
VirusCleaner
ScanVir
ScanVirus
Repair
RepairWizard
RepairScan
Scanner
FileScanner
ScanFiles
FixFiles
FileFix
RepairTool
VirusRepair
VirRepair
RepairFiles
FileRepair
AntiVirus
AntiVir
RemoveVir
CleanFiles
FileClean
FileCleaner
FileRepairer
CleanTool
CleanerTool
FixComputer
RepairComputer
CleanComputer
FixComp
RepairComp
CleanComp
FixPC
RepairPC
CleanPC
FixSystem
RepairSystem
CleanSystem
FixSys
RepairSys
CleanSys
SystemFix
SystemClean
SystemRepair
SysFix
SysClean
SysRepair
Recovery

with any of the following extensions: .exe, .pif or .com
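As an added example (not part of the original F-PROT description), the subject and attachment naming scheme above can be turned into a mail-gateway check: a message is flagged when its subject, after stripping an optional "Fw:"/"Fwd:" prefix (repeated prefixes are also stripped, a small generalization of the text), is one of the listed subjects, and when its attachment is one of the listed base names with a .exe, .pif or .com extension. The sample messages are constructed for the demonstration.

```python
import re

# Subjects listed in the description (matched case-insensitively; optional Fw:/Fwd: prefix stripped).
SUBJECTS = {s.strip().lower() for s in """Computer virus outbreak|Computer virus removal|
About a severe computer virus|Severe computer virus alert|Virus removal tool|Severe alert|
Attention employees|Alert|Readme|Important|Important Information|Update your virus scanners|
Warning|Microsoft support|Knowledge Database alert|Virus warning|Virus alert|Help with removal|
Removal tool|Urgent news""".replace("\n", "").split("|")}

# Attachment base names from the description; any of these followed by .exe, .pif or .com.
NAMES = """RemovalTool FixTool KillVir KillVirus RepairVirus RepairVir Cleaner VirusFix CleanVirus
CleanVir VirFix FixVir FixVirus VirusRemoval RemoveVirus WinProtect VirusClean VirusCleaner ScanVir
ScanVirus Repair RepairWizard RepairScan Scanner FileScanner ScanFiles FixFiles FileFix RepairTool
VirusRepair VirRepair RepairFiles FileRepair AntiVirus AntiVir RemoveVir CleanFiles FileClean
FileCleaner FileRepairer CleanTool CleanerTool FixComputer RepairComputer CleanComputer FixComp
RepairComp CleanComp FixPC RepairPC CleanPC FixSystem RepairSystem CleanSystem FixSys RepairSys
CleanSys SystemFix SystemClean SystemRepair SysFix SysClean SysRepair Recovery""".split()
NAMES_LOWER = {n.lower() for n in NAMES}
EXTENSIONS = {"exe", "pif", "com"}
PREFIX_RE = re.compile(r"^(?:\s*fwd?:)+\s*", re.IGNORECASE)  # one or more "Fw:"/"Fwd:" prefixes

def subject_matches(subject: str) -> bool:
    """True if the subject is one the worm generates, ignoring case and a Fw:/Fwd: prefix."""
    return PREFIX_RE.sub("", subject).strip().lower() in SUBJECTS

def attachment_matches(filename: str) -> bool:
    """True if the attachment is <listed name>.<exe|pif|com>, compared case-insensitively."""
    base, dot, ext = filename.strip().rpartition(".")
    if not dot:
        return False
    return base.lower() in NAMES_LOWER and ext.lower() in EXTENSIONS

def classify(subject: str, attachment: str) -> str:
    """'recory' when both indicators match, 'suspect' when only one does, else 'clean'."""
    hits = int(subject_matches(subject)) + int(attachment_matches(attachment))
    return {2: "recory", 1: "suspect", 0: "clean"}[hits]

# Constructed sample messages (not real captures): (subject, attachment file name).
SAMPLE_MAILS = [
    ("Fwd: Virus alert", "RemovalTool.pif"),
    ("Re: lunch tomorrow", "agenda.pdf"),
    ("Virus removal tool", "budget.xls"),
    ("Quarterly report", "KillVirus.exe"),
    ("FW: Fw: Severe computer virus alert", "CLEANPC.COM"),
]

def scan(mails):
    """Return one verdict per (subject, attachment) pair."""
    return [classify(subj, att) for subj, att in mails]

if __name__ == "__main__":
    for mail, verdict in zip(SAMPLE_MAILS, scan(SAMPLE_MAILS)):
        print(f"{verdict:8} {mail}")
```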

The following key is created in the Windows registry:

[HKEY_CURRENT_USER\Software\Zed/[rRlf]\Recovery\1.1\]



[Analysis: Ero Carrera; F-Secure Corp.; January 7th, 2003]