
longname.scr#83

Merged
usernamealreadyis merged 1 commit into 5932700/please-turn-on-two-factor-authentication from usernamealreadyis-cs1
Jul 10, 2017

Conversation

@usernamealreadyis

Contributor

W32/Fanbot-J is an email, network and P2P worm and IRC backdoor for the Windows platform.

W32/Fanbot-J runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Fanbot-J spreads:

  • via file sharing on P2P networks
  • to other network computers by exploiting common buffer overflow vulnerabilities, including PnP (MS05-039)
  • by copying itself to network shares

Emails sent by W32/Fanbot-J have the following characteristics:

Subject line chosen from:

DETECTED Online User Violation.
Email Account Suspension.
Important Notification!
Members Support.
Notice of account limitation.
Security measures.
Your Account is Suspended For Security Reasons.
Your Account is Suspended.
Hello. We're Skype and we've got something we would like to share with you.
Share Skype.
Skype for Windows 1.4 - Have you got the new Skype?
Warning Message: Your services near to be closed.
What is Skype?

Message text from:

Dear user ,
It has come to our attention that your User Profile ( x ) records are out of date. For further details see the attached document.
Thank you for using !
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.

Dear Member,
We have temporarily suspended your email account .
This might be due to either of the following reasons:

  1. A recent change in your personal information (i.e. change of address).
  2. Submiting invalid information during the initial sign up process.
  3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your account.
Sincerely,The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.

Dear Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
The Support Team
+++ Attachment: No Virus (Clean)
+++ Antivirus - www.

Dear user ,

Skype is a little piece of software that lets you talk over the Internet to anyone, anywhere for free.
And it just got even better download the latest version of Skype:
Our call quality is the best ever for talking, laughing and sharing stories.
You can forward calls on to mobiles, landlines and other Skype Names.
Make calls instantly from Outlook email or Internet Explorer with our new toolbars.
Personalise your Skype play around with sounds, ringtones and pictures to show the world who you are.
For further details see the attached document.
This message contains graphics. If you do not see the graphics, click here to view.
2002-2005 by Skype Technologies S.A.
Legal information

In the above message texts, the word would be replaced by text extracted from the harvested email addresses.

Attachments may have the following base filenames, usually with a zip extension:

account-details
account-info
account-report
document
email-details
important-details
readme
Share Skype
Skype-details
Skype-document
Skype-info
Skype-stuffs
Skype for Windows 1.4

W32/Fanbot-J spreads via peer-to-peer networks by copying itself into folders with names containing any of the following strings:

bak
bear
donkey
download
ftp
htdocs
http
icq
incoming
kazaa
lime
morpheus
mule
share
sharing
soft
upload
www

W32/Fanbot-J then copies itself to these folders with the following filenames:

X hardcore pics.jpg.exe
WinXP eBook newest.doc.exe
Windows XP crack.exe
Windows 2003 crack.exe
Windows 2000 Sourcecode.doc.exe
WinAmp 13 full.exe
Win Longhorn re.exe
Win Longhorn.doc.exe
Winxp_Crack.exe
Winamp5.exe
Visual Studio Net Crack all.exe
virii.scr
Ulead Keygen 2004.exe
UltraEdit-32 12.01 + Cracker.exe
The Sims 4 beta.exe
Teen Porn 15.jpg.pif
TouchNet Browser 1.29b.exe
Star Office 9.exe
Smashing the stack full.rtf.exe
Serials edition.txt.exe
Screensaver2.scr
Saddam Hussein.jpg.exe
Serials 2005_New.exe
Strip-Girl-2.0b.exe
Super Dollfie.pif
strippoker.exe
Serial.txt.exe
Ringtones.mp3.exe
Ringtones.doc.exe
RFC compilation.doc.exe
RealPlayer_New.exe
rfc compilation.doc.exe
Rain.scr
Porno Screensaver britney.scr
Partitionsmagic 10 beta.exe
programming basics.doc.exe
porno.scr
Opera 11.exe
Office_Crack.exe
Norton Antivirus 2005 beta.exe
netsky source code.scr
nuke2004.exe
MS Service Pack 6.exe
Microsoft WinXP Crack full.exe
Microsoft Office 2003 Crack best.exe
Matrix.mpg.exe
Magix Video Deluxe 5 beta.exe
max payne 2.crack.exe
Maxthon_New.exe
MSN7-final.exe
matrix.scr
Lightwave 9 Update.exe
Learn Programming 2004.doc.exe
Keygen 4 all new.exe
Kazaa new.exe
Kazaa Lite 4.0 new.exe
Kula.jpg.pif
Kula.scr
K.jpg.pif
Internet Explorer 9 setup.exe
icq2005-final.exe
How to hack new.doc.exe
Harry Potter.doc.exe
Harry Potter game.exe
Harry Potter e book.doc.exe
Harry Potter all e.book.doc.exe
Harry Potter 5.mpg.exe
Harry Potter 1-6 book.txt.exe
how to hack.doc.exe
Gimp 1.8 Full with Key.exe
Full album all.mp3.pif
firefox-1.6a1.en-US.win32.installer.exe
Eminem.mp3.exe
Eminem Spears porn.jpg.exe
Eminem Song text archive.doc.exe
Eminem Sexy archive.doc.exe
Eminem sex xxx.jpg.exe
Eminem Poster.jpg.exe
Eminem full album.mp3.exe
Eminem blowjob.jpg.exe
E-Book Archive2.rtf.exe
eminem - lick my pussy.mp3.pif
e-book.archive.doc.exe
e.book.doc.exe
Doom 3 release 2.exe
DivX 8.0 final.exe
Dictionary English 2004 - France.doc.exe
Dark Angels new.pif
dolly_buster.jpg.pif
dictionary.doc.exe
dcom_patches.exe
doom2.doc.pif
Cracks & Warez Archiv.exe
Cloning.doc.exe
Clone DVD 6.exe
cool screensaver.scr
Britney Spears.mp3.exe
Britney Spears.jpg.exe
Britney Spears Song text archive.doc.exe
Britney Spears Sexy archive.doc.exe
Britney Spears porn.jpg.exe
Britney Spears full album.mp3.exe
Britney Spears fuck.jpg.exe
Britney Spears cumshot.jpg.exe
Britney Spears blowjob.jpg.exe
Britney Spears and Eminem porn.jpg.exe
Britney sex xxx.jpg.exe
Best Matrix Screensaver new.scr
BlackIce_Firewall_Enterpriseactivation_Crack.exe
Butterfly.scr
Bifrost.scr
Arnold Schwarzenegger.jpg.exe
American Idol.doc.exe
Altkins Diet.doc.exe
Ahead Nero 8.exe
Adobe Premiere 10.exe
Adobe Photoshop 10 full.exe
Adobe Photoshop 10 crack.exe
ACDSee 10.exe
AcrobatReader_New.exe
activation_crack.exe
angels.pif
3D Studio Max 6 3dsmax.exe
1001 Sex and more.rtf.exe

W32/Fanbot-J also attempts to spread by exploiting the PNP (MS05-039) vulnerability.

W32/Fanbot-J includes functionality to:

  • steal confidential information
  • carry out DDoS flooder attacks
  • silently download, install and run new software
  • modify the HOSTS file
  • display fake messages
  • disable other applications
  • open and close the CD drive tray
  • remove shared access connections to other networks
  • inject code into the WINLOGON.EXE process

When first run W32/Fanbot-J displays a fake message box with the caption 'Error!' and the message text 'The file could not be opened!'

W32/Fanbot-J then moves itself to \remote.exe and adds a service named RpcRemotes to ensure that it is run when Windows starts.

Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\RpcRemotes

W32/Fanbot-J also creates the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
Ph4nt0m
Ph4nt0m

W32/Fanbot-J sets the following registry entries to disable the automatic startup of security software:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

W32/Fanbot-J modifies the HOSTS file, changing the URL-to-IP mappings for selected websites, therefore preventing normal access to these sites.


A patch for the operating system vulnerability exploited by W32/Fanbot-J is available from Microsoft:

MS05-039
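The artifacts listed in the description (the RpcRemotes service, the Ph4nt0m marker value, the Start=4 changes to SharedAccess and wuauserv, and the HOSTS sinkholing) can be checked on a host with the following script. This is an added example, not code from this PR or from the Sophos write-up; the directory of remote.exe is elided in the text, so the locations searched in step 5 are assumptions.

```powershell
# Added example (not part of this PR or the Sophos text): check a host for the
# W32/Fanbot-J artifacts described above. Run from an elevated PowerShell prompt.
$findings = @()

# 1. Persistence: the RpcRemotes service and its registry key.
$svc = Get-Service -Name 'RpcRemotes' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service RpcRemotes present (status: $($svc.Status))" }
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcRemotes'
if (Test-Path $svcKey) {
    $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
    $findings += "Registry key $svcKey exists (ImagePath: $img)"
}

# 2. Infection marker: a value named Ph4nt0m under ...\CurrentVersion\Setup.
$setupKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'
$setup = Get-ItemProperty -Path $setupKey -ErrorAction SilentlyContinue
if ($setup -and ($setup.PSObject.Properties.Name -contains 'Ph4nt0m')) {
    $findings += "Marker value Ph4nt0m found under $setupKey"
}

# 3. Defence evasion: SharedAccess (firewall/ICS) and wuauserv (Windows Update)
#    switched to Start=4, i.e. disabled.
foreach ($name in 'SharedAccess', 'wuauserv') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings += "Service $name is disabled (Start=4)" }
}

# 4. HOSTS sinkholing: the worm maps security-vendor names to 0.0.0.0. Flag any
#    name mapped to 0.0.0.0 or 127.0.0.1 other than localhost; review the hits.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($raw in (Get-Content -Path $hostsFile -ErrorAction SilentlyContinue)) {
    $line = ($raw -split '#')[0].Trim()   # drop trailing comments
    if ($line -match '^(0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)' -and $Matches[2] -ne 'localhost') {
        $findings += "HOSTS maps $($Matches[2]) to $($Matches[1])"
    }
}

# 5. Dropped copy: the text names remote.exe but elides its directory, so look in
#    the Windows directories (assumed locations, not stated by the description).
foreach ($dir in @($env:SystemRoot, "$env:SystemRoot\System32")) {
    $p = Join-Path $dir 'remote.exe'
    if (Test-Path $p) { $findings += "File $p present; check its hash and signature" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No W32/Fanbot-J artifacts found' }
```

A Start value of 4 on SharedAccess or wuauserv is also set legitimately on some hardened builds, so treat step 3 as corroborating evidence rather than proof on its own.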

@usernamealreadyis usernamealreadyis added this to the OpenSSL CHANGES log milestone Jul 10, 2017
@usernamealreadyis usernamealreadyis merged commit a45c97f into 5932700/please-turn-on-two-factor-authentication Jul 10, 2017
@GistIcon GistIcon locked and limited conversation to collaborators Jul 10, 2017

2 participants