F-Secure Virus Descriptions : Fakerr
The Fakerr worm appeared in the middle of July 2003. The worm
spreads itself in e-mails. It was also created to spread through
Kazaa file sharing networks, but this routine has a bug. The worm
has a dangerous payload: it can delete files on a hard drive and
modify certain Registry values, making the Windows operating
system unusable.
When run, the worm shows a fake error message that looks like a
real error message displayed by Windows XP. After the user clicks
a button on the fake error message, the worm opens the CD-ROM
tray and then opens several Windows configuration windows that
can usually be opened from Control Panel: display, add/remove
programs, time/date properties and a few others. Finally, it
displays the following message:
kIlLeRgUaTe
Your computer now is mine, Why? Because I didn't had nothing to
do and I thought, why not make the evil? Remember NOW YOUR PC IS
IN MY POWER Windows Sucks! I can't stand it anymore! Windows has
always sucked. Wake up people! It's a scam! You don't need a
faster computer. You need a better operating system. Microsoft
continuingly makes money by selling you the latest and greatest
Windows. The latest Windows version is always the most
inefficient yet, slowing down your fast computer. Also, now you
have to upgrade all your other software too because different
Windows versions are not compatible with each other! A hidden
cost not mentioned at all. It's part of the scam. Capitalism
Sucks!, Communism Sucks. KILLERGUATE.
The worm then copies itself, with the hidden attribute set, to
the root folder of the C: drive as RUNDLL32.EXE and modifies the
startup keys for the following file extensions:
exe
com
bat
pif
hta
ht
The worm also creates or modifies several Registry entries that
prevent logging off, closing Explorer, opening Task Manager,
locking the workstation and changing a password.
The worm sends itself by e-mail to all addresses found in the
Outlook Address Book. An infected message looks like this:
Subject:
Symantec: New serious virus found
Body:
Norton Security Response: has detected a new virus in the
Internet. For this reason we made this tool attachement, to
protect your computer from this serious virus. Due to the number
of submissions received from customers, Symantec Security
Response has upgraded this threat to a Category 5 (Maximum ).
Attachment:
Norton_Symantec_Tool.exe
The worm tries to copy itself as 'Norton 2003 Pro.exe' to the
shared folder of the Kazaa P2P (peer-to-peer) client, but there
is an error in that routine, so the copy is never made.
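An added example (not F-Secure's code and not part of the original
description): a Python triage helper that checks a raw message for
the subject and attachment name listed above and flags a
RUNDLL32.EXE sitting directly in a drive root. It checks every drive
root rather than only C:, and the function names and sample data are
constructed for illustration.

```python
import ntpath
from email import message_from_string
from email.message import EmailMessage

# Indicators copied from the description above.
SUBJECT = "Symantec: New serious virus found"
ATTACHMENT = "Norton_Symantec_Tool.exe"
DROPPED_NAME = "rundll32.exe"  # name of the worm's copy in the root of C:


def message_indicators(raw_message):
    """Return which Fakerr e-mail indicators one raw message carries."""
    msg = message_from_string(raw_message)
    hits = []
    # Collapse folded header whitespace before comparing.
    subject = " ".join(str(msg.get("Subject") or "").split())
    if subject.lower() == SUBJECT.lower():
        hits.append("subject")
    for part in msg.walk():
        if (part.get_filename() or "").lower() == ATTACHMENT.lower():
            hits.append("attachment")
            break
    return hits


def masquerading_copies(paths):
    """Return paths named RUNDLL32.EXE that sit directly in a drive root."""
    found = []
    for path in paths:
        drive, rest = ntpath.splitdrive(path)
        folder, name = ntpath.split(rest)
        if drive and folder in ("\\", "/") and name.lower() == DROPPED_NAME:
            found.append(path)
    return found


def constructed_sample():
    """Build a constructed test message; the attachment is placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = SUBJECT
    msg.set_content("constructed body text")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=ATTACHMENT)
    return msg.as_string()


if __name__ == "__main__":
    print(message_indicators(constructed_sample()))
    listing = ["C:\\RUNDLL32.EXE", "C:\\WINDOWS\\system32\\rundll32.exe"]
    print(masquerading_copies(listing))
```

The legitimate rundll32.exe lives in the Windows system32 folder, so
a file of that name in a drive root is worth investigating on its own.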
The worm has a dangerous payload. It can delete the following
files from an infected hard drive:
C:\WINNT\system32\ntoskrnl.exe
C:\WINNT\system32\command.com
C:\WINNT\regedit.exe
C:\windows\system32\ntoskrnl.exe
C:\windows\system32\command.com
C:\windows\regedit.exe
C:\AUTOEXEC.bat
C:\config.sys
C:\WINNT\system32\*.exe
C:\WINNT\system32\*.com
C:\WINNT\system32\*.dll
C:\WINNT\system32\*.ocx
C:\windows\system32\*.dll
C:\windows\system32\*.ocx
C:\windows\system32\*.exe
C:\windows\system32\*.com
The worm can also delete all files from the following folders:
C:\WINNT\system
C:\windows\system
C:\WINNT\system32
C:\windows\system32
D:\
Detection of the Fakerr worm is available in the following FSAV
updates:
Version=2003-07-16_03
[Description: F-Secure Anti-Virus Research Team; July 16th, 2003]