Threat Description

Recory.B

Details

Aliases: Recory.B, Recory
Category: Malware
Type: Worm
Platform: W32

Summary



This worm exploits a well-known hoax about the jdbgmgr.exe file in order to spread. That file is normally a legitimate Windows component, but the worm overwrites it, so the usual warnings that the file is harmless no longer hold. The icon of the Recory worm looks like this:

Information about the hoax can be found at:

http://www.f-secure.com/hoaxes/jdbgmgr.shtml

The worm is written in Visual Basic, spreads through IRC by modifying mIRC scripts, and tries to copy itself to the shared folders of several P2P and messaging programs.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



The worm is UPX packed.

The names of the files copied to the shared folders of P2P programs are:

  • The Lord of the Rings - The Two Towers (Fast-Downloader).pif
  • 007 - Die Another Day (Rocket Downloader).pif
  • Harry Potter and the Chamber of Secrets (Fast-Downloader).pif
  • Britney Spears Wallpaper.pif
  • Harry Potter and the Philosophers Stone (Movie-Downloader).pif

Among the affected programs are:

  • Kazaa
  • Kazaa Lite
  • ICQ
  • Bearshare
  • Edonkey2000
  • Morpheus
  • Grokster

The worm sends e-mails with the following text:

------------------------------------------------------------------
Hello readers,
 I have just cleaned my computer from a highly damaging computer virus
 Which is spreading rapidly through computer networks worldwide.
 There is one way to check to see if your computer is infected with this virus.
 Click the "Start" menu at the bottom left of your screen.
 Click the "Find" or "Search" button.
 Click the "Files or folders..." option.
 Then once the search application starts, type "Jdbgmgr.exe"
 If you have found this file, right-click on it and click the "Properties" tab.
 If the Properties menu has a picture of a bear on it,
 your computer is infected with this virus. (Note that the non-infected file
 picture has a hammer and a screwdriver shown in it)
 You may delete this file, but this is not the only file that the virus infects,
 To remove this virus, I have included a virus removal tool in the attachments
 that will scan all system files and remove any infectious code from them.
 This virus removal tool is very easy to use. If you have any trouble with this
 tool, read the help menu that the removal tool supplies.
 If your computer is infected with this virus, It is strongly recommended that you
 send this removal tool to as many people as you can to help remove the traces of
 this virus worldwide.

------------------------------------------------------------------

Of course, contrary to what the message says, the bear icon belongs to the legitimate jdbgmgr.exe file; the copy with the hammer and screwdriver icon is the worm.

It copies itself to the following locations:

In the Windows Startup folder:

  • "LoadWin.pif"

In the "Windows\System32" folder:

  • "MswinRegFiles32.com"
  • "CheckThis.pif"
  • "Jdbgmgr.exe"
  • "Msjpeg32.pif"
  • "Runsys32.bat"
  • "Regfiles.bat"
  • "Winbatch.bat"
  • "Msjava.pif"
  • "Filecmd32.com"
  • "Mswin32.pif"
  • "Winocx32.pif"

In the "Windows\Java" folder:

  • "WinJava32.pif"
  • "Javatemp.bat"
  • "JavaStart.com"

In the Windows folder:

  • "Jdbgmgr.exe"
  • "TempFiles.pif"
  • "WinStartup.pif"
  • "Msupdater32.pif"
  • "WinStart32.pif"
  • "Winupd32.com"
  • "Regedit32.com"
  • "Winhlp32.com"
  • "Charmap.pif"

In "Documents And Settings/[User]/Local Configuration/Temp":

  • "Jdbgmgr.exe"

On shared drives as:

  • "\Removal.exe"

It also saves itself under the same names it generates for the e-mail attachments.

Possible subjects for the message are listed below; the subject may be preceded by "Fw:" or "Fwd:".

  • Computer virus outbreak
  • Computer virus removal
  • About a severe computer virus
  • Severe computer virus alert
  • Virus removal tool
  • Severe alert
  • Attention employees
  • Alert
  • Readme
  • Important
  • Important Information
  • Update your virus scanners
  • Warning
  • Microsoft support
  • Knowledge Database alert
  • Virus warning
  • Virus alert
  • Help with removal
  • Removal tool
  • Urgent news

Possible names for the attachment are:

  • RemovalTool
  • FixTool
  • KillVir
  • KillVirus
  • RepairVirus
  • RepairVir
  • Cleaner
  • VirusFix
  • CleanVirus
  • CleanVir
  • VirFix
  • FixVir
  • FixVirus
  • VirusRemoval
  • RemoveVirus
  • WinProtect
  • VirusClean
  • VirusCleaner
  • ScanVir
  • ScanVirus
  • Repair
  • RepairWizard
  • RepairScan
  • Scanner
  • FileScanner
  • ScanFiles
  • FixFiles
  • FileFix
  • RepairTool
  • VirusRepair
  • VirRepair
  • RepairFiles
  • FileRepair
  • AntiVirus
  • AntiVir
  • RemoveVir
  • CleanFiles
  • FileClean
  • FileCleaner
  • FileRepairer
  • CleanTool
  • CleanerTool
  • FixComputer
  • RepairComputer
  • CleanComputer
  • FixComp
  • RepairComp
  • CleanComp
  • FixPC
  • RepairPC
  • CleanPC
  • FixSystem
  • RepairSystem
  • CleanSystem
  • FixSys
  • RepairSys
  • CleanSys
  • SystemFix
  • SystemClean
  • SystemRepair
  • SysFix
  • SysClean
  • SysRepair
  • Recovery

With any extension from the following list (.exe, .pif, .com, ).
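The subject list, the "Fw:"/"Fwd:" prefix, the attachment base names, the extension list and the hoax wording in the body together give a mail gateway enough to recognise this lure. The block below is an added example written for this page (it is not F-Secure's detection logic and not part of the original description): it strips forward prefixes, matches the subject and attachment name case-insensitively against the lists above, and looks for the "Jdbgmgr.exe" reference in the body. Only the three readable extensions from the page are used; the `classify` verdict names ("quarantine", "flag", "pass") are this example's own convention.

```python
import os
import re

# Subject lines from the description, compared case-insensitively.
SUBJECTS = {s.lower() for s in [
    "Computer virus outbreak", "Computer virus removal", "About a severe computer virus",
    "Severe computer virus alert", "Virus removal tool", "Severe alert", "Attention employees",
    "Alert", "Readme", "Important", "Important Information", "Update your virus scanners",
    "Warning", "Microsoft support", "Knowledge Database alert", "Virus warning",
    "Virus alert", "Help with removal", "Removal tool", "Urgent news",
]}

# Attachment base names from the description (no extension).
ATTACHMENT_NAMES = {n.lower() for n in """
RemovalTool FixTool KillVir KillVirus RepairVirus RepairVir Cleaner VirusFix CleanVirus CleanVir
VirFix FixVir FixVirus VirusRemoval RemoveVirus WinProtect VirusClean VirusCleaner ScanVir
ScanVirus Repair RepairWizard RepairScan Scanner FileScanner ScanFiles FixFiles FileFix RepairTool
VirusRepair VirRepair RepairFiles FileRepair AntiVirus AntiVir RemoveVir CleanFiles FileClean
FileCleaner FileRepairer CleanTool CleanerTool FixComputer RepairComputer CleanComputer FixComp
RepairComp CleanComp FixPC RepairPC CleanPC FixSystem RepairSystem CleanSystem FixSys RepairSys
CleanSys SystemFix SystemClean SystemRepair SysFix SysClean SysRepair Recovery
""".split()}

# Extensions readable on the page; its list has one further, unreadable entry.
EXTENSIONS = {".exe", ".pif", ".com"}

# One or more "Fw:" / "Fwd:" prefixes, in any case, with surrounding whitespace.
FW_PREFIX = re.compile(r"^\s*(?:fwd?:\s*)+", re.IGNORECASE)


def normalize_subject(subject: str) -> str:
    return FW_PREFIX.sub("", subject).strip().lower()


def subject_matches(subject: str) -> bool:
    return normalize_subject(subject) in SUBJECTS


def attachment_matches(filename: str) -> bool:
    base, ext = os.path.splitext(os.path.basename(filename))
    return base.lower() in ATTACHMENT_NAMES and ext.lower() in EXTENSIONS


def body_mentions_hoax(body: str) -> bool:
    """The lure tells the reader to search for Jdbgmgr.exe; a body that names
    that file alongside a removal-tool attachment is the hoax being replayed."""
    return "jdbgmgr" in body.lower()


def classify(subject: str, attachments, body: str = ""):
    """Return (verdict, reasons). An executable attachment with a listed name
    is strong on its own; subject or body alone only raises a flag, because
    subjects such as "Alert" or "Important" are far too common to act on."""
    reasons = []
    if subject_matches(subject):
        reasons.append("subject")
    if any(attachment_matches(a) for a in attachments):
        reasons.append("attachment")
    if body_mentions_hoax(body):
        reasons.append("body")
    if "attachment" in reasons:
        return "quarantine", reasons
    if reasons:
        return "flag", reasons
    return "pass", reasons


if __name__ == "__main__":
    # Constructed sample message, modelled on the text quoted above.
    print(classify("Fw: Fwd: Virus removal tool", ["KillVirus.pif"],
                   "type Jdbgmgr.exe ... I have included a virus removal tool"))
```

In practice the attachment rule generalises: any message carrying a .pif or .com attachment deserves quarantine regardless of its name, and the listed names then serve to attribute the sample to this family rather than to decide the verdict.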

The following key is created in the Windows registry:

[HKEY_CURRENT_USER\Software\Zed/[rRlf]\Recovery\1.1\]




Technical Details: Ero Carrera; F-Secure Corp.; January 7th, 2003

