Threat Description

Supova

Details

Aliases: Supova, Worm.P2P.Surnova.e
Category: Malware
Type: Worm
Platform: W32

Summary


This worm tries to propagate through MSN and Kazaa. It also launches a DDoS attack against pre-configured sites. The worm was programmed in Visual Basic.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


It writes the following text to a file with a random name and a '.txt' extension:

    W32.Supernova - Ban religion
    ---------------------------------------------------
    Religion = War
    Religion = Based on fairytales
    Wars based on fairytales?
    Ban religion, welcome to the truth
    ---------------------------------------------------

The worm deletes files from the user's computer, displaying the following messages:

    0wned by the blasting star
    Religion=war
    Patch the leaks... Or the ship will sink....

It copies itself to the Windows directory under the following names:

    Alles-ist-vorbei.exe
    Desktop-shooting.exe
    Hello-Kitty.exe
    BigMac.exe
    Cheese-Burger.exe
    Blaargh.exe

It then adds a "Supernova" entry under the Registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  

to point to any of the files.
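A defender-side check for the persistence described above, as an added example that is not part of the original description: it parses the text output of `reg query` for the Run key and flags a value named "Supernova" or any value whose target has one of the six dropped file names. The sample output and the function names are constructed for illustration.

```python
import ntpath
import re

# Indicators taken from the description above.
RUN_VALUE = "supernova"
DROPPED_NAMES = {n.lower() for n in (
    "Alles-ist-vorbei.exe", "Desktop-shooting.exe", "Hello-Kitty.exe",
    "BigMac.exe", "Cheese-Burger.exe", "Blaargh.exe")}

# One value line of `reg query` text output: name, type and data, 4-space separated.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")

def target_basename(data):
    """File name of the executable in Run data; handles quotes and trailing arguments."""
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
        path = m.group(1) if m else data
    return ntpath.basename(path).lower()

def find_supova_persistence(reg_output):
    """Return (value name, data, reason) for Run entries matching the indicators."""
    hits = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        name, data = m.group(1), m.group(3).strip()
        reasons = []
        if name.lower() == RUN_VALUE:  # registry value names are case-insensitive
            reasons.append("value name")
        if target_basename(data) in DROPPED_NAMES:
            reasons.append("dropped file name")
        if reasons:
            hits.append((name, data, " + ".join(reasons)))
    return hits

# Constructed sample of `reg query` output for the Run key (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe" /min
    Supernova    REG_SZ    C:\WINDOWS\Hello-Kitty.exe
    Updater    REG_SZ    C:\WINDOWS\BigMac.exe -s
"""

if __name__ == "__main__":
    for hit in find_supova_persistence(SAMPLE):
        print(hit)
```

Matching on the dropped file name as well as the value name catches an entry that was renamed but still points at one of the worm's copies.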

It runs the following commands in an attempt to direct a DDoS attack against the named hosts:

    ping www.islamicity.com -t
    ping www.christianity.com -t
    ping www.beliefnet.com -t

These commands won't generate enough traffic to be a DDoS attack unless a high number of hosts (in the range of thousands) become infected by this worm.

When trying to spread through MSN, it will present users with the following messages:

    Hehe, check this out :-)
    Funny, check it out (h)
    LOL!! See this :D
    LOL!! Check this out :)
    Hehe, this is fun :-)

It will copy itself into the Kazaa shared folder using the following names:

    Windows XP key generator.exe
    Windows XP serial generator.exe
    Key generator for all windows XP versions.exe
    Warcraft 3 ONLINE key generator.exe
    Half-life ONLINE key generator.exe
    Quake 4 BETA.exe
    Grand theft auto 3 CD1 crack.exe
    GTA3 crack.exe
    Battle.net key generator (WORKS!!).exe
    Warcraft 3 battle.net serial generator.exe
    Half-life WON key generator.exe
    Star wars episode 2 downloader.exe
    Winzip 8.0 + serial.exe
    Winrar + crack.exe
    Britney spears nude.exe
    Macromedia MX key generator (all products).exe
    KaZaA media desktop v2.0 UNOFFICIAL.exe
    Microsoft key generator, works for ALL microsoft products!!.exe
    Microsoft Windows XP crack pack.exe
    Hack into any computer!!.exe
    DivX codec v6.0.exe
    DivX newest version.exe
    DivX.exe
    DivX pro key generator.exe
    Key generator for over 1,000 applications (really!).exe
    DivX patch - Increases quality.exe
    KaZaA spyware remover.exe
    Age of empires 2 crack.exe
    Norton antivirus 2002.exe
    Macromedia Dreamweaver MX Key Generator.exe
    Macromedia Flash MX Key Generator.exe
    Neverwinter nights crack.exe
    Microsoft Office XP (english) key generator.exe
    Microsoft Office XP.iso.exe
    CloneCD + crack.exe
    CloneCD all-versions key generator.exe
    XBOX emulator (WORKS!!).exe
    Gamecube Emulator (WORKS!!).exe
    Xbox.info.exe
    Grand Prix 4 crack.exe
    Nokia simlock remover (includes new models).exe
    Britney spears hard porn (REAL!).exe
    Christina Aguilera fuck (REAL!).exe
    Kiddy child incest porn.exe
    Doom 3 preview!!.exe
    Crazy taxi crack.exe
    Copy protection remover.exe
    Sex.exe
    AAAAAAAAAA.exe
    Jedi Knight 2 crack.exe
    Warcraft 3 trainer.exe
    Cable modem uncapper.exe
    Grand theft auto 3 trainer.exe
    GTA3 trainer.exe




Technical Details: Ero Carrera; F-Secure Corp; February 21st, 2003

