W32.Miprinc@mm

RISK LEVEL: 2



W32.Miprinc@mm is a mass-mailing worm that spreads by copying itself to local drives, network mapped drives and removable storage devices.

Protection

  • Virus Definitions (LiveUpdate™ Daily) January 26, 2007
  • Virus Definitions (LiveUpdate™ Weekly) January 31, 2007
  • Virus Definitions (Intelligent Updater) January 26, 2007
  • Virus Definitions (LiveUpdate™ Plus) January 26, 2007

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Medium
  • Payload: Spreads by copying itself to local drives, network mapped drives and removable storage devices
  • Modifies Files: Infects .exe files it finds on all drives.
  • Compromises Security Settings: Ends security-related processes.

Distribution

  • Distribution Level: High
  • Subject of Email: Varies
  • Name of Attachment: Varies
  • Size of Attachment: Varies
  • Shared Drives: Copies itself to mapped drives.

When the worm executes, it drops the following files in the root directory of all drives:

  • Autorun.inf
  • Desktop.ini
  • Mr_CoolFace.scr - a copy of the worm

The worm then creates the Mr_CF folder in the following locations:
  • Root directory of all drives
  • %UserProfile%\Application Data
  • %UserProfile%\Local Settings\Application Data

The folder Mr_CF contains the following files:
  • Folder.htt
  • Mr_CF.exe - a copy of the worm

The worm also copies itself to the following locations:
  • %SystemRoot%\EXPLORER.EXE
  • %System%\Mr_CoolFace.scr
  • %System%\[RANDOM].exe
  • %System%\msvbvm60.dll
  • %Windir%\Negeri Serumpun Sebalai.pif.bat.com.scr.exe
  • %UserProfile%\Start Menu\Programs\Startup\winlogon.exe
  • %UserProfile%\Application Data\Mutant.exe
  • %UserProfile%\Application Data\SMA Negeri 1 Pangkalpinang.exe
  • %UserProfile%\Application Data\Sahang.exe
  • %UserProfile%\Application Data\Timah.exe
  • %UserProfile%\Application Data\explorer.exe
  • %UserProfile%\Desktop\Message For My Princess.scr
  • %UserProfile%\Local Settings\Application Data\Polymorph1.exe
  • %UserProfile%\Local Settings\Application Data\Polymorph2.exe
  • %UserProfile%\Local Settings\DNALSI_AKGNAB.exe
  • %UserProfile%\Local Settings\DNALSI_AKGNAB.exe.mutant
  • %UserProfile%\Local Settings\Mr_CF_Mutation.Excalibur
  • %UserProfile%\Local Settings\[RANDOM].exe

Next, the worm creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "[RANDOM CHARACTERS].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "[RANDOM CHARACTERS].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "explorer.exe "%SystemRoot%\explorer.exe""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %SystemRoot%\explorer.exe"

The worm also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sol.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmine.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshearts.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freecell.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spider.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV32.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winamp.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\URemovalCRC32.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcod.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcsched.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\"Debugger" = "[FILENAME]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\"Debugger" = "[FILENAME]"

where [FILENAME] is one of the following:

  • "%CommonProgramFiles%\kartu.exe"
  • "%CommonProgramFiles%\reged1t.exe"
  • "%CommonProgramFiles%\tskmgr.exe"
  • "%CommonProgramFiles%\kalkulator.exe"
  • "%CommonProgramFiles%\w1nm1ne.exe"
  • "%CommonProgramFiles%\N0TEPAD.exe"
  • "%CommonProgramFiles%\msheart.exe"
  • "%CommonProgramFiles%\freecel.exe"
  • "%CommonProgramFiles%\msconfag.exe"
  • "%CommonProgramFiles%\Laba_Laba.exe"
  • "%CommonProgramFiles%\_cmd.exe"

The worm then modifies the following registry entries to disable System Restore:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableConfig" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableSR" = "1"

The worm also modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
HKEY_CLASSES_ROOT\exefile\"(Default)" = "JPEG Image"
HKEY_CLASSES_ROOT\scrfile\"(Default)" = "JPEG Image"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\"FullPath" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\"UncheckedValue" = "0"
HKEY_CLASSES_ROOT\txtfile\"(Default)" = "Princess Document"
HKEY_CURRENT_USER\Control Panel\Desktop\"SCRNSAVE.EXE" = "MR_COO~1.SCR"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\"AlternateShell" = "c:\explorer.exe"
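Because the worm redirects regedit.exe, taskmgr.exe and cmd.exe through the IFEO Debugger value, it is worth checking the keys above from a tool it does not intercept. The following PowerShell script is an added example written for this page; it is not Symantec's removal tool and is not code from the writeup. It reads each location listed above and reports anything that departs from a stock configuration. The stock values it compares against (Shell 'explorer.exe', Userinit '<system32>\userinit.exe,' with its trailing comma, SafeBoot AlternateShell 'cmd.exe', and the 'Application', 'Screen saver' and 'Text Document' type descriptions) and the Run-key heuristic are assumptions, marked as such in the comments.

```powershell
# Added example for this page (not Symantec's code): read-only audit of the
# registry locations W32.Miprinc@mm modifies. Run from an elevated PowerShell
# 2.0+ prompt started directly (cmd.exe is IFEO-hijacked on an infected host).
# Assumed stock values: Shell='explorer.exe', Userinit='<system32>\userinit.exe,',
# SafeBoot AlternateShell='cmd.exe', and the three file-type descriptions below.

$findings = New-Object System.Collections.Generic.List[string]

# 1. IFEO: any Debugger value redirects that image name to another binary. A stock
#    host has none, so every hit is worth a look, not only the names in the writeup.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings.Add(('IFEO hijack: {0} -> {1}' -f $_.PSChildName, $dbg)) }
}

# 2. Winlogon Shell / Userinit. The worm appends its explorer.exe copy to both.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'explorer.exe') { $findings.Add("Winlogon Shell = '$($wl.Shell)'") }
$userinitStock = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
if ($wl.Userinit -ne $userinitStock) { $findings.Add("Winlogon Userinit = '$($wl.Userinit)'") }

# 3. Run keys. Heuristic (assumption): flag a bare "<name>.exe" with no directory,
#    which resolves through PATH to the %System%\[RANDOM].exe copy, and anything
#    launched from the profile's Application Data folders.
$profileDirs = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }   # LOCALAPPDATA is unset on XP
foreach ($runKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # provider metadata, not a value
        $cmd = ([string]$prop.Value).Trim('"')
        $bare = $cmd -notmatch '[\\/]'
        $inProfile = [bool]($profileDirs | Where-Object { $cmd -like "$_*" })
        if ($bare -or $inProfile) { $findings.Add("Run value $runKey\$($prop.Name) = $cmd") }
    }
}

# 4. System Restore policy (absent on a clean host), SafeBoot shell, and the
#    file-type descriptions the worm rewrites so .exe/.scr display as "JPEG Image".
$sr = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' -ErrorAction SilentlyContinue
if ($sr -and ($sr.DisableSR -eq 1 -or $sr.DisableConfig -eq 1)) { $findings.Add('System Restore disabled by policy') }

$alt = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot').AlternateShell
if ($alt -ne 'cmd.exe') { $findings.Add("SafeBoot AlternateShell = '$alt'") }

$stockTypes = @{ exefile = 'Application'; scrfile = 'Screen saver'; txtfile = 'Text Document' }
foreach ($cls in $stockTypes.Keys) {
    $desc = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$cls" -ErrorAction SilentlyContinue).'(default)'
    if ($desc -ne $stockTypes[$cls]) { $findings.Add("$cls description = '$desc'") }
}

if ($findings.Count -eq 0) { 'No W32.Miprinc@mm registry indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Start powershell.exe directly from Start > Run rather than from a cmd.exe prompt, since cmd.exe is redirected on an infected host, and run it elevated; PowerShell 2.0 or later is required, which older Windows XP builds do not ship by default. Every IFEO Debugger value is reported, not only those for the image names in the writeup, because a stock install has none.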

The worm infects .exe files on local drives and network drives.

Next, the worm searches for files with the following extensions:

  • .SWF
  • .swf
  • .GIF
  • .gif
  • .BMP
  • .bmp
  • .BAT
  • .bat
  • .INF
  • .inf
  • .htm
  • .Avi
  • .AVI
  • .avi
  • .3Gp
  • .3GP
  • .3gp
  • .Mpg
  • .MPG
  • .mpg
  • .MIDI
  • .Midi
  • .midi
  • .Wmv
  • .WMV
  • .wmv
  • .Wma
  • .WMA
  • .wma
  • .Mp4
  • .MP4
  • .mp4
  • .Mp3
  • .MP3
  • .mp3
  • .Mid
  • .MID
  • .mid
  • .Mov
  • .MOV
  • .mov
  • .Jpeg
  • .JPEG
  • .jpeg
  • .Jpg
  • .JPG
  • .jpg

The worm changes the attributes of the above files to hidden and system. It then drops a copy of itself as [FILE NAME].scr.
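The on-disk artifacts described above (autorun.inf at every drive root, the Mr_CF folders, the named copies of the worm, and the hidden media files with a .scr companion) can be swept for with the following PowerShell script, an added example written for this page rather than code from the writeup. The companion check is my reading of "[FILE NAME].scr" and therefore tests both name.scr and name.ext.scr; the file names come from the sections above. It only reports and deletes nothing.

```powershell
# Added example for this page (not Symantec's code): read-only sweep of every
# file-system drive for the artifacts described in the writeup. Assumptions: the
# companion heuristic (a hidden+system media file with a same-named .scr beside
# it) is my reading of "[FILE NAME].scr", and anything it flags still needs an
# AV or hash verdict; a full recursive walk of a large volume is slow.

$mediaExt = '.swf','.gif','.bmp','.bat','.inf','.htm','.avi','.3gp','.mpg','.midi',
            '.wmv','.wma','.mp4','.mp3','.mid','.mov','.jpeg','.jpg'
$wormNames = 'Mr_CoolFace.scr','Mr_CF.exe','Folder.htt','Mutant.exe','Sahang.exe','Timah.exe',
             'Polymorph1.exe','Polymorph2.exe','DNALSI_AKGNAB.exe','DNALSI_AKGNAB.exe.mutant',
             'Mr_CF_Mutation.Excalibur','Message For My Princess.scr',
             'SMA Negeri 1 Pangkalpinang.exe','Negeri Serumpun Sebalai.pif.bat.com.scr.exe'

function Get-AutorunTarget {
    # Returns what an autorun.inf would launch (open= or shellexecute=), or $null.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*(open|shellexecute)\s*=\s*(.+?)\s*$') { return $Matches[2] }
    }
    return $null
}

function Test-HiddenSystem {
    # True only when both the Hidden and System attributes are set, as the writeup describes.
    param([IO.FileAttributes]$Attr)
    $mask = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System
    return (([int]$Attr -band $mask) -eq $mask)
}

$hits = New-Object System.Collections.Generic.List[string]
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    if (-not (Test-Path -LiteralPath $root)) { continue }     # disconnected mapped drive

    $target = Get-AutorunTarget (Join-Path $root 'autorun.inf')
    if ($target) { $hits.Add("$root autorun.inf launches: $target") }
    if (Test-Path -LiteralPath (Join-Path $root 'Mr_CF')) { $hits.Add("$root has Mr_CF folder") }

    # -Force is required because the worm marks its files hidden and system.
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            if ($wormNames -contains $_.Name) { $hits.Add("worm file name: $($_.FullName)") }
            if ($mediaExt -contains $_.Extension.ToLower() -and (Test-HiddenSystem $_.Attributes)) {
                # [FILE NAME].scr may replace or follow the original extension; check both.
                $stem = Join-Path $_.DirectoryName ([IO.Path]::GetFileNameWithoutExtension($_.Name))
                foreach ($cand in "$stem.scr", "$($_.FullName).scr") {
                    if (Test-Path -LiteralPath $cand) { $hits.Add("hidden media with companion: $cand") }
                }
            }
        }
}
if ($hits.Count -eq 0) { 'No W32.Miprinc@mm file artifacts found.' }
else { $hits | ForEach-Object { "[!] $_" } }
```

-LiteralPath is used throughout so that file names containing brackets are not treated as wildcards. On a mapped network drive a full recursive walk can take a long time; restricting it to the drive root and the profile paths listed above is usually enough for a first pass.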

The worm disables keyboard and mouse input when it discovers an active window containing any of the following titles:
  • RUN
  • NOTEPAD
  • UNTITLED

The worm then changes the window title to the following:
  • Message For My Princess
  • Mr_CoolFace Has Come !

The worm spreads by copying itself to local drives, network mapped drives and removable storage devices.

The worm may send a copy of itself to other computers as an email attachment.
The email has the following characteristics:

Subject:
One of the following:

  • Re:
  • I don't wish to lost you again!
  • Please Come Back!
  • Rindu Yang Tak Tertahankan
  • Remember Our Past?
  • Don't Forget Me,please!
  • Shall I Be The One For You ?
  • I Miss You So Much !
  • Please Remember Me.
  • Still Remember???
  • I miss U
  • Ketika Kangen bertemu Rindu
  • Lama Tak Jumpa
  • Ketika Rindu bertemu Kangen

Message Body:
One of the following:

  • I wanna be you friend. So I give you a little present ^_^
  • Ehm,....would you like to be my friend ?
  • Please check, tell me if you like it ^_^.
  • Will I meet You my old friend...
  • I miss You, I give you a file that will remind you...
  • Dear My Sweetie..
  • Here is the file, Thank you for your friendship.
  • Please, don't forget me...Ok! Take a look at the attacment, you will remember me.
  • I am missing you, please come back...
  • I give you the proof that I miss you so much!
  • Shall I be the one for you?
  • Still remember me ???
  • Do you remember me?
  • Dear My Friend..
  • Here is the file, Thank you for your cooperative.
  • Take this, please tell me if there's an error.
  • Please check, told me if there's a mistake.
  • Sorry, I forget to send you the document.
  • I'm oversleep.
  • Finally, I found the data !, what do you think ??
  • Here, the file that you want

Attachment:
One of the following:

  • Rindu dan Kangen bersatu.txt[SEVERAL SPACE CHARACTERS]pif
  • Kangen dan Rindu bersatu.tmp[SEVERAL SPACE CHARACTERS]pif
  • SweetMemory.doc[SEVERAL SPACE CHARACTERS].pif
  • Friend Reminder.doc[SEVERAL SPACE CHARACTERS].exe
  • www.lovestory.com
  • MyMind.doc[SEVERAL SPACE CHARACTERS].pif
  • CuteGame3.0 Installer.com
  • LoveGame.bmp[SEVERAL SPACE CHARACTERS].exe
  • My_Beloved.doc[SEVERAL SPACE CHARACTERS].exe
  • Love_U_So_Much.txt[SEVERAL SPACE CHARACTERS].pif
  • Our_Memory.ppt[SEVERAL SPACE CHARACTERS].pif
  • I_Miss_U.doc[SEVERAL SPACE CHARACTERS].pif
  • Rindu.doc[SEVERAL SPACE CHARACTERS].exe
  • Kenangan Cinta.doc[SEVERAL SPACE CHARACTERS].pif
  • www.Hacking_Tool.bat
  • Namo7.0_Installer.com
  • NetMeeting.com
  • MindMap.exe
  • Mahasiswi Cantik.scr
  • Crack.exe
  • Tutorial.ppt[SEVERAL SPACE CHARACTERS].pif
  • Data.doc[SEVERAL SPACE CHARACTERS].pif
  • Keygen.exe
  • Beauty ScreenSaver.scr
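The attachment names above rely on two tricks: a run of spaces that pushes the real extension past what the mail client displays, and the HideFileExt and file-type changes that make a saved .scr or .exe show as "JPEG Image". The following PowerShell function is an added example written for this page, not part of the writeup; it classifies a name by its true final extension regardless of padding. The executable-extension list is an assumption taken from the recommendation later on this page (.vbs, .bat, .exe, .pif, .scr) plus .com, which several of the names above use; the sample names are constructed, with four spaces standing in for the worm's longer runs.

```powershell
# Added example for this page (not Symantec's code): classify an attachment name
# the way a gateway filter or triage script should, so padding spaces and a
# decoy document extension do not hide the executable type. Assumption: the
# executable list is the writeup's recommendation (.vbs .bat .exe .pif .scr)
# plus .com, which several of the attachment names in the writeup use.

$execExt = '.exe','.pif','.scr','.com','.bat','.vbs'

function Get-AttachmentVerdict {
    param([Parameter(Mandatory=$true)][string]$Name)
    # Windows honours only the text after the last dot, and a long run of spaces
    # pushes that part out of view in most mail clients. Strip whitespace, then
    # take the final extension and the one before it.
    $clean = $Name -replace '\s+', ''
    $last  = if ($clean -match '\.([^.]+)$') { '.' + $Matches[1].ToLower() } else { '' }
    $stem  = $clean -replace '\.[^.]+$', ''
    $inner = if ($stem -match '\.([^.]+)$') { '.' + $Matches[1].ToLower() } else { '' }
    $padded = $Name -match '\s{2,}'
    $isExec = $execExt -contains $last
    $verdict = if ($isExec) { 'BLOCK' } elseif ($padded) { 'SUSPICIOUS' } else { 'ALLOW' }
    New-Object PSObject -Property @{
        Name = $Name; RealExt = $last; Executable = $isExec
        DoubleExt = ($inner -ne '' -and $inner -ne $last); SpacePadded = $padded; Verdict = $verdict
    }
}

# Constructed sample names modelled on the writeup's list (four spaces stand in
# for the worm's longer runs); not real captured messages.
$samples = 'SweetMemory.doc    .pif', 'Rindu dan Kangen bersatu.txt    pif', 'www.lovestory.com',
           'Crack.exe', 'Tutorial.ppt', 'Beauty ScreenSaver.scr', 'quarterly report.docx'
$samples | ForEach-Object { Get-AttachmentVerdict -Name $_ } |
    Select-Object Verdict, RealExt, DoubleExt, SpacePadded, Name | Format-Table -AutoSize
```

Note that "www.lovestory.com" is classified BLOCK: it is a .com executable, not a URL. "Rindu dan Kangen bersatu.txt    pif" has no dot before "pif" as printed above, so the function does not see an executable extension, but the padding alone still marks it SUSPICIOUS.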

The worm then ends processes that contain the following strings, some of which may be security-related:
  • 0GrtMultikiller
  • 2rellikitluM
  • AD-AWARE
  • ADNAP
  • ANVIE
  • AnVir
  • ANVIR
  • AVIRA
  • BACA BRO
  • BITDEF
  • BLACKICE
  • CabinetW
  • CASTLECOP
  • CHRIS PC
  • CILIN
  • CITSITSCANNING STATISTIC
  • CLEANER
  • COMMAND BRO
  • COMPACTBYTE
  • CONFIGURATION UTILITY
  • ConsoleW
  • COPYING..
  • CURR PROCESS
  • CurrProcess
  • CURRPROCESS
  • DELETING..
  • EARTHLINK PROTECTION
  • ERTANTO
  • explorer.exe
  • EXTENSION TEST
  • FLAMMING WALL
  • FOLDER OPTION
  • FORCE
  • FREECELL
  • F-SECURE
  • GEOBLACK
  • GRISOFT
  • HACKER
  • HEARTS
  • HIJACK
  • HtrGPANDA
  • I KNOW
  • IDI0T
  • IDIOT
  • IKNOW
  • JAMILA
  • KASPERSKY
  • LUKE FILEWALKER
  • MACHINE
  • MALWARE
  • MCAFEE
  • MEDIA PLAYER
  • MIGHTY CHICKEN
  • MIGHTYCHICKEN
  • MINESWEEPER
  • MOVING..
  • Mr_CoolFace
  • Multikiller2
  • MY DOCUMENTS
  • NORMAN
  • NORTON
  • NOTESXP
  • OPTIX PRO
  • PCMAV
  • PCSUMMARIZER
  • PINBALL
  • POP3TRAP
  • POWER TOOL
  • POWERDVD
  • POWERTOOL
  • PrcView
  • PROCESS EXPLORER
  • PROCESS INFO
  • PROCESS MANAGER
  • PROCESS MONITOR
  • PROCESS VIEWER
  • Process Viewer
  • PROCESSINFO
  • PROCESSMANAGER
  • PROCESSMONITOR
  • PROCESSVIEWER
  • PROCEXP
  • PROCEXPL
  • REALPLAYER
  • REG FIX
  • REGCURE
  • RegEdit
  • REGFIX
  • REGISTRY
  • Registry Editor
  • REMOVA
  • REMOVER
  • REMOVI
  • RESULT DETAIL
  • SEARCH RESULTS
  • SECUNIA
  • SECURITY TASK
  • SIKUP
  • SOLITAIRE
  • SOPHOS
  • SPIDER
  • SPYWARE
  • STARTUP ORGANIZER
  • SYMANTEC
  • SYSINTERNAL
  • System Configuration Utility
  • System Restore
  • SYSTEM32
  • TASK INFO
  • TASK MANAGER
  • TASKGUARDIAN
  • TASKINFO
  • TASKMANAGER
  • TASKS MANAGER
  • TForm1
  • ThunderRT
  • TmainF
  • TMainF
  • TREND
  • TROJAN
  • TShowSplash
  • TSystemCleaner
  • TWEAK
  • VAKSIN
  • VIROLOG
  • VIRUS
  • WANTI
  • Warecase
  • WASHER
  • WAV V
  • WIN TASK
  • WINDOWS FILE PROTECTION
  • WINHEX
  • WINPATROL
  • WINTASK
  • wITNA
  • wProcess Explorer
  • YOHAN
  • ZANDA
  • Zanda's little helper

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan.
  4. Delete any values added to the registry.

For specific details on each of these steps, read the following instructions.

1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:

Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).

2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions.
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to Virus Definitions (Intelligent Updater).

The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.

3. To run a full system scan
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected, follow the instructions displayed by your antivirus program.
Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.


After the files are deleted, restart the computer in Normal mode and proceed with the next section.

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.
  1. Click Start > Run.
  2. Type regedit
  3. Click OK.

    Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
  4. Navigate to and delete the following entries:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "[RANDOM CHARACTERS].exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "[RANDOM CHARACTERS].exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "explorer.exe "%SystemRoot%\explorer.exe""
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %SystemRoot%\explorer.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sol.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmine.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshearts.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freecell.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spider.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANSAV32.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winamp.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\URemovalCRC32.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Niu.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvccf.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcod.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CClaw.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcoas.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Njeeves.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nipsvc.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcsched.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nip.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\"Debugger" = "[FILENAME]"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\"Debugger" = "[FILENAME]"

  5. Restore the following registry entries to their original values, if required:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableConfig" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableSR" = "1"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
    HKEY_CLASSES_ROOT\exefile\"(Default)" = "JPEG Image"
    HKEY_CLASSES_ROOT\scrfile\"(Default)" = "JPEG Image"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\"FullPath" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\"UncheckedValue" = "0"
    HKEY_CLASSES_ROOT\txtfile\"(Default)" = "Princess Document"
    HKEY_CURRENT_USER\Control Panel\Desktop\"SCRNSAVE.EXE" = "MR_COO~1.SCR"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\"AlternateShell" = "c:\explorer.exe"

  6. Exit the Registry Editor.
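Steps 4 and 5 can be scripted so that the backup, the deletions and the restorations happen in one pass. The following PowerShell script is an added example for this page, not Symantec's tool. It assumes the stock defaults for the Winlogon, SafeBoot and file-type values (verify them against a clean host of the same Windows build before trusting them), exports each key with reg.exe before changing it, and leaves the [RANDOM CHARACTERS] Run values for manual review because their names cannot be known in advance.

```powershell
# Added example for this page (not Symantec's code): scripted form of steps 4-6,
# run from an elevated PowerShell prompt in Safe Mode after the full scan.
# Assumptions: the stock values restored below (Shell='explorer.exe',
# Userinit='<system32>\userinit.exe,', AlternateShell='cmd.exe', exefile=
# 'Application', scrfile='Screen saver', txtfile='Text Document') match the
# host's Windows build; verify against a clean machine of the same build first.
# The [RANDOM CHARACTERS] Run values cannot be named here and are left for
# manual review. Backups are written with reg.exe before anything is changed.

function ConvertTo-PSRegPath([string]$RegKey) {
    # reg.exe spelling (HKLM\...) to provider spelling (HKLM:\...); HKCR has no drive.
    $RegKey -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\' -replace '^HKCR\\', 'Registry::HKEY_CLASSES_ROOT\'
}

$ifeo     = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$winlogon = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$safeboot = 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot'
$srPolicy = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$desktop  = 'HKCU\Control Panel\Desktop'
$stockTypes = @{ 'HKCR\exefile' = 'Application'; 'HKCR\scrfile' = 'Screen saver'; 'HKCR\txtfile' = 'Text Document' }

# Back up every key that will be touched (the "back up the registry" warning above).
$backupDir = Join-Path $env:SystemDrive 'miprinc-regbackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($key in @($ifeo, $winlogon, $safeboot, $srPolicy, $desktop) + @($stockTypes.Keys)) {
    $file = Join-Path $backupDir (($key -replace '[\\: ]', '_') + '.reg')
    & reg.exe export $key $file /y 2>$null | Out-Null      # missing keys (e.g. the policy) are skipped
}

# Step 4: delete the Debugger hijacks on the image names listed in the writeup.
$hijacked = 'sol.exe','regedit.exe','taskmgr.exe','calc.exe','winmine.exe','notepad.exe',
            'mshearts.exe','freecell.exe','spider.exe','ccapp.exe','ANSAV.exe','ANSAV32.exe',
            'tasklist.exe','taskkill.exe','winamp.exe','URemovalCRC32.exe','PCMAV.exe','Niu.exe',
            'Nvccf.exe','Nvcod.exe','CClaw.exe','Nvcoas.exe','Njeeves.exe','Nipsvc.exe',
            'Nvcsched.exe','Zanda.exe','Zlh.exe','Nip.exe','msconfig.exe','cmd.exe'
foreach ($img in $hijacked) {
    $path = Join-Path (ConvertTo-PSRegPath $ifeo) $img
    if (Get-ItemProperty -Path $path -Name Debugger -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $path -Name Debugger
        "removed IFEO Debugger for $img"
    }
}

# Step 5: restore the modified values to their stock defaults.
$wlPath = ConvertTo-PSRegPath $winlogon
Set-ItemProperty -Path $wlPath -Name Shell    -Value 'explorer.exe'
Set-ItemProperty -Path $wlPath -Name Userinit -Value ((Join-Path $env:SystemRoot 'system32\userinit.exe') + ',')
Set-ItemProperty -Path (ConvertTo-PSRegPath $safeboot) -Name AlternateShell -Value 'cmd.exe'
foreach ($cls in $stockTypes.Keys) {
    Set-ItemProperty -Path (ConvertTo-PSRegPath $cls) -Name '(default)' -Value $stockTypes[$cls]
}
# The SystemRestore policy values do not exist on a clean host; deleting them re-enables it.
foreach ($v in 'DisableSR', 'DisableConfig') {
    Remove-ItemProperty -Path (ConvertTo-PSRegPath $srPolicy) -Name $v -ErrorAction SilentlyContinue
}
# SCRNSAVE.EXE points at the worm copy; clearing it simply leaves no screen saver selected.
Remove-ItemProperty -Path (ConvertTo-PSRegPath $desktop) -Name 'SCRNSAVE.EXE' -ErrorAction SilentlyContinue
```

Run it elevated from Safe Mode after step 3, from a powershell.exe started directly rather than via cmd.exe. The Explorer "Hidden", "HideFileExt", "FullPath" and SuperHidden values are left alone because they are user preferences with no single stock value worth forcing; set them in Folder Options once regedit and Explorer behave normally again.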



Printed From: http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-012610-3225-99

