Cabe señalar que crea un fichewro gusano de nombre UssaShohhdi.vbs dentro de la carpeta de sistema, el cual es llamado por una clave del registro de sistema en cada reinicio, además de infectar todos los EXE con el script de este gusano VBS, si bien a partir del 1º de Mayo las máquinas infectadas ya no arrancarán de nuevo hasta que se restauren los ficheros borrados, pero ojo, además de eliminar el virus, pues si no se entraría en un circulo vicioso de Rstaurar ficheros borrados, arrancar llamando el virus con lo que se borrarían los ficheros, volver a restaurar ficheros borrados...
El payload de este virus borra a partir de dicho día, 1 de Mayo de 2004, los siguientes ficheros, del sistema de inicio según sea el S.O, a saber:
C:\NTDETECT.COM (NT, W2000, XP)
C:\COMMAND.COM (Windows 95-98, y Me)
C:\MSDOS.SYS "
C:\IO.SYS\ "
Todos los indicados ficheros menos el COMMAND.COM son de sistema y ocultos. y residen en el directorio raiz de C:
Es importante señalar que tras dicho borrado deberám restaurarse dichos ficheros, (aparte eliminar los gusanos, de limpiar los ficheros infectados, y restaurar las claves de registro modificadas por el virus), lo cual es relativamente sencillo en los sistemas antiguos Windows 95-98. con SYS C pero de mayor dificultad en Me, que no tiene el comando SYS, y peor en sistemas NTFS, lo cuales se requerirá una reparacion arrancando con el CDROM de instalacion. Ya veremos de proponer soluciones para ello antes de que inicie dicha eliminacion de estos ficheros, pero mejor evitar infectarse, conociendo las caracteristicas del e-mail y éliminarlo antes del 1 de mayo si hubiera entrado en el ordenador:
__________________________________________
Virus Name Risk Assessment
W32/Shodi.c@MM Corporate User : Low
Home User : Low
Virus Information
Discovery Date: 04/06/2004
Origin: Unknown
Length: 65,536 bytes
Type: Virus
SubType: Email
Minimum DAT: 4351 (04/14/2004)
Updated DAT: 4352 (04/21/2004)
Minimum Engine: 4.2.40
Description Added: 04/16/2004
Description Modified: 04/16/2004 5:10 AM (PT)
Description Menu
Virus Characteristics
Symptoms
Method Of Infection
Removal Instructions
Variants / Aliases
Rate This page
Print This Page
Email This Page
Legend
Virus Characteristics:
This is a prepending file virus that drops a VBS script to mail itself to recipients extracted from the Outlook address book. From May 2004 onwards, the virus delivers a destructive payload, deleting critical system files.
Proactive Detection
This threat is detected as virus or variant New Malware.b with the 4309 DATs or greater. The VBS script which performs the mailing is detected as VBS/Generic@MM since the 4140 DATs.
Exact detection and repair as W32/Shoder.a@MM is provided in the 4351 DATs. In the 4352 DATs, this detection has been renamed to W32/Shodi.c@MM.
File Infection
The virus prepends .EXE files on the victim machine, prepending itself. The following files are excluded from infection:
CCREGVFY.EXE
CCAPP.EXE
IEXPLORE.EXE
The following string is also appended to infected files (together file offest data):
UssaShohhdi
In total, parasitically infected files increase in size by 65,555 bytes.
Mail Propagation
When an infected file is run, a VBS script is dropped. This script performs the mass-mailing, sending a copy of the infected file to recipients extracted from the Outlook address book. The mail is formatted as follows:
Subject: MyFriend,How are you?
Body: Please See The Attachment (Important)!
Attachment: a copy of the infected file.
The script also sets the following Registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\UssaShohhdi? = 1
This key is used by the script so it does not mail more than once from an infected machine.
Destructive Payload
The virus checks the system date. If the date is May 2004 or later, it delivers a destructive payload, deleting the following files:
C:\NTDETECT.COM
C:\COMMAND.COM
C:\MSDOS.SYS
C:\IO.SYS\
Without these system files, Windows will not restart.
Top of Page
Symptoms
Parasitically infected files, increasing in size by 65,555 bytes.
Existence of the Registry key detailed above.
Missing critical system files (May 2004 onwards) indicating delivery of virus' payload.
Top of Page
Method Of Infection
This is a prepending file virus. When an infected file is run, a VBS script is dropped which is intended to mail the infected file to the Outlook address book.
Top of Page
Removal Instructions
All Users:
Use specified engine and DAT files for detection. The 4.2.40 engine can complete repair without reboot, but older engines require a reboot for repair to complete.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the current engine and DAT combination (or higher), older engines may not be able to remove all registry keys created by this threat.
Additional Windows ME/XP removal considerations
Top of Page
Variants
Name Type Sub Type Differences
Top of Page
Aliases
Name
W32.Tunk.A (Symantec)
W32/Shoder.a@MM
__________________________________________
Aun no tenemos muestra de este bicho. Si alguien lo recibiera, sería conveniente que nos enviaran el fichero anexado al mail, o cualquier otro infectado con este virus a:
saludos
ms, 19-04-2004
msc hotline sat Virus Research Engineer