
Win32.MSNWorm.Rodok.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.MSNWorm.Rodok.A is also known as Worm.Win32.Fleming (Kaspersky).

Explanation:

This worm spreads by maliciously inviting the user's MSN Messenger contacts to download it; it was written in Visual Basic.
The virus is disguised as a CD-key generator for the Half-Life/CounterStrike games; when run, it invites the user to click the "Generate" button, but the resulting "keys" are just random digits.

The virus actually steals the user's CD-keys for Half-Life and CounterStrike. The keys are read from the following registry keys:
- HKCU\Software\Valve\CounterStrike\Settings\Key
- HKCU\Software\Valve\Half-Life\Settings\Key
and sent to styggefolk@hotmail.com; the sent message looks like this:

I have loaded the ur CDKEY Generator 1.3! CS: HL:

In order to spread, the worm sends instant messages to the user's contacts, inviting them to download and run a program (actually a copy of the virus) from a website.

The virus then attempts to download an executable file from the location http://home.no.net/downl0ad/CS-Keygen.exe and save it as C:\hehe2397824.exe. If the user receives a message from styggefolk@hotmail.com, it will take a specific action depending on the contents of that message:
- if the message reads "hey", the virus will send the CounterStrike/Half-Life CD keys again;
- if the message reads "hello", the virus will download a file (probably containing an updated version of the virus) from the location http://home.no.net/downl0ad/Update.exe and save it as C:\update35784.exe; a message will be sent back to styggefolk@hotmail.com, containing the text "Updating...";
- if the message reads "hi", the virus will reply with "Spamming..." and send virus download invitations again to the user's contacts.
The worm runs the downloaded executable files (C:\hehe2397824.exe, C:\update35784.exe), if they are found; it will remain resident, waiting for messages from styggefolk@hotmail.com.
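As an added example, not part of the BitDefender description, the following Python script turns the indicators listed above (the two registry values, the dropped file names, the download URLs, the operator address, its three command strings and the worm's replies) into a small matcher that a responder can run over host and messaging telemetry. The event format (a dict with a `type` field), the field names, the verdict labels and the sample records are assumptions constructed for this example.

```python
"""Indicator matcher for the Win32.MSNWorm.Rodok.A behaviour described above.

Added example, not BitDefender's code. The indicators are taken from the
description; the event format (a dict with a "type" field), the field names
and the verdict labels are assumptions made for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Registry values holding the Half-Life / CounterStrike CD keys (lower-cased;
# the Windows registry is case-insensitive, so comparisons ignore case).
REGISTRY_KEYS = {
    r"hkcu\software\valve\counterstrike\settings\key",
    r"hkcu\software\valve\half-life\settings\key",
}
# Files the worm downloads to disk and later executes.
DROPPED_FILES = {r"c:\hehe2397824.exe", r"c:\update35784.exe"}
# Download locations named in the description (lower-cased for matching).
DOWNLOAD_URLS = {
    "http://home.no.net/downl0ad/cs-keygen.exe",
    "http://home.no.net/downl0ad/update.exe",
}
# MSN address that receives the stolen keys and issues commands.
OPERATOR = "styggefolk@hotmail.com"
# Command strings the worm accepts from that address, mapped to the action
# the description attributes to each.
COMMANDS = {"hey": "resend-cdkeys", "hello": "update", "hi": "spam-contacts"}
# Replies the worm sends back to the operator.
ACKS = {"Updating...", "Spamming..."}
# Prefix of the key-exfiltration message quoted in the description.
EXFIL_RE = re.compile(r"I have loaded the ur CDKEY Generator 1\.3!", re.IGNORECASE)


def _normalise_registry_path(path: str) -> str:
    """Lower-case and collapse the long hive name so either spelling matches."""
    p = path.strip().lower()
    if p.startswith("hkey_current_user\\"):
        p = "hkcu\\" + p[len("hkey_current_user\\"):]
    return p


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a verdict label if the event matches an indicator, else None."""
    kind = event.get("type")
    if kind == "registry":
        if _normalise_registry_path(event.get("path", "")) in REGISTRY_KEYS:
            return "cdkey-registry-read"
        return None
    if kind == "file":
        if event.get("path", "").strip().lower() in DROPPED_FILES:
            return "known-dropped-file"
        return None
    if kind == "http":
        if event.get("url", "").strip().lower() in DOWNLOAD_URLS:
            return "known-download-url"
        return None
    if kind == "im":
        sender = event.get("from", "").strip().lower()
        recipient = event.get("to", "").strip().lower()
        body = event.get("body", "").strip()
        if sender == OPERATOR:
            # Inbound traffic from the operator: one of the three commands,
            # or anything else from that address, is worth flagging.
            action = COMMANDS.get(body.lower())
            return f"operator-command:{action}" if action else "operator-message"
        if recipient == OPERATOR:
            if EXFIL_RE.search(body):
                return "cdkey-exfil"
            if body in ACKS:
                return "operator-ack"
            return "message-to-operator"
        return None
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run classify() over a list of events; return (index, verdict) for hits."""
    hits = []
    for index, event in enumerate(events):
        verdict = classify(event)
        if verdict is not None:
            hits.append((index, verdict))
    return hits


# Constructed telemetry for a run-through; the addresses other than the
# operator's, and the "CD keys" in the exfil message, are made up.
SAMPLE_EVENTS = [
    {"type": "registry", "path": r"HKCU\Software\Valve\CounterStrike\Settings\Key"},
    {"type": "registry", "path": r"HKCU\Software\Valve\Steam\Language"},
    {"type": "im", "from": "victim@example.com", "to": "styggefolk@hotmail.com",
     "body": "I have loaded the ur CDKEY Generator 1.3! CS: 0000-0000 HL: 1111-1111"},
    {"type": "http", "url": "http://home.no.net/downl0ad/CS-Keygen.exe"},
    {"type": "file", "path": r"C:\hehe2397824.exe"},
    {"type": "im", "from": "styggefolk@hotmail.com", "to": "victim@example.com", "body": "hi"},
    {"type": "im", "from": "victim@example.com", "to": "styggefolk@hotmail.com", "body": "Spamming..."},
    {"type": "http", "url": "http://example.com/index.html"},
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_EVENTS):
        print(f"event {index}: {verdict} -> {SAMPLE_EVENTS[index]}")
```

Any message to or from the operator address is flagged even when its body is not one of the quoted strings, because the description gives that address as the worm's only control channel; a registry read of the two Valve key values on its own is a weak signal (the games read them too) and is best correlated with the file, URL or messaging hits rather than alerted on alone.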

Last update 21 November 2011
