Trojan: TROJ_MUSIC.B


Techguy
December 6, 2000, 12:57 pm
TROJ_MUSIC.B
Risk rating: low
Virus type: Trojan
Destructive: N

Aliases:
MUSIC WORM, MUSIC.B

Description:
This Trojan, upon execution, displays a graphic and plays a tune. It also modifies the registry and drops files, so that the Trojan is executed at every Windows start up. It uses Microsoft Messaging API to propagate and sends itself as an email attachment to all lists in the Windows Address book of the infected user. This Trojan is a variant of TROJ_MUSIC.A.

Solution:
1. Scan your whole system and list down the files detected as TROJ_MUSIC.B.
2. Click on Start|Run, then type regedit.
3. In the Registry Editor, click on the "+" to the left of the names to go to the registry keys below:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysDrv
   HKEY_LOCAL_MACHINE\Software\Microsoft\MCM
4. In the right pane of the Registry Editor, look for the entry whose value includes the filename listed in step 1, click on the entry, and press <Delete>.
5. Reboot the machine.
6. Scan your system with your antivirus and delete all files detected as TROJ_MUSIC.B.

In the wild: No
Trigger condition 1: Upon execution
Payload 1: Displays graphics and plays a tune
Detected by pattern file#: 800
Detected by scan engine#: 5.17
Language: English
Platform: Windows
Encrypted: No
Size of virus: 40,960 Bytes

Details:
Upon execution, this Trojan displays a window containing graphics and plays a tune. While the graphic is displayed, the Trojan drops a copy of itself, SYSMCM.EXE, in the Windows System directory. Then it adds the following Windows Registry entry so that the Trojan is executed at every Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"SysDrv" = "%WINSYS%\SYSDRV.EXE"

where %WINSYS% is the Windows System directory. It also adds the following registry entries under HKLM\Software\Microsoft\MCM:
FirstRun
LastRun
RunMCM
Version = 001113

The registry value FirstRun contains the date when the Trojan was first executed. The registry value Version contains the version of the worm.
When the window displayed by the Trojan is closed, the Trojan remains in memory. While in memory, it tries to connect to several predefined Internet sites, and attempts to download some components of the Trojan encoded in Base 64. These components are then processed and converted as SYSDRV.EXE, SYSTMP.DLL, and MSWINSCK.DLL (Microsoft Standard Winsock library).

The Trojan requires the Visual Basic Runtime files in order to execute this download. Once these files have been downloaded, the Trojan modifies the registry entry it created earlier, to point to the downloaded file SYSDRV.EXE.

This Trojan has the capability to upgrade its components by downloading them from the Internet site. Therefore, the author may change the functionality of the Trojan in the future to add destructive payloads.

The Trojan gathers addresses from the Windows Address Book and sends out an email with an attachment. This attachment is a copy of the original message. The email sent out has these properties:
Subject: Testing to send file
Message Body: Hi, just testing email using Merry Christmas music file, not bad music.
Or: Hi, just testing email using Merry Christmas music file, you'll like it.

This Trojan is a slow mass-mailer. After sending out the mail, the Trojan exits and is triggered again at next Windows startup.
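As an added example (not part of the original post or the vendor write-up), the Python script below checks a `reg export` of the two keys named above for the SysDrv Run value and the MCM marker key; the embedded .reg text is a constructed sample, and the file names and key paths are taken from the description.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample of a `reg export` of the two keys named in the write-up,
# with the persistence value the Trojan adds. Not a real dump.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SysDrv"="C:\\WINDOWS\\SYSTEM\\SYSDRV.EXE"
"ctfmon.exe"="C:\\WINDOWS\\SYSTEM32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\MCM]
"FirstRun"="20001206"
"LastRun"="20001206"
"RunMCM"="1"
"Version"="001113"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MCM_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\MCM"
# Dropped / downloaded file names the write-up attributes to the Trojan.
TROJAN_FILES = {"SYSDRV.EXE", "SYSMCM.EXE"}

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] sections and "name"="data" string values of a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # .reg escapes backslashes as \\; undo that for path matching
                keys[current][m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys

def find_music_b_indicators(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) triples that match the write-up."""
    keys = parse_reg_export(text)
    hits: List[Tuple[str, str, str]] = []
    # Persistence: Run\SysDrv pointing at one of the Trojan's file names.
    sysdrv = keys.get(RUN_KEY.lower(), {}).get("sysdrv")
    if sysdrv and sysdrv.split("\\")[-1].upper() in TROJAN_FILES:
        hits.append((RUN_KEY, "SysDrv", sysdrv))
    # Marker key the Trojan creates; its Version value identifies the variant.
    mcm = keys.get(MCM_KEY.lower())
    if mcm is not None:
        hits.append((MCM_KEY, "Version", mcm.get("version", "")))
    return hits
```

Any hit from `find_music_b_indicators` names the Run entry to delete in step 4 of the solution and the file to scan in step 1.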
