Trojan: TROJ_MUSIC.C


Techguy
December 7, 2000, 11:48 pm
TROJ_MUSIC.C
Risk rating: low
Virus type: Trojan
Destructive: N


Description:
This network-enabled Trojan is disguised as a simple program that displays graphics and plays a tune. Upon execution, it modifies the Windows registry and drops files to propagate via email. Although the samples received so far are non-destructive, this Trojan has the capability to download upgrades from the Internet, which may be malicious. It is a variant of TROJ_MUSIC.A.

Solution:


1. Scan the infected system and list the files detected as TROJ_MUSIC.C.
2. Click on Start|Run, then type regedit.
3. In the Registry Editor, click on the "+" to the left of the names to go to the registry keys below:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\SysDrv
   HKEY_LOCAL_MACHINE\Software\Microsoft\MCM
4. In the right pane of the Registry Editor, look for the entry with the value included in the filenames listed in step 1, click on the entry, and press <Delete>.
5. Reboot the machine.
6. Scan your system with your antivirus and delete all files detected as TROJ_MUSIC.C.

In the wild: No
Trigger condition 1: Upon execution
Payload 1: Displays Graphics, Displays a Message Box and Plays a Tune
Detected by pattern file#: 800
Detected by scan engine#: 5.170
Language: English
Platform: Windows
Encrypted: No
Size of virus: 41,472 Bytes

Details:
This Trojan was created in Visual Basic, and needs the MS Visual Studio DLL library in order to propagate.

It spreads via email as an attachment. This attachment can have any one of the following filenames:
MUSIC.COM, MUSIC.EXE or MUSIC.ZIP.

When the attachment is executed, the Trojan displays a window that contains graphics, and at the same time plays a tune.
http://www.antivirus.com/vinfo/images/troj_music.a.gif
While the tune is played, the Trojan drops a file "SYSMCM.EXE" in the Windows System directory. This is an exact copy of the attachment. Then it adds the following entry to the Windows Registry so that the Trojan is executed at every Windows start up:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"SysDrv" = "%WINSYS%\SYSMCM.EXE"
Or
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"SysDrv" = "%WINSYS%\SYSDRV.EXE"

Where %WINSYS% is the Windows System directory.

It also adds the registry entries:

HKLM\Software\Microsoft\MCM
FirstRun
LastRun
RunMCM
Version = 001113

The registry value FirstRun contains the date of when the Trojan was first executed. The registry value Version contains the version of the worm.

When the window displayed by the Trojan is closed, the Trojan remains in memory. While in memory, it repeatedly tries to connect to the Internet, specifically to http://free001.homepage.com, and attempts to download some components of the Trojan encoded in Base64. These components are then processed and converted to SYSDRV.EXE, SYSTMP.DLL and MSWINSCK.DLL (MS Standard Winsock library).

Once these files have been downloaded, the Trojan modifies the registry entry it created earlier to point to the downloaded file SYSDRV.EXE.

It also has the capability to upgrade its components by downloading them from the Internet site. Thus, the author may change the functionality of the Trojan in the future to add destructive payloads.

The Trojan is also capable of upgrading its components by downloading them from a website. Therefore, in theory the virus writer can alter this Trojan.


Then the Trojan sends itself as an attachment to every address listed in the Windows Address Book of the infected user. A sample of the email is as follows:

Subject: Testing to send file
Message Body: Hi, just testing email using Merry Christmas music file, not bad music.
Or
Hi, just testing email using Merry Christmas music file, you'll like it.
Attachment: MUSIC.COM or MUSIC.EXE or MUSIC.ZIP

This Trojan is a slow mass-mailer. After sending out the mail, the Trojan exits and is triggered again at next Windows startup.

By Trend

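The indicators listed in the write-up (the Run\SysDrv autostart value, the HKLM\Software\Microsoft\MCM key and the dropped files in the Windows System directory) can be checked in one pass before the manual removal steps. The following PowerShell script is an added triage example, not part of the original Trend Micro write-up or the forum post; it is read-only and assumes that %WINSYS% corresponds to $env:SystemRoot\System32 on NT-based Windows.

```powershell
# Added triage script (not part of the original write-up). Read-only: it
# reports the registry entries and dropped files described above so the
# result can be compared with the antivirus scan before any cleanup.

$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$mcmKey  = 'HKLM:\Software\Microsoft\MCM'
$sysDir  = Join-Path $env:SystemRoot 'System32'   # assumption: %WINSYS% = System32
$dropped = 'SYSMCM.EXE', 'SYSDRV.EXE', 'SYSTMP.DLL'

$findings = @()

# 1. Autostart value the Trojan adds: Run\SysDrv pointing at SYSMCM.EXE or SYSDRV.EXE
$sysDrv = Get-ItemProperty -Path $runKey -Name 'SysDrv' -ErrorAction SilentlyContinue
if ($sysDrv) {
    $findings += [pscustomobject]@{ Indicator = 'Run\SysDrv'; Value = $sysDrv.SysDrv }
}

# 2. Configuration key the Trojan creates, with its FirstRun/LastRun/RunMCM/Version values
if (Test-Path $mcmKey) {
    $mcm = Get-ItemProperty -Path $mcmKey
    foreach ($name in 'FirstRun', 'LastRun', 'RunMCM', 'Version') {
        if ($null -ne $mcm.$name) {
            $findings += [pscustomobject]@{ Indicator = "MCM\$name"; Value = $mcm.$name }
        }
    }
}

# 3. Files dropped or downloaded into the Windows System directory.
#    MSWINSCK.DLL is deliberately not listed: it is a legitimate Winsock control
#    that other Visual Basic programs also install, so its presence proves nothing.
foreach ($file in $dropped) {
    $path = Join-Path $sysDir $file
    if (Test-Path $path) {
        $item = Get-Item $path
        $findings += [pscustomobject]@{
            Indicator = "File $file"
            Value     = "$($item.Length) bytes, modified $($item.LastWriteTime)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No TROJ_MUSIC.C indicators found.'
} else {
    $findings | Format-Table -AutoSize
    Write-Output 'Indicators present: confirm with an antivirus scan, then follow the removal steps above.'
}
```

A hit on the file checks alone is not conclusive (the 41,472-byte size given in the write-up is a useful cross-check for SYSMCM.EXE), which is why the script only reports and leaves deletion to the scanner and the manual steps.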