Techguy
December 7, 2000, 11:49 pm
TROJ_MUSIC.D
Risk rating:
Virus type: Trojan
Destructive: N
Aliases: MUSIC.D, W95/Music@M, I-Worm.Music.D
Description:
This network-enabled Trojan is disguised as a simple program that displays graphics and plays a tune. Upon execution, it modifies the Windows registry and drops files to propagate via email. Although the samples received so far are non-destructive, this Trojan has the capability to download upgrades from the Internet, which may be malicious.
Solution:
1. Scan your system with your antivirus and delete all files detected as TROJ_MUSIC.D.
2. Click on Start|Run, then type regedit.
3. In the Registry Editor, click on the "+" to the left of the names to go to the registry key below:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
4. In the right pane of the Registry Editor, look for the entry whose value includes the filename listed in step 1, click on the entry, and press <Delete>.
5. Reboot the machine, scan the system again with your antivirus, and delete all files detected as TROJ_MUSIC.D.
In the wild: No
Trigger condition 1: Upon execution
Payload 1: Displays graphics and plays a tune
Detected by pattern file#: 808
Detected by scan engine#: 5.170
Language: English
Platform: Windows
Encrypted: No
Size of virus: 39,936 bytes
Details:
Upon execution, this Trojan displays a window containing graphics, and at the same time plays a tune. But in the background, it drops the file SYSMCM.EXE, a copy of the Trojan, in the Windows System directory. Then it adds the following entry to the Windows Registry so that the Trojan is executed at every Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"SysDrv" = "%WINSYS%\SYSMCM.EXE"
where %WINSYS% is the Windows System directory.
When the window displayed by the Trojan is closed, the Trojan remains in memory. While in memory, it repeatedly tries to connect to the Internet, and attempts to download some components of the Trojan. These components are saved to the Windows\System directory as SYSDRV.EXE and SYSTMP.DLL. The Trojan needs the Visual Basic Runtime files in order to execute this download.
Once these files have been downloaded, the Trojan modifies the registry entry it created earlier to point to the downloaded file SYSDRV.EXE.
It also has the capability to upgrade its components by downloading them from an Internet website. Thus, the author may change the functionality of the Trojan in the future to add destructive payloads.
Then the Trojan sends itself as an attachment to every address listed in the Windows Address Book of the infected user. A sample of the email is as follows:
Subject: Testing to send file
Message Body: Hi, just testing email using Merry Christmas music file, not bad music.
Or
Hi, just testing email using Merry Christmas music file, you'll like it.
This Trojan is a slow mass-mailer. After sending out the mail, the Trojan exits and is triggered again at next Windows startup.
------------------
Thank you for using Help From Techs Support Forums!
Please come again and remember to refer a friend to our site.
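Added example (not part of the forum post or the vendor advisory it reproduces): the manual regedit steps above can be checked mechanically against a `regedit /e` export of the Run key, using only the indicators the advisory gives (the "SysDrv" value name and the SYSMCM.EXE / SYSDRV.EXE / SYSTMP.DLL file names). The sample export, the C:\WINDOWS\SYSTEM path and the benign SystemTray entry are constructed for illustration; the script parses the export, reports which stage of the infection the Run entry reflects (initial drop vs. re-pointed to the downloaded SYSDRV.EXE) and emits a .reg file that deletes the flagged values.

```python
import re

# Indicators from the TROJ_MUSIC.D advisory above: the Run value name it
# creates and the three files it drops or downloads into the System directory.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
IOC_VALUE_NAME = "sysdrv"
IOC_STAGE_BY_FILE = {
    "sysmcm.exe": "initial",   # dropped copy, first target of the Run entry
    "sysdrv.exe": "updated",   # downloaded component the Run entry is re-pointed to
    "systmp.dll": "updated",   # downloaded alongside SYSDRV.EXE
}

# Constructed sample of a `regedit /e` export from an infected Windows 9x host
# (REGEDIT4 format: backslashes doubled, quotes escaped as \"). The SystemTray
# and RunServices entries are benign and must not be flagged.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"SysDrv"="C:\\WINDOWS\\SYSTEM\\SYSMCM.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
'''


def unescape_reg(s):
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(.)', r'\1', s)


def escape_reg(s):
    """Apply .reg string escaping (inverse of unescape_reg)."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg_export(text):
    """Parse a REGEDIT4 or 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: string_data}}. Only REG_SZ lines ("name"="data")
    are kept; hex:/dword: values are skipped since Run entries are strings."""
    keys, current = {}, None
    value_re = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = value_re.match(line)
        if m and current is not None:
            keys[current][unescape_reg(m.group(1))] = unescape_reg(m.group(2))
    return keys


def image_name(cmdline):
    """Lower-case file name of the executable in a Run command line,
    handling a quoted path and trailing arguments."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        path = s[1:end] if end > 0 else s[1:]
    else:
        path = s.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_music_persistence(keys):
    """Return [(value_name, data, stage)] for Run entries that match the
    advisory's indicators by value name or by target file name."""
    hits = []
    for key, values in keys.items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            stage = IOC_STAGE_BY_FILE.get(image_name(data))
            if name.lower() == IOC_VALUE_NAME or stage:
                hits.append((name, data, stage or "unknown-target"))
    return hits


def cleanup_reg(hits):
    """Build a .reg file that deletes the flagged values; "name"=- is the
    .reg syntax for removing a value, applied with `regedit /s cleanup.reg`."""
    lines = ["REGEDIT4", "", f"[{RUN_KEY}]"]
    for name, _data, _stage in hits:
        lines.append(f'"{escape_reg(name)}"=-')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_music_persistence(parse_reg_export(SAMPLE_EXPORT))
    for name, data, stage in found:
        print(f"{name} -> {data} ({stage} stage)")
    print(cleanup_reg(found))
```

Because the Trojan re-points the same "SysDrv" value at SYSDRV.EXE after its download succeeds, matching on the value name as well as the file name catches both stages; the files themselves (SYSMCM.EXE, SYSDRV.EXE, SYSTMP.DLL in the System directory) still have to be deleted after the Run entry is removed and the machine rebooted, as the advisory's steps say.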