W32/Amirecivel.H Worm

 Information about the W32/Amirecivel.H Worm:

W32/Amirecivel.H is a mass mailing worm. The worm will infect Windows systems and spreads through email.

The 'From' address of the infected email will be any one of the following;

bia2@yahoo.com
imen@yahoo.com
iransare@yahoo.com
iranvig@yahoo.com
irib@yahoo.com
irna@yahoo.com
irvirus@yahoo.com
john@yahoo.com
mary@yahoo.com
mohammad@yahoo.com
mozilla@yahoo.com
nastaran@yahoo.com
panda@yahoo.com
Reply @yahoo.com
shima@yahoo.com
simorg@yahoo.com
stan@yahoo.com
symntec@yahoo.com
taktaz@yahoo.com
IRANSARE20008@yahoo.com

The 'Subject' of the infected mail will be any one of the following;

FBI
IHS
hello
IRNA
irvirus
NOD32
irvanvig
Attention
password
symantec
simorgh-ev
ANTI VIRUS
IranSare2008
Returned Mail
Announcement
Your IP was logged
Read it immediately!
Soccer funs in public place
E-mail account disabling warning

The body of the infected mail will be any one of the following;

fun file
anti virus imen
noron anti virus
i hope thats not true!
the information is wrong!
another pic, have fun! ... :->
passworde user haye iranvig
passworde user haye simorgh
Ioana, sex in grup in camin. Cred ca o stii si
behtarin screen saver az axhaye iransare2008
salam dooste aziz...golchini az behtarinaxhaye iran sare
Six Soccer funs fucked one girl in public place. Mad images. View it.
salam..site irvirus hack shode va inam passworde admine sit hastesh
I find my husband. If you saw his report me please. His photos in attach.
salam lotfan forme nazar sanji ra ke hamrahe file peivast hast ra por konid
salam dooste aziz baraye rahaty az daste virus ha anti virus rayegane maara downlod konid
one of the files is a virus... can you tell me which one is it? hehehe, i'm only joking... your friend, paul..
three files for you to keep... always remember that i'm into deep... i don't know you but i think i'm in love...
Credeti ca ar fi mai bine ca Romania sa-si retraga trupele din Irak anul acesta?Deschideti programul Vot, alegeti votul dvs. si vedeti rezultatele.Parerea dvs. conteaza!

Upon execution of the infected attachment, the worm copies itself as AcroTray32.exe in the Windows system folder.

It alters the windows registry at the following location to load itself during next startup;

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also creates a mutex 'AmirCivil' to ensure only one instance of the worm is running.

The worm searches for files with the following extensions in system drives and spreads by copying itself with the filenames found with the .EXE extension appended.

.wav, .jpg, .jpeg, .avi, .bmp, .c, .cpp, .vbp, .vbw, .frm, .ocx, .DAT, .doc, .pdf, .zip, .sig, .Tif and .scr

To propagate itself, the worm scans the files having the following extensions and collects all the available email addresses from the infected system;

. txt, .html, .xml, .adb, .asp, .cfg, .cgi, .dbx, .eml, .pl, .shtm, .wab

The worm alters the hosts file to deny access to few antivirus websites. It also terminates some of the security related processes.

The worm also has the backdoor capabilities that opens a random TCP port on the infected machine.

This worm first appeared on July 26, 2006.

 Other names of W32/Amirecivel.H Worm:

This Worm is also known as W32.Amirecivel.H@mm.