W32.Ahker.F@mm

W32.Ahker.F@mm is a worm that was discovered March 31, 2005. It infects Windows 95, 98, Me, NT, 2000, XP, and Server 2003 computers.

Technical details and how it infects

When W32.Ahker.F@mm is executed, it performs the following actions:

  1. Copies itself as %Windir%\LSASS.EXE.

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Drops a copy of itself as C:\Documents and Settings\[Current User]\Start Menu\Startup\SVCHOST-.EXE.
  3. Adds the values: to the registry subkey: to disable the Registry Editor and the Task Manager.
  4. Modifies the values: in the registry subkey: to change the name of the computer.
  5. Adds the value: to modify security settings.
  6. Adds the value: to the registry subkeys: to modify firewall settings.
  7. Adds the values: to the registry subkeys: to modify security settings.
  8. Adds the values: to the registry subkeys: to modify security settings.
  9. Adds the value: to the registry subkey:
  10. Creates the file %Windir%\firewall.dll, which contains the following message:
  11. Creates the file %System%\svcpack.dll, which is not malicious.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  12. Appends the following message to the file %System%\hal.dll:
  13. Adds the following values: to the registry subkey: to disable several programs including the Registry Editor, Notepad, and Wordpad.
  14. Adds the value: to the registry key: so that the worm executes when Windows starts.
  15. Adds the value: to the registry key: so that the worm executes when Windows starts.
  16. Adds the value: to the registry key:
  17. Modifies the value: in the registry subkey: so that the worm is executed each time a .txt file is opened.
  18. Modifies the value: in the registry subkey: so that the worm is executed each time a .txt file is opened.
  19. Adds the value: to the registry subkey:
  20. Adds the values: to the registry subkey:

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  21. Adds the value: to the registry subkey:
  22. Ends the following processes, which disables several security programs and other worms:
    • bbeagle.exe
    • ccApp.exe
    • d3dupdate.exe
    • i11r54n4.exe
    • irun4.exe
    • mscvb32.exe
    • msblast.exe
    • navapw32.exe
    • navw32.exe
    • netstat.exe
    • outpost.exe
    • rate.exe
    • ssate.exe
    • sysinfo.exe
    • teekids.exe
    • taskmon.exe
    • wincfg32.exe
    • winsys.exe
    • winupd.exe
    • zapro.exe
    • zonealarm.exe
    • MSBLAST.exe
    • PandaAVEngine.exe
    • Penis32.exe
    • SVCHOST.EXE
    • SysMonXP.exe
  23. Modifies certain registry keys in order to disable the following programs:
    • AntiVirus
    • autoupdate
    • Explorer
    • Firewall
    • registrytool
    • System Restore
    • Task manager
  24. Disables the following applications:
    • regedit.exe
    • msnmsgr.exe
    • notepad.exe
    • svchost-.exe
    • wordpad.exe
    • write.exe
    • wuauclt.exe
    • wupdmgr.exe
    • AUPDATE.exe
    • ALUNOTIFY.exe
    • DAP.exe
    • LUALL.exe
  25. Adds the following lines to the Hosts file to block access to several Web sites, some of which may be security related:
  26. Spreads by sending a copy of itself to email addresses gathered from a compromised computer. The email has the following characteristics:

From:
One of the following:

    • owner@xxxceleb.com
    • Clip@celebporno.com
    • cought@worldporn.com

Subject:
One of the following:

    • Please READ!
    • Service Pack 2 Update!
    • Read this for your own good!
    • Service Pack 2 BUG!
    • Read it!
    • READ! HURRY! BEFORE It's too late!
    • Read this TWICE!
    • Microsoft Windows Service Pack 2 Bug!
    • Adminstrator
    • Microsoft's Worst Mistake!
    • Read this for your PC safety!

Message Body:

    • Hey buddy,Check out this new porn clip of Britney Sprears!Very Short but HOT!!DOWNLOAD IT and WATCH IT!
    • Hello!Paris Hilton new SEX TAPE has been released!In the attachment you will find some short quick scenes(HOT!!) that I liked the most!!Clip OwnerAdmin@fuckcelebrity.comDownload it! I know it's SHORT but at least you've watched the HOTTEST parts of it!Owner
    • Hi...Watch this and tell me what you think!Download it! It's short but it's VERY HOT!Hell yeah...it's Pam!Watch this latest clip of Pamela Anderson!You will find the clip in the attachment! Enjoy!Admin

Attachment: Clip.zip

Note: When Clip.zip is run, the worm downloads a copy of itself from the following domain:
[domain removed]/ahkerf.zip
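
The file locations and email characteristics listed above can be checked mechanically during triage. The following Python is an added example, not part of the original write-up: it matches a file listing and a raw message against the artifacts named on this page. The function names, the sample listing and the sample message are constructed for illustration.

```python
import ntpath
from email import message_from_string
# Indicators copied from the write-up; Windows paths compare case-insensitively.
WINDIR_DEFAULTS = ("c:\\windows", "c:\\winnt")   # defaults from the %Windir% note
WINDIR_DROPS = {"lsass.exe", "firewall.dll"}     # written directly under %Windir%
STARTUP_DROP = "svchost-.exe"  # trailing hyphen distinguishes it from svchost.exe
SUBJECTS = {s.lower() for s in (
    "Please READ!", "Service Pack 2 Update!", "Read this for your own good!",
    "Service Pack 2 BUG!", "Read it!", "READ! HURRY! BEFORE It's too late!",
    "Read this TWICE!", "Microsoft Windows Service Pack 2 Bug!", "Adminstrator",
    "Microsoft's Worst Mistake!", "Read this for your PC safety!")}

def classify_path(path):
    """Return a finding for a path matching a listed file artifact, else None."""
    folder, name = ntpath.split(ntpath.normpath(path.strip()).lower())
    if folder in WINDIR_DEFAULTS and name in WINDIR_DROPS:
        return "%Windir% drop: " + name
    if name == STARTUP_DROP and folder.endswith("\\start menu\\startup"):
        return "Startup drop: " + name
    return None

def scan_listing(paths):
    """Map every flagged path in a file listing to its finding."""
    return {p: f for p in paths if (f := classify_path(p))}

def mail_matches(raw):
    """True when a message has a listed subject and a Clip.zip attachment."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    names = {(part.get_filename() or "").lower() for part in msg.walk()}
    return subject in SUBJECTS and "clip.zip" in names

# Constructed sample data, not taken from a real host or mailbox.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\lsass.exe",       # System folder copy, not flagged
    r"C:\WINDOWS\LSASS.EXE",
    r"C:\Documents and Settings\alice\Start Menu\Startup\SVCHOST-.EXE",
    r"C:\WINDOWS\system32\svchost.exe",     # no hyphen, not flagged
    r"c:\winnt\firewall.dll",
]
SAMPLE_MAIL = (
    "From: sender@example.invalid\nSubject: Service Pack 2 BUG!\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b\"\n\n"
    "--b\nContent-Type: text/plain\n\nbody\n"
    "--b\nContent-Type: application/zip\n"
    "Content-Disposition: attachment; filename=\"Clip.zip\"\n\nUEsDBA==\n--b--\n")

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
    print("mail matches:", mail_matches(SAMPLE_MAIL))
```

The location test matters for LSASS.EXE: only the copy directly under %Windir% is flagged, while a file of the same name in the System folder is left alone.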

Statistics

  • Wild: Low
  • Damage: Medium
  • Removal: Medium
  • Distribution: High
