Spy Sweeper with AntiVirus

The most award-winning anti-spyware software

Spy Sweeper with Antivirus

Get serious about removing spyware with Spy Sweeper - the award-winning anti-spyware software trusted by millions of home computer users.

Add to Cart Button

$29.95

Spyware & Virus Directory

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 

W32.Mapson.Worm

Risk Level 2: Low

Discovered: June 6, 2003
Updated: November 20, 2003 02:51:39 PM ZE9
Also Known As: W32/Mapson@MM [McAfee], W32/Mapson-A [Sophos], WORM_MAPSON.A [Trend], Win32.Mapson.A [CA], I-Worm.Mapson [KAV]
Type: Worm
Infection Length: 180,736 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me

SUMMARY


W32.Mapson.Worm sends itself to all the contacts in the MSN messenger contact list. The Subject line, Message body, and attachment vary. The attachment will have a .com, .exe, or .pif file extension. Also, the email may have spoofed the From field.

This worm also attempts to spread itself through the KaZaA, KaZaA Lite, eDonkey2000, Gnucleus, Limewire, Morpheus, Grokster file-sharing networks and ICQ.

If the current system month is July, the worm will display messages with the title "Lorraine Worm [GEDZAC LABS 2003]."

W32.Mapson.Worm is written in the Borland Delphi programming language and is compressed with UPX.


Protection

  • Virus Definitions (LiveUpdate™ Weekly) June 7, 2003
  • Virus Definitions (Intelligent Updater) June 7, 2003

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: Medium
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Low
  • Large Scale E-mailing: Sends itself to all the email addresses in the MSN Messenger contact lists.

Distribution

  • Distribution Level: High
  • Subject of Email: Varies
  • Name of Attachment: Varies with the .com, .exe, or .pif file extension
  • Size of Attachment: 180,736 bytes
  • Shared Drives: Attempts to spread through KaZaA, KaZaA Lite, eDonkey2000, Gnucleus, Limewire, Morpheus, Grokster, and ICQ

TECHNICAL DETAILS


When W32.Mapson.Worm runs, it does the following:
  1. Copies itself to the %System% folder as the following:

    amigos.pif
    amigototote.pif
    amor-por-ti.pif
    antiwinlogon.pif
    antrox.scr
    BigBrother.pif
    bugmsn.pif
    chistesgraficos.pif
    chupamelo.pif
    comotegustan.pif
    CracksPPZ.pif
    cristina-aguilera.pif
    defaced-madonna-site.pif
    eggbrother.exe
    EICAX.COM
    existeee.pif
    financiamiento.pif
    GEDZAC.PIF
    grancarnal.exe
    grande.pif
    hackeahotmail.pif
    historial.pif
    hotmail.pif
    kamasutra.pif
    lacosha@hotmail.com
    LatinCard.pif
    linuxandmicrosoft.pif
    Lorenaaaa.pif
    Madonna_sEXY.pif
    MariaVirgen.pif
    Matrix-Trailer.pif
    mujeres.pif
    Música.pif
    No-Spam.exe
    nuevovirus.txt .pif
    Oradores.pif
    osamabinhuevoback.exe
    parejaideal.txt.pif
    petardas.pif
    porqueteamo.pif
    projimo.pif
    relacionsexual.pif
    resetarios.pif
    SARS.pif
    seguridad_en_hotmail.pif
    serhacker.pif
    Shakira.pif
    solo-a-ti.pif
    Spamno.pif
    te-pido.scr
    teamo.exe
    test-idiota.pif
    testpasion.pif
    thalialoca.pif
    TutorialVBSvirus.pif
    WindowsMediaPlayerBug.pif
    www.mfernanda.com
    www.vsantiviru.com
    www.zonaviru.com
    zorrotttas.pif

    NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP).

  2. Creates C:Lorraine.hta.

  3. Attempts to send itself to all the email addresses it finds in the MSN Messenger contact list. The Subject line, Message body, and attachment vary. Also, the email may have spoofed the From field.

    Some email examples:

    From: bigbrother@bigbrother.tv
    Subject: Big Brother te espera
    Message: Felicidades! le hemos enviado este E-Mail porque usted ha ganado un pasaje a México al programa Reality show BigBrother,si usted quiere participar en este programa deberá abrir el archivo adjunto.
    Attachment: BigBrother.pif

    From: support@hotmail.com
    Subject:Su cuenta de hotmail sera eliminada
    Message:Estimado usuario de hotmail,debido al trafico en el servidor y a las fallas que se han venido presentando en este presente mes,hemos de informarle que su cuenta será removida de nuestra base de datos en menos de 24 horas, le rogamos por favor lea el adjunto con los pasos para evitar que esto suceda. Atentamente el Equipo tecnico de Hotmail.
    Attachment: hotmail.pif

    From: support@passport.com
    Subject:10 reglas de seguridad para su cuenta de hotmail
    Message: Amable Usuario de hotmail, la razón de este mail es para darle a conocer las 10 reglas de seguridad que un usuario de passport debe tener en cuenta para evitar que su cuenta sea borrada, hackeada etc...las reglas están en el adjunto.Atentamente equipo tecnico de passport
    Attachment: seguridad_en_hotmail.pif

    From: hacker@hotmail.com
    Subject:+Puedo ser hacker en 24 horas?
    Message: No. La respuesta es un no rotundo. Ni en 24 ni en 48 horas :) Pero en este tiempo sí puedes tener una idea aproximada y muy básica de lo que es y de lo que "no es" un hacker y decidir si quieres convertirte en uno de ellos. Te recomiendo que leas el archivo que te mando, esta en español y es muy interesante acerca de estos temas (hacking,cracking,vulnerabilidades)
    Attachment: serhacker.pif

    Subject:Problema de seguridad en Windows Media Player
    Message: Windows Media Player, el reproductor multimedia que acompaña gratuitamente a los sistemas Microsoft, se ve afectado por un problema de seguridad que puede permitir la ejecución de código en la máquina del usuario atacado.por lo que recomendamos leer más acerca de este bug en el adjunto y aplicar los correspondientes parches de seguridad.
    Attachment: WindowsMediaPlayerBug.pif

    Subject: ¿Cómo hackear hotmail?
    Message: Hola, he estado buscando en la red y encontré esta guía de hacking que enseña como hackear hotmail,orienta al robo de cuentas, imagínate robarle la cuenta a tu novia, tu amigo etc.. a quien quieras, te lo aseguro yo ya lo leí y lo comprobé, disfrútalo.
    Attachment: hackeahotmail.pif

    From: notice@madonna.com
    Subject:Hackean pßgina de Madonna sospechosa de envenenar KaZaA
    Message: Tras sospecharse que Madonna contaminó la red KaZaA con algunos archivos envenenados, un grupo hacker ha contraatacado asaltando su página y colgando algunos de los temas de su último álbum en formato MP3.más de esta revelante noticia en el adjunto.|
    Attachment: defaced-madonna-site.pif

    Subject:+Que le atrae a las mujeres?
    Message: Un reciente estudio del comportamiento en la mujer afirma que a ellas les atrae de los hombreses la cara, las manos y su movimiento, si quiere saber más lea por favor el articulo que le adjuntamos
    Attachment: mujeres.pif

    From: Anti-Spam@campaña.com
    Subject:SPAM La proxima gran epidemia
    Message: El Spam esta avanzando constantemente y a logrado saturar nuestros correos electronicostal vez sea el principio de una epidemia mundial de esta peste que nos tiene cansados de la publicidad
    Attachment: No-Spam.exe

    From: test@hispasec.com
    Subject:Tests antivirus para comprobar la protección del e-mail
    Message: Hispasec pone a disposición de todos los usuarios dos tests para comprobar el correcto funcionamiento de la protección antivirus del correo electrónico. El primero de ellos nos indicará la correcta instalación y buen funcionamiento del antivirus, mientras que el segundo determinará la capacidad de detección proactiva para identificar gusanos que explotan vulnerabilidades conocidas.
    Attachment: EICAX.COM

    From: Amor@teamo.com
    Subject:Te amo
    Message: Lo amo a usted por que es la persona más linda del mundo.
    Attachment: teamo.exe

    From: Latincards@latincards.com
    Subject:LatinCards
    Message: Le han enviado una LatinCard para poder visualizarla abra el adjuntoGracias.
    Attachment: LatinCard.pif

    Subject: Chistes Grßficos
    Message: Estos son los chistes grßficos que mßs me han gustado espero que a ti también.
    Attachment: chistesgraficos.pif

    From: lorena@hotmail.com
    Subject: Te Amo
    Message: Averigua por que.....
    Attachment: porqueteamo.pif

    Subject: Test de pasi
    Message: Test de pasión para usted y su pareja, contéstelo y descubra cuanto desea y quiere a su pareja.
    Attachment: testpasion.pif

    From: Maria_fernanda@mfernanda.com
    Subject: Re: Dime que te parece
    Message: Hola, como estás? hace tiempo que no se nada de ti... quería hablar contigo sobre un tema.Se trata de mi nuevo portal en el que quiero ofrecer toda mi recopilación de links en espanol. Me gustaría que le echaras un vistazo y me dijeras que tal lo ves tu, si te gusta o cambiarías algo
    Attachment: www.mfernanda.com

    Subject: RE: Test de idiotes
    Message: Compruebe si usted es un verdadero idiota.
    Attachment: test-idiota.pif

    Subject: Kamasutra
    Message: Kamasutra el arte del sexo
    Attachment: kamasutra.pif

  4. Attempts to copy itself to the following folders:

    C:Program FilesKaZaAMy Shared Folder
    C:Program Filesedonkey2000incoming
    C:Program Filesgnucleusdownloads
    C:Program Filesicqshared files
    C:Program Fileskazaa litemy shared folders
    C:Program Fileslimewireshared
    C:Program Filesmorpheusmy shared folder
    C:Program FilesGroksterMy Grokster

    as:

    Sexy Bikini .gif .exe
    Sexo en la playa con .gif .exe
    las pelotas de .gif .exe
    Desnuda en la playa .gif .exe
    Nude Pic .gif .exe
    Sexy Beach .gif .exe
    Galilea Montijo.gif .exe
    Shakira.gif .exe
    Britney Spears.gif .exe
    Lorena.gif .exe
    Halle berry.gif .exe
    Cameron dias.gif .exe
    Pink.gif .exe
    Thalia.gif .exe
    Paulina Rubio.gif .exe
    Francini.gif .exe
    Brenda.gif .exe
    Celine Dion.gif .exe
    Kylie Minogue.gif .exe
    Laura Pausini.gif .exe
    Lili Brillanti.gif .exe
    Angelica Vale.gif .exe
    Alejandra Guzman.gif .exe

  5. If the current system month is July, the worm will display the following messages:







Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL


The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan and delete all the files detected as W32.Mapson.Worm.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Scanning for and deleting the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with W32.Mapson.Worm, click Delete.



Spy Sweeper 5.2 stops spyware in its tracks while offering home computer users the ability to configure the program to suit their specific needs, such as:

Choose a Quick, Full or Custom Sweep: With Spy Sweeper 5.2, you can easily choose to perform a quick, full or customized sweep. If you're looking for an immediate diagnosis, choose a quick sweep. For a pinpointed search, customize your sweep to have Spy Sweeper skip files by folder or file extension. For a deep cleaning, opt for a full sweep.

Exclude Files from a Sweep: Spy Sweeper allows you to save time during a sweep by skipping specific files or different sections of your PC. You can select specific file extension, such as .xls or .mpg to exclude.

Additional Highlights

As soon as it's installed, Spy Sweeper gives 360 degrees of protection against spyware, including:

Simple Sweeps: Detecting spyware and removing unwanted programs found on your computer in three effortless steps

Easy Management: Quickly and simply configure program, sweep and upgrade options

Fast Home: Use the home screen to access the most commonly used functions of Spy Sweeper

Shields Summary: A redesigned shields summary page makes it simple to see at a glance which shields are on or off

Action Alerts: Receive clear, easy-to-understand notifications when new spyware threats are detected

"Spy Sweeper remains a favorite for protection from spyware."



"This program's dominance is apparent as soon as you install it."