Crog IM worm
Discovered by antivirus vendors on March 7, 2005, the Crog IM worm sends its infected file to MSN contacts. When opened, the Crog worm edits the system registry to lower security settings, modifies the HOSTS file to redirect access to various security sites and shuts down processes associated with various security software. The Crog worm also spreads via the P2P eMule network and via the shared folder under 'Documents and Settings'.
Hidden within the Crog worm are text messages directed towards the author of the Assiral worm. Assiral, first discovered in February 2005, includes a routine to shut down processes associated with the Bropia Instant Messenger worms.
Symptoms of infection
The Crog worm copies itself to the Windows System folder as formatsys.exe and serbw.exe and to the Windows directory as msmbw.exe and lspt.exe. The following registry keys are then modified to launch these copies when Windows is started:
Under HKCU\Microsoft\Windows\CurrentVersion\ modifications are made to the Run key and the Policies\Explorer\Run key.
Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ modifications are made to the Run key, the RunServices key, and the policies\Explorer\Run key.
Additionally, the following files may be created in shared folders for the eMule P2P file-sharing program and in the current user's shared folder under Documents and Settings:
Crazy frog gets killed by train!.pif
Annoying crazy frog getting killed.pif
See my lesbian friends.pif
LOL that ur pic!.pif
My new photo!.pif
Me on holiday!.pif
The Cat And The Fan piccy.pif
How a Blonde Eats a Banana...pif
Mona Lisa Wants Her Smile Back.pif
Topless in Mini Skirt! lol.pif
Fat Elvis! lol.pif
Jennifer Lopez.scr
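The symptoms above are concrete, host-based indicators, so an added example (not part of the original article, and not a tool from any vendor named in it) shows how a defender would check them: inspecting the listed Run keys for the four dropped file names, listing HOSTS entries that point anywhere other than localhost, and spotting the lure file names in a shared folder. The registry paths in the script are the real ones (the article's HKCU path omits the Software component), the "Topless in Mini Skirt!" and "lol.pif" lines are treated as one lure name, and all sample data (registry values, HOSTS text, folder listing) is constructed for the demonstration.

```python
"""Read-only checks for the Crog worm indicators described in the article.

Added example with constructed sample data; it does not touch the real
registry or file system, so the same functions can be fed real data later.
"""
from pathlib import PureWindowsPath

# File names the article says Crog drops into %SystemRoot% and %SystemRoot%\System32.
DROPPED_BINARIES = {"formatsys.exe", "serbw.exe", "msmbw.exe", "lspt.exe"}

# Autostart keys the article says are modified (full, correct paths).
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)

# Lure names from the article, lower-cased for case-insensitive matching.
LURE_FILENAMES = {
    "crazy frog gets killed by train!.pif",
    "annoying crazy frog getting killed.pif",
    "see my lesbian friends.pif",
    "lol that ur pic!.pif",
    "my new photo!.pif",
    "me on holiday!.pif",
    "the cat and the fan piccy.pif",
    "how a blonde eats a banana...pif",
    "mona lisa wants her smile back.pif",
    "topless in mini skirt! lol.pif",
    "fat elvis! lol.pif",
    "jennifer lopez.scr",
}
LURE_EXTENSIONS = {".pif", ".scr"}  # executable formats disguised as pictures
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def exe_basename(command: str) -> str:
    """Lower-case file name of the program in a Run-key command line.

    Handles both quoted ("C:\\Program Files\\x\\y.exe" /arg) and bare paths.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end != -1 else command[1:]
    else:
        path = command.split(" ", 1)[0]
    return PureWindowsPath(path).name.lower()


def suspicious_run_values(run_values: dict) -> list:
    """run_values maps key path -> {value name: command}.

    Returns (key, value name, command) for every command whose executable
    is one of the Crog drop names.
    """
    hits = []
    for key, values in run_values.items():
        for name, command in values.items():
            if exe_basename(command) in DROPPED_BINARIES:
                hits.append((key, name, command))
    return hits


def nonlocal_hosts_entries(hosts_text: str) -> list:
    """(address, hostname) pairs in a HOSTS file other than the localhost lines.

    Crog redirects security sites by adding entries here, so on a machine that
    should have no custom HOSTS entries every returned pair needs review.
    """
    entries = []
    for raw in hosts_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, then whitespace-split
        if len(tokens) < 2:
            continue
        addr = tokens[0]
        for host in tokens[1:]:
            if host.lower() not in LOCAL_NAMES:
                entries.append((addr, host.lower()))
    return entries


def lure_files(filenames) -> list:
    """(name, reason) for shared-folder entries matching Crog's lure names,
    plus any other .pif/.scr file, which has no business in a media share."""
    findings = []
    for name in filenames:
        low = name.lower()
        if low in LURE_FILENAMES:
            findings.append((name, "known Crog lure name"))
        elif PureWindowsPath(low).suffix in LURE_EXTENSIONS:
            findings.append((name, "executable .pif/.scr in shared folder"))
    return findings


# ---- constructed sample data (not captured from a real infection) ----
SAMPLE_RUN_VALUES = {
    RUN_KEYS[2]: {
        "msmbw": r"C:\WINDOWS\msmbw.exe",
        "SoundMAX": r'"C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray',
    },
    RUN_KEYS[0]: {"formatsys": r'"C:\WINDOWS\system32\formatsys.exe"'},
}
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-security-vendor.invalid   # constructed entry
"""
SAMPLE_SHARE = ["Crazy frog gets killed by train!.pif", "holiday_2004.jpg",
                "Jennifer Lopez.scr", "setup.pif"]

if __name__ == "__main__":
    for hit in suspicious_run_values(SAMPLE_RUN_VALUES):
        print("autostart:", hit)
    for entry in nonlocal_hosts_entries(SAMPLE_HOSTS):
        print("hosts:", entry)
    for finding in lure_files(SAMPLE_SHARE):
        print("share:", finding)
```

On a live Windows host the three functions would be fed the output of `reg query` for each key in RUN_KEYS, the contents of `%SystemRoot%\System32\drivers\etc\hosts`, and a directory listing of the eMule and Documents and Settings shares; the checks are read-only, so they are safe to run before any cleanup is attempted.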
Prevention
Do not accept or execute files received unexpectedly via Instant Messenger programs. First check with the sender to determine whether it was intentionally sent. Before opening any file in a shared folder or received via IM (even those intentionally sent), scan the file first with up-to-date antivirus software.
Modifications to the HOSTS file and to critical areas of the system can be prevented with TeaTimer, a utility included with the free Spybot Search & Destroy. For tips on using and configuring TeaTimer, see Protecting the HOSTS file.