The only virus I found that has the words in it is this:<
>
<
>
securityresponse.symantec.com/avcenter/venc/data/w32.erkez.a@mm.html<
>
<
>
Here's a snippet of info. Bold is mine. While I doubt this is the virus infecting you (if you even have one), since it doesn't fit the profile explained below, I'll mention it in case they missed something.<
>
<
>
-----------------<
>
<
>
When W32.Erkez.A@mm runs, it does the following:<
>
<
>
<
>
1) If the computer's date is May 1, 2004, it will display the following Hungarian text:<
>
<
>
Emberek! Magyarok szazezrei, millioi elnek naprol - napra, halnak ehen - szomjan,<
>
s szegenysegben hazankban! Mikozben jonehany felso parlamenti gazember<
>
millios vagyonokra tesz szert, mitsem torodve velunk.<
>
Latszat emberek iranyitanak, kik emelik fizetesunk, s ketszer annyi adot vonnak le,<
>
kik igazsagszolgaltatasrol regelnek, mikor a bunozoket es a novekvo agressziot vedik<
>
torvenyeikkel, kik inkabb Forma1-re pocsekoljak a penzt, mialatt hajlektalanok<
>
halnak meg naponta utcainkon, s korhazi betegek szenvednek szukseges muszerek nelkul.<
>
Hogy - hogy nem latja ezt senki ???? Miert nincs egy igaz magyar, ki vegre<
>
mar nem sajat erdekeit, hanem az orszag sulyos problemait helyezne eloterbe!!!<
>
Nem eleg akarni, s beszelni, meg szonoklatni a szepet,s jot,<
>
tenni-tenni-tenni kell, egyarant mindenkinek - mindenkiert!<
>
== HAZAFI == /Pecs,2004, (SNAF Team)/<
>
<
>
<
>
2) Terminates itself if the month is not April.<
>
<
>
3) Copies itself to the %System% folder as an eight-character, random file name with a .exe extension. It also creates the text files in the same folder with .dll extensions.<
>
<
>
<
>
4) Creates the registry key:<
>
<
>
HKEY_LOCAL_MACHINESOFTWAREMicrosoftHazafi<
>
<
>
to store the configuration information of the worm.<
>
<
>
<
>
5) Adds the value:<
>
<
>
"<random name>"="%system%<random file name>.exe"<
>
<
>
to the registry key:<
>
<
>
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun<
>
<
>
so that the worm runs when you start Windows.<
>
<
>
<
>
6) Checks for an active Internet connection by querying http:/ /www.google.com.<
>
<
>
<
>
7) Attempts to end the following processes:<
>
<
>
dfw.exe <
>
fsav32.exe <
>
fsbwsys.exe <
>
fsgk32.exe <
>
fsm32.exe <
>
fssm32.exe <
>
fvprotect.exe <
>
mcagent.exe <
>
navapw32.exe <
>
navdx.exe <
>
navstub.exe <
>
navw32.exe <
>
nc2000.exe <
>
ndd32.exe <
>
netarmor.exe <
>
netinfo.exe <
>
netmon.exe <
>
nmain.exe <
>
nprotect.exe <
>
ntvdm.exe <
>
ostronet.exe <
>
outpost.exe <
>
pccguide.exe <
>
pcciomon.exe <
>
regedit.exe <
>
regedit32.exe <
>
taskmgr.exe <
>
tnbutil.exe <
>
vbcons.exe <
>
vbsntw.exe <
>
vbust.exe <
>
vsmain.exe <
>
vsmon.exe <
>
vsstat.exe <
>
winlogon.exe <
>
zonalarm.exe<
>
<
>
<
>
Searches for the email addresses in the files with the following extensions: <
>
<
>
.htm <
>
.wab <
>
.txt <
>
.dbx <
>
.tbb <
>
.asp <
>
.php <
>
.sht <
>
.adb <
>
.mbx <
>
.eml <
>
.pmr<
>
<
>
It avoids the email addresses containing the following substrings:<
>
<
>
microsoft <
>
vir <
>
trendmicro <
>
avp <
>
f-prot <
>
hotmail <
>
gov <
>
anti <
>
panda <
>
norton<
>
<
>
<
>
--------------------------------------------------------------------------------<
>
Note: The worm stores these email addresses in randomly named .dll files in the %System% folder.<
>
<
>
--------------------------------------------------------------------------------<
>
<
>
<
>
9) Generates the email addresses from random characters, to which it also sends itself.<
>
<
>
<
>
10) Randomly selects a recently typed URL from Internet Explorer's History folder and opens it in Internet Explorer.<
>
<
>
<
>
11) Sends an email that has the following characteristics:<
>
<
>
From: (One of the following)<
>
<
>
<spoofed><
>
<
>
mailto:kepeslapok@meglep.hu<
>
<
>
Subject: kepeslap erkezett!<
>
<
>
Message:<
>
Tisztelt felhasználó!<
>
Önnek kópeslapja órkezett!<
>
A kópeslap feladója: A lapot az alábbi cimen tudja megtekinteni: <
>
http//matav.hu/viewcard/index=psp4uo5683535GSb0123fhhf578840f0623cv2
vagy a mellókelt internetlink kattintásával.<
>
Üdvözlettel: Matav e-card!<
>
http//www.netezz.matav.hu/
<
>
<
>
-----------------------------------------<
>
<
>
EDIT: Darn emoticons...
<
>
<
><
>
[Tynkur Toyz][66 Gnomish Arch Convoker][Email][Magelo]<
>
<i>Edited by: Tynkur at: 6/26/05 12:51 pm<
></i>