Worm.MSN.Elon.a, AdClicker-BD, Trojan.MulDrop.1134, Worm:Win32/Smuma.A, WORM_SNONE.A, Worm/Rayl.A, W32/Elon.A, Worm/Elon.A, Win32.Worm.MSN.Elon.A, Worm.MSN.Elon.A
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
21 Sep 2004
W32.Snone.A is a worm that tries to propagate by inserting a malicious URL into outgoing MSN instant messages.
More details about W32.Snone.A
W32.Snone.A is a worm that tries to spread by inserting a malicious URL into outgoing MSN Instant Messenger messages. When the malicious URL is opened, the worm accesses a Web page on the “xf2s.com” domain, which displays a picture and tries to use the Internet Explorer ITS Protocol Zone Bypass Vulnerability exploit to open a “.CHM” file on the similar site. The worm terminates “ZoneAlarm” and the following processes: “RavMon.EXE”, “EGHOST.EXE”, “MAILMON.EXE”, and “NETBARGP.EXE”. The worm downloads and opens the following files: “C:SYShttp1.sys” and “C:SYShttp2.sys”.
W32.Snone.A drops the “%System%\moniker.exe”, “%System%\hktt.dll”, and “%Temp%\winX.tmp” files. Note that %System% is a variable that refers to the system folder. This is “C:\Winnt\System32” (Windows NT/2000), “C:\Windows\System” (Windows 95/98/Me), or “C:\Windows\System32” (Windows XP). %Temp% is a variable that refers to the Windows temporary folder. This is “C:\WINNT\Temp” (Windows NT/2000) or “C:\Windows\TEMP” (Windows 95/98/Me/XP). W32.Snone.A adds the value "realone_nt2003" = "%system%\moniker.exe" to the registry key, so that the worm runs each time Windows starts. W32.Snone.A then runs “moniker.exe”, which uses “hktt.dll” to hook MSN Instant Messenger. This causes the URL to be sent with each message through Instant Messenger, along with a message in Chinese characters.
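The indicators described above can be checked against a host triage snapshot. The following is an added example, not part of the original entry or any vendor tool: the snapshot format, function names and sample data are constructed, and because the entry does not name the startup registry key, autorun entries are matched on value name or launched file only.

```python
import ntpath
from urllib.parse import urlsplit

# Indicators taken from the description above.
DROPPED = {"moniker.exe", "hktt.dll"}
RUN_VALUE = "realone_nt2003"
DOMAIN = "xf2s.com"
# %System% resolves differently per Windows version, as the description lists.
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system", r"c:\windows\system32"}

def check_files(paths):
    """Flag dropped file names only inside a %System% folder (case-insensitive)."""
    hits = []
    for p in paths:
        folder, name = ntpath.split(ntpath.normpath(p))
        if folder.lower() in SYSTEM_DIRS and name.lower() in DROPPED:
            hits.append(p)
    return hits

def check_autoruns(entries):
    """entries: (key, value_name, data); the key is not named on the page."""
    hits = []
    for key, name, data in entries:
        target = ntpath.basename(data.strip('"')).lower()
        if name.lower() == RUN_VALUE or target == "moniker.exe":
            hits.append((key, name, data))
    return hits

def check_urls(urls):
    """Match the host exactly or as a parent domain, never as a substring."""
    def host(u):
        return (urlsplit(u).hostname or "").lower()
    return [u for u in urls if host(u) == DOMAIN or host(u).endswith("." + DOMAIN)]

# Constructed triage snapshot (hypothetical format, not real host data).
KEY = "<startup key, not named on the page>"
SNAPSHOT = {
    "files": [r"C:\WINDOWS\system32\Moniker.exe", r"C:\WINDOWS\system32\hktt.dll",
              r"C:\Tools\moniker.exe", r"C:\WINDOWS\system32\notepad.exe"],
    "autoruns": [(KEY, "realone_nt2003", r"C:\WINDOWS\system32\moniker.exe"),
                 (KEY, "ctfmon", r"C:\WINDOWS\system32\ctfmon.exe")],
    "urls": ["http://xf2s.com/", "http://xf2s.com.example.net/",
             "http://example.org/?q=xf2s.com"],
}

if __name__ == "__main__":
    print(check_files(SNAPSHOT["files"]), check_autoruns(SNAPSHOT["autoruns"]), check_urls(SNAPSHOT["urls"]))
```

The look-alike host and the query-string mention in the sample URLs are deliberately not flagged, since only the host portion is compared.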