New worm disables Security Software

Sunbelt Blog reported a new World Cup soccer worm. The worm arrives as an e-mail attachment with one of the following subjects and message bodies:

Subjects:

1. Soccer fans killed five teens
2. Crazy soccer fans
3. Please reply me Tomas
4. My tricks for you
5. Naked World Cup game set
6. My sister whores, shit i dont know

Message Bodies:

1. Soccer fans killed five teens, watch what they make on photos. Please report on this all who know.
2. Crazy soccer fans killed two teens, watch what they make on photos. Please report on this all who know.
3. I wait your photos from New York. I sent my pics where i naked for you. Please reply me. Linda Salivan
4. Nudists are organising their own tribute to the world cup, by staging their own nude soccer game, though it is not clear how the teams will tell each other apart. Good photos ;)
5. Emily Carr was an artist know for her prudery, but now the Portrait Gallery of Canada has aquired a nude self-portrait. View photos.

Upon execution, the worm copies itself to the following location:

%Sysdir%\msctools.exe

It also attempts to download additional malware from:

http://couple{removed}.com/tumbs/dianaimg.exe

The worm also attempts to disable the following processes:

AVP32.EXE, AVPCC.EXE, AVPM.EXE, AVP.EXE, iamapp.exe, iamserv.exe, FRW.EXE, blackice.exe, blackd.exe, zonealarm.exe, vsmon.exe, VSHWIN32.EXE, VSECOMR.EXE, WEBSCANX.EXE, AVCONSOLE.EXE, VSSTAT.EXE, OUTPOST.EXE, REGEDIT.EXE, NETSTAT.EXE, TASKMGR.EXE, MSCONFIG.EXE, NAVAPW32.EXE, UPDATE.EXE, msctools.exe
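
The process list above can be turned into a behavioural check: one program stopping several of these security and admin tools within a short time is a stronger signal than any single name match. The following is an added example, not code from the original post or from Sunbelt; the event format, the sample paths, the 60-second window and the threshold of three are assumptions.

```python
from collections import defaultdict
from ntpath import basename  # parses Windows paths on any OS

# Process names the post lists as targets (compared case-insensitively).
TARGETS = {n.lower() for n in """AVP32.EXE AVPCC.EXE AVPM.EXE AVP.EXE iamapp.exe
iamserv.exe FRW.EXE blackice.exe blackd.exe zonealarm.exe vsmon.exe VSHWIN32.EXE
VSECOMR.EXE WEBSCANX.EXE AVCONSOLE.EXE VSSTAT.EXE OUTPOST.EXE REGEDIT.EXE
NETSTAT.EXE TASKMGR.EXE MSCONFIG.EXE NAVAPW32.EXE UPDATE.EXE msctools.exe""".split()}

SAMPLE = [  # constructed events: (epoch_seconds, actor_image, terminated_image)
    (100, r"C:\WINDOWS\system32\msctools.exe", r"C:\Program Files\AV\avp.exe"),
    (101, r"C:\WINDOWS\system32\msctools.exe", r"C:\Program Files\Zone\VSMON.EXE"),
    (102, r"C:\WINDOWS\system32\msctools.exe", r"C:\WINDOWS\system32\taskmgr.exe"),
    (103, r"C:\WINDOWS\system32\msctools.exe", r"C:\WINDOWS\regedit.exe"),
    (200, r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\system32\taskmgr.exe"),
    (900, r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\regedit.exe"),
    (950, r"C:\Tools\updater.exe", r"C:\Tools\update.exe"),
]

def find_killers(events, window=60, min_distinct=3):
    """Return {actor_path: sorted target names} for actors that stopped at
    least min_distinct different listed processes within `window` seconds."""
    by_actor = defaultdict(list)
    for ts, actor, target in events:
        name = basename(target).lower()
        # A program stopping another copy of its own image name is not counted.
        if name in TARGETS and name != basename(actor).lower():
            by_actor[actor].append((ts, name))
    hits = {}
    for actor, kills in by_actor.items():
        kills.sort()
        start = 0
        for end in range(len(kills)):
            while kills[end][0] - kills[start][0] > window:
                start += 1  # slide the window forward
            distinct = {n for _, n in kills[start:end + 1]}
            if len(distinct) >= min_distinct:
                hits[actor] = sorted(set(hits.get(actor, [])) | distinct)
    return hits

def uses_dropped_name(actor):
    """True if the actor's file name matches the worm's copy, msctools.exe."""
    return basename(actor).lower() == "msctools.exe"

if __name__ == "__main__":
    for actor, names in find_killers(SAMPLE).items():
        print(actor, names, "dropped-name match:", uses_dropped_name(actor))
```

The distinct-target threshold matters because REGEDIT.EXE, TASKMGR.EXE and UPDATE.EXE are closed routinely by users and updaters, as the explorer.exe and updater.exe rows in the sample show.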

June 20, 2006 at 7:41 pm | In Worms