P2P-Worm.Win32.Surnova.k

Other versions: .a, .p, .t

Aliases

P2P-Worm.Win32.Surnova.k (Kaspersky Lab) is also known as:

Worm.P2P.Surnova.k (Kaspersky Lab)
W32/Supova.worm!p2p (McAfee)
W32.Supova.Worm (Symantec)
Win32.HLLW.Supernova.45056 (Doctor Web)
W32/Surnova-H (Sophos)
Win32/Supova.G.worm (RAV)
WORM_SURNOVA.K (Trend Micro)
Worm/Surnova.K (H+BEDV)
W32/Spuova.M@p2p (FRISK)
Win32:Supov (ALWIL)
Worm/Surnova (Grisoft)
Win32.Worm.Supova.K (SOFTWIN)
W32/Supova.K (Panda)
Win32/Surnova.K (Eset)

Description added: Oct 24 2007
Behavior: P2P Worm

Technical details

This network worm spreads via file-sharing networks. It propagates by creating copies of itself in publicly accessible Kazaa directories, and also sends copies of itself via Windows Messenger. The worm is a Windows PE EXE file, 45056 bytes in size.

Installation

When launched, the worm causes the following error message to be displayed:

The worm then copies its executable file to the Windows root directory under one of the following names:

%WinDir%\BigMac.exe
%WinDir%\Alles-ist-vorbei.exe
%WinDir%\Desktop-shooting.exe
%WinDir%\Hello-Kitty.exe
%WinDir%\Cheese-Burger.exe
%WinDir%\Blaargh.exe

To ensure that it is launched automatically when the system is rebooted, the worm adds a reference to its executable file to the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Supernova" = "%WinDir%\<name of worm file>.exe"

Payload

The worm copies its executable file to the following folder:

%WinDir%\Media

under the following names:

Windows XP key generator.exe
Windows XP serial generator.exe
Key generator for all windows XP versions.exe
Warcraft 3 ONLINE key generator.exe
Half-life ONLINE key generator.exe
Quake 4 BETA.exe
Grand theft auto 3 CD1 crack.exe
GTA3 crack.exe
Battle.net key generator (WORKS!!).exe
Warcraft 3 battle.net serial generator.exe
Half-life WON key generator.exe
Star wars episode 2 downloader.exe
Winzip 8.0 + serial.exe
Winrar + crack.exe
Britney spears nude.exe
Macromedia MX key generator (all products).exe
KaZaA media desktop v2.0 UNOFFICIAL.exe
Microsoft key generator, works for ALL microsoft products!!.exe
Microsoft Windows XP crack pack.exe
Hack into any computer!!.exe
DivX codec v6.0.exe
DivX newest version.exe
DivX.exe
DivX pro key generator.exe
Key generator for over 1,000 applications (really!).exe
DivX patch - Increases quality.exe
KaZaA spyware remover.exe
Age of empires 2 crack.exe
Norton antivirus 2002.exe
Macromedia Dreamweaver MX Key Generator.exe
Macromedia Flash MX Key Generator.exe
Microsoft Office XP (english) key generator.exe
Microsoft Office XP.iso.exe
CloneCD + crack.exe
CloneCD all-versions key generator.exe
XBOX emulator (WORKS!!).exe
Gamecube Emulator (WORKS!!).exe
Xbox.info.exe
Spiderman CD 1 of 2.exe
Spiderman CD 2 of 2.exe
Blade 2 [DVD Quality].exe

The worm also copies its executable file, under the names listed above, to the Kazaa shared folder, i.e. the directory that the following registry value points to:

[HKLM\Software\Kazaa\LocalContent]
"Dir0"

The worm also spreads via a vulnerability in MSN Messenger that makes it possible to download files to the victim machine without the user's knowledge or consent. To do this, the worm sends a message with a specially crafted header to all MSN contacts. The copy of the worm is accompanied by one of the following messages:

Hehe, check this out :-)
Funny, check it out (h)
LOL!! See this :D
LOL!! Check this out :)
Hehe, this is fun :-)

The worm also deletes all files from the C: root directory.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the worm process.
  2. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following system registry key value:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Supernova" = "%WinDir%\<name of worm file>.exe"
  4. Delete the copies of the worm:
    %WinDir%\BigMac.exe
    %WinDir%\Alles-ist-vorbei.exe
    %WinDir%\Desktop-shooting.exe
    %WinDir%\Hello-Kitty.exe
    %WinDir%\Cheese-Burger.exe
    %WinDir%\Blaargh.exe
  5. Delete all copies of the worm from the hard disk.
  6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
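A triage helper for the indicators listed in this description, added here as an example and not Kaspersky's own code: it parses a registry export for the "Supernova" Run value and the Kazaa "Dir0" share path, then lists the six %WinDir% copy names and the folders where the decoy-named copies are dropped. The SAMPLE_REG text is constructed, not a real capture, the parser handles plain string values only, and the C:\WINDOWS default is an assumption.

```python
import re

# File names and registry locations below are the ones given in the description.
WORM_NAMES = ["BigMac.exe", "Alles-ist-vorbei.exe", "Desktop-shooting.exe",
              "Hello-Kitty.exe", "Cheese-Burger.exe", "Blaargh.exe"]
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
KAZAA_KEY = r"HKEY_LOCAL_MACHINE\Software\Kazaa\LocalContent"

# Constructed sample of a 'reg export' of the two keys on an infected host; the
# Kazaa path and the benign ctfmon entry are made up for this demonstration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Supernova"="C:\\WINDOWS\\Hello-Kitty.exe"

[HKEY_LOCAL_MACHINE\Software\Kazaa\LocalContent]
"Dir0"="C:\\Kazaa\\My Shared Folder"
'''

def parse_reg_export(text):
    """Parse [key] headers and "name"="value" lines of a .reg export (REG_SZ only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # undo the doubled backslashes of the .reg format
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def check_surnova(reg, windir=r"C:\WINDOWS"):
    """Report the persistence value and every location where copies may sit."""
    persist = reg.get(RUN_KEY, {}).get("Supernova")
    share = reg.get(KAZAA_KEY, {}).get("Dir0")
    files = [windir + "\\" + name for name in WORM_NAMES]
    dirs = [windir + r"\Media"] + ([share] if share else [])  # decoy-named copies
    known = False
    if persist:
        path = persist.replace("%WinDir%", windir)
        known = path.rsplit("\\", 1)[-1].lower() in [n.lower() for n in WORM_NAMES]
        if path.lower() not in [f.lower() for f in files]:
            files.append(path)  # Run value points elsewhere: inspect that too
    return {"persistence_value": persist, "matches_known_name": known,
            "files_to_check": files, "dirs_to_review": dirs}
```

On a live host, feed it the output of `reg export` for the two keys and review each listed file and folder before deleting anything.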
 

Copyright © 1996 - 2010
Kaspersky Lab