W32.XPExp.Worm Hoax

Discovered: January 31, 2003
Updated: February 13, 2007

Symantec Security Response encourages you to ignore any messages regarding this hoax. It is intended only to cause unwarranted concern. This hoax arrives as a message box on the computer screen. The message box is not a result of executing a local file, but the result of a user remotely instructing the computer to display the message box via Microsoft Networking. Users should take steps to lock down their system to prevent this type of hoax message box from appearing.



Message box hoaxes and spam can arrive unexpectedly on your computer if Microsoft Networking is enabled. Microsoft Networking can be blocked by configuring your desktop firewall to block the following ports:
    • 135/tcp - Microsoft RPC
    • 135/udp - Microsoft RPC
    • 138/udp - Microsoft NetBIOS
    • 139/tcp - Microsoft RPC, Named Pipes, NetBIOS, File Sharing
    • 445/tcp - Microsoft Named Pipes, RPC, File Sharing
    • 445/udp - Microsoft Named Pipes, RPC, File Sharing
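
To see which of the ports listed above a machine is still listening on, the output of `netstat -an` can be checked against the list. The Python script below is an added example, not part of the original writeup; the sample netstat output and the function name `exposed_ports` are constructed for illustration.

```python
"""Audit Windows `netstat -an` output for the Microsoft Networking ports listed above."""

# (protocol, port) pairs taken from the advisory's firewall block list.
WATCHED = {("tcp", 135), ("udp", 135), ("udp", 138),
           ("tcp", 139), ("tcp", 445), ("udp", 445)}

# Constructed sample output (addresses are made up), not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1050      10.0.0.5:445           ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    127.0.0.1:123          *:*
  UDP    192.168.1.10:138       *:*
"""


def exposed_ports(netstat_text):
    """Return sorted (proto, port, local_address) for watched non-loopback listeners."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # banner, header, or blank line
        proto = fields[0].lower()
        # TCP rows have a state column; outbound or established sessions are not listeners.
        if proto == "tcp" and (len(fields) < 4 or fields[3].upper() != "LISTENING"):
            continue
        addr, _, port = fields[1].rpartition(":")
        if not port.isdigit() or addr.startswith("127.") or addr == "[::1]":
            continue  # unparsable row, or bound to loopback only
        if (proto, int(port)) in WATCHED:
            found.add((proto, int(port), addr))
    return sorted(found)


if __name__ == "__main__":
    for proto, port, addr in exposed_ports(SAMPLE_NETSTAT):
        print(f"{port}/{proto} is open on {addr}: needs a firewall block rule")
```

A listener reported here is reachable from the network unless the desktop firewall blocks that port; netstat does not show firewall state.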

To disable the service that allows remote message boxes, perform the following steps. Please be aware that modifying these configurations may prevent other applications from operating properly and will disable the ability to share files via Microsoft Networking with remote computers:

For Windows 9x:
    1. Select Start | Settings | Control Panel
    2. Double-click Network
    3. Select the Configuration tab
    4. Click File and Print Sharing
    5. Disable I want to be able to give others access to my files.
    6. Disable I want to be able to allow others to print to my printer(s).
    7. Click OK

For Windows NT/2000:
    1. Select Start | Programs | Administrative Tools | Services
    2. Scroll down until you see the Messenger service
    3. Right-click Messenger
    4. Click Stop
    5. In the Startup type drop-down list select Disable
    6. Click OK

For Windows XP:
    1. Select Start | Control Panel | Performance and Maintenance | Administrative Tools | Services
    2. Scroll down until you see the Messenger service
    3. Right-click Messenger
    4. Click Stop
    5. In the Startup type drop-down list select Disable
    6. Click OK





This hoax arrives as a pop-up message box on the system. The message box will state it comes from Symantec, but this is a hoax. The message box will contain an IP address specifying the computer that sent the message and the time.

The message box may state:
    Symantec (Deutschland) GmbH - Kaiserswerther Str. 115 - 40880 Ratingen
    Telefon: 02 102/74 53-0 - Telefax: 02 102/74 53 922

    Sehr geehrter Computernutzer,

    Symantec Online VirusScan hat den Befall Ihres Rechners mit dem Virus W32.XPExp.Worm
    festgesllt. W32.XPExp.Worm is ein Wurm, der Systeme angreft, auf denen Windows 2000/XP
    verwendet wird. Hierdurch werden schleichend Dokumente verandert bzw, unbrauchbar.
    Aufgrund der grossen Anzahl an versendeten Datenpaketen verursacht der Wurm ausserdem einen
    Denial-of-Service-Angriff, fur den Sie unter Umstanden haftbar gemacht werden konnen.

    Da bereits gross Teile des Internets betroffen sind und wir uns der Sicherheit der Computernutzer
    verpflichtet fuhlen, erhalten Sie kostenlos eine Vollversion von Norton AntiVirus 2003, wenn Sie
    uns unter o.g. Kontakt ansprechen.

    Mit freundlichen Grussen
    Ihr Symantec AntiVirus Team

Such messages can be displayed remotely via Microsoft Networking. Please ignore any messages regarding this hoax and do not pass them on. Passing on messages about the hoax only serves to further propagate it.
Writeup By: Eric Chien