THIS WAS AN APRIL FOOLS JOKE - IT IS NOT REAL!!


VIRUS ALERT

W32.Trance.1999@mm

 

Discovered on: March 30, 2004
Last Updated on: March 31, 2004 9:17:09 PM  

As of March 31, 2004, due to an increase in submission rate, we have upgraded W32.Trance.1999@mm to a Category 3 level threat from a Category 2 threat.

The W32.Trance.1999@mm virus:

  • is a carefully crafted worm that remains resident in the memory of an infected system

  • stays idle and is triggered when the system reads from or writes to a file ending with the MP3 suffix. It then searches for an ID3 (v1/v2) tag and, if the "Genre" field has "Trance" selected, releases its payload and corrupts the music file at 15-second intervals*

  • immediately begins to infect crucial Windows System files and corrupts any past Windows XP System Restore sessions, preventing the user from restoring their pre-corruption state

    * Approximate - point of corruption will vary with encoded quality & type used

Notes:
  • There is no way to fix a corrupted file - the data is randomly shuffled using your system time as the seed.
  • The virus has an MD5 value of 0x04871d17dbbd196d9dbd2011afc734dd.


Also Known As: W32/Transe.1999@mm
Type: Worm
Infection Length: 15,488 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x, DOS, Eniac

threat assessment

Threat Metrics

  • Wild: High
  • Damage: Low
  • Distribution: High
technical details


Current information suggests this virus may be inspired by Trance.1721, as it has a day-based trigger as well as a file-based one. W32.Trance.1999@mm contains the text string: "Trance Virus (c) 1999 by DJ Viral".

When W32.Trance.1999@mm is executed, it performs the following actions:

  1. Copies itself as %Windir%\WinTrance.exe (15,488 bytes).


    Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  2. Hooks onto rundll32 and any processes that call upon it.

  3. Creates a mutex named "_-oOaxX|-+O+-+a+-+K+-+e+-+N+-+f+-+O+-+l+-+D+-+|XxKOo-_", which allows only one instance of the virus to remain resident concurrently.

  4. Adds the value:

    "Trance"="%Windir%\WinTrance.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  5. The worm will drop the following file into your Kazaa share directory:
    • trancebootlegnewunreleased.zip: A .zip file that contains the worm (15,488 bytes).

  6. Deletes the values:
    • Explorer
    • system.
    • msgsvr32
    • au.exe
    • winupd.exe
    • direct.exe
    • jijbl
    • Video
    • service
    • DELETE ME
    • hrhr.exe
    • OLE
    • Sentry
    • gouday.exe
    • rate.exe
    • Taskmon
    • Windows Services Host
    • sysmon.exe
    • srate.exe
    • ssate.exe
    • Microsoft IE Execute shell
    • Winsock2 driver
    • ICM version
    • dontsendtheletter.exe
    • omghi2u.exe
    • pixorstfu.exe
    • tit.exe
    • paulmolitor_was_here.exe
    • are_you_a_ninja.bat
    • Microsoft System Checkup
    • ssvd.exe

      from the registry keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


      in an attempt to uninstall other worms that may be on an infected computer.

  7. Deletes the following subkeys:
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MP3
    • HKEY_CLASSES_ROOT\CLSID\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

  8. If the system date is the 1st day of any month, it will attempt to perform a Denial of Service (DoS) attack against the following sites between 17:00 and 21:00 (GMT):
    • www.ivibes.nu
    • www.tranceaddict.com
    • www.ets-global.org

PREVENTION

The best way to protect yourself is to set your MP3 files to be read-only so that the worm may not make modifications to them.
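
The read-only step above, applied only to files that match the trigger condition this alert describes, as an added example that is not part of the original alert. It assumes the genre is stored in an ID3v1 tag (the last 128 bytes of the file, where genre index 31 is "Trance") and does not parse ID3v2; the helper names and sample files are constructed for illustration.

```python
import os
import stat
import tempfile

ID3V1_SIZE = 128      # an ID3v1 tag occupies the last 128 bytes of the file
GENRE_TRANCE = 31     # ID3v1 genre index for "Trance"
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def id3v1_genre(path):
    """Return the ID3v1 genre byte, or None if the file carries no ID3v1 tag."""
    if os.path.getsize(path) < ID3V1_SIZE:
        return None
    with open(path, "rb") as fh:
        fh.seek(-ID3V1_SIZE, os.SEEK_END)
        tag = fh.read(ID3V1_SIZE)
    # Layout: "TAG" + title/artist/album/year/comment (124 bytes) + genre (1 byte)
    return tag[127] if tag[:3] == b"TAG" else None

def protect_trance_files(root):
    """Clear the write bits on every .mp3 under root tagged Trance; return their names."""
    changed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".mp3") and id3v1_genre(path) == GENRE_TRANCE:
                os.chmod(path, os.stat(path).st_mode & ~WRITE_BITS)
                changed.append(name)
    return sorted(changed)

def make_sample(path, genre):
    """Write a constructed test file: dummy audio bytes followed by an ID3v1 tag."""
    tag = b"TAG" + b"\x00" * 124 + bytes([genre])
    with open(path, "wb") as fh:
        fh.write(b"\xff\xfb" + b"\x00" * 64 + tag)

def demo():
    """Build two constructed files, protect the Trance one, report owner-write state."""
    with tempfile.TemporaryDirectory() as root:
        make_sample(os.path.join(root, "a.mp3"), GENRE_TRANCE)
        make_sample(os.path.join(root, "b.mp3"), 17)  # 17 = Rock, left untouched
        changed = protect_trance_files(root)
        writable = {n: bool(os.stat(os.path.join(root, n)).st_mode & stat.S_IWUSR)
                    for n in ("a.mp3", "b.mp3")}
    return changed, writable

if __name__ == "__main__":
    print(demo())
```

A process running as the file's owner can clear the read-only flag again, so this only stops writers that do not reset it.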
