Kaspersky Threats

Class

Platform

Description

Technical Details

This is the first known Internet worm executed as a PIF-file (Windows Program information file). The worm body is a standard Windows PIF file, but with a special inside routine.

In infected systems, the worm can be found in three different forms:

– as a PIF file itself
– as a DOS BAT file spreading on a local computer
– as an INI script to spread through IRC channels

All three of these components are the same file, but with different names and extensions. They are contained by a system in different ways (as PIF file, as DOS batch program, as mIRC script) and their functionality is different.

The worm also drops a VBS-script file-helper to spread by e-mail.

After running, the FABLE.PIF file-worm makes two copies of itself with the names: C:TEST.BAT and %WinDir%BackUp570.pif. Then it executes C:TEST.BAT
that then is executed as a DOS batch file. This batch file makes several more copies in different directories and with different names. There are more than 30 files, for example:

%WinDir%CommandMS_Dos_Prompt.pif
%WinDir%MS_Dos_Prompt.pif
%WinDir%Game.pif
%WinDir%MrBat.bat
%WinDir%Plans.bat
%WinDir%TasksDefault.bat

Some of these files have the attributes “Hidden” and “Read-Only.” Separately, the worm creates INI files for mIRC clients and VBS-script files:

%WinDir%Blah.vbs
%WinDir%Blah2.vbs
C:mIRCScript.ini
C:Program FilesScript.ini

The INI-file is used for spreading through IRC channels. The VBS script creates the WINSTART.BAT file in the Windows directory, including commands for a run-itself copy when the operation system is starting. After that, the virus scripts through
API Outlook and creates and sends a message to every recipient in the Address Book.

The message contains randomly chosen subject from the following texts:

Fable
Something You Should Read
Very Important That You Receive This

The body of the message consists of one of two phrases:

A nice little fable
Wanted to make sure you received this

The FABLE.PIF file is attached to every message.

After the messages have been sent, the worm takes out the text message:

The Grasshopper and the Owl
An Owl, accustomed to feed at night and to sleep during the day,
was greatly disturbed by the noise of a Grasshopper and earnestly
besought her to stop chirping. The Grasshopper refused to
desist, and chirped louder and louder the more the Owl entreated.
When she saw that she could get no redress and that her words
were despised, the Owl attacked the chatterer by a stratagem.
“Since I cannot sleep,” she said, “on account of your song which,
believe me, is sweet as the lyre of Apollo, I shall indulge
myself in drinking some nectar which Pallas lately gave me. If
you do not dislike it, come to me and we will drink it together.”
The Grasshopper, who was thirsty, and pleased with the praise of
her voice, eagerly flew up. The Owl came forth from her hollow,
seized her, and put her to death.

Class	Email-Worm
Platform	PIF
Description	Technical Details This is the first known Internet worm executed as a PIF-file (Windows Program information file). The worm body is a standard Windows PIF file, but with a special inside routine. In infected systems, the worm can be found in three different forms: – as a PIF file itself – as a DOS BAT file spreading on a local computer – as an INI script to spread through IRC channels All three of these components are the same file, but with different names and extensions. They are contained by a system in different ways (as PIF file, as DOS batch program, as mIRC script) and their functionality is different. The worm also drops a VBS-script file-helper to spread by e-mail. After running, the FABLE.PIF file-worm makes two copies of itself with the names: C:TEST.BAT and %WinDir%BackUp570.pif. Then it executes C:TEST.BAT that then is executed as a DOS batch file. This batch file makes several more copies in different directories and with different names. There are more than 30 files, for example: %WinDir%CommandMS_Dos_Prompt.pif %WinDir%MS_Dos_Prompt.pif %WinDir%Game.pif %WinDir%MrBat.bat %WinDir%Plans.bat %WinDir%TasksDefault.bat Some of these files have the attributes “Hidden” and “Read-Only.” Separately, the worm creates INI files for mIRC clients and VBS-script files: %WinDir%Blah.vbs %WinDir%Blah2.vbs C:mIRCScript.ini C:Program FilesScript.ini The INI-file is used for spreading through IRC channels. The VBS script creates the WINSTART.BAT file in the Windows directory, including commands for a run-itself copy when the operation system is starting. After that, the virus scripts through API Outlook and creates and sends a message to every recipient in the Address Book. The message contains randomly chosen subject from the following texts: Fable Something You Should Read Very Important That You Receive This The body of the message consists of one of two phrases: A nice little fable Wanted to make sure you received this The FABLE.PIF file is attached to every message. After the messages have been sent, the worm takes out the text message: The Grasshopper and the Owl An Owl, accustomed to feed at night and to sleep during the day, was greatly disturbed by the noise of a Grasshopper and earnestly besought her to stop chirping. The Grasshopper refused to desist, and chirped louder and louder the more the Owl entreated. When she saw that she could get no redress and that her words were despised, the Owl attacked the chatterer by a stratagem. “Since I cannot sleep,” she said, “on account of your song which, believe me, is sweet as the lyre of Apollo, I shall indulge myself in drinking some nectar which Pallas lately gave me. If you do not dislike it, come to me and we will drink it together.” The Grasshopper, who was thirsty, and pleased with the praise of her voice, eagerly flew up. The Owl came forth from her hollow, seized her, and put her to death.

Email-Worm.PIF.Fable

Technical Details