Email-Worm.VBS.SSIWG

Class Email-Worm
Platform VBS
Description

Technical Details

This is “LoveLetter” -like Internet worm spreading via
e-mail by sending infected messages from infected computers. While
spreading, the worm uses MS Outlook and sends itself to all addresses that
are stored in the MS Outlook Address Book.

The known worm version has a mistake (one instruction is mistyped), and the
worm is not able to spread its copies via e-mail messages. In addition to this,
the mistake may be easily fixed, and the worm will be able to spread.

The worm is able to propagate through a local network. To do this, the worm
enumerates network resources and copies itself to there. The worm is not
able to activate itself on a remote computer, and infects it only in case the
worm copy is occasionally run by a user.

The worm itself is a VBS script program.

The worm arrives as an e-mail message with:

Subject: I’am missing U
Message body: Could u remember me ?
Attachment name: Y072QWV.VBS

Upon being activated by a user, the worm copies itself to the Windows system
directory with the same name (Y072QWV.VBS) and registers this copy in
the auto-run section in the system registry:

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
“Y072QWV” = %Windir%Y072QWV.VBS

where “Windir” is the name of Windows system directory.

The worm then spreads through a local network by copying its “Y072QWV.VBS”
file to the root directory on drives shared for writing.

To send infected messages, the worm connects to MS Outlook, obtains all
addresses from the address book and sends to there its messages (the subject, body
and attachment name are the same as listed above).

Because the worm registers itself in the auto-run registry section, it is
activated upon each Windows boot-up, but it does not spread by e-mail
messages each time it is run. The worm has a counter that is stored in
the Windows registry:

HKEY_LOCAL_MACHINE “Y072QWV” = number

where “number” is the number of starts (upon each start, the worm increases
this counter). When the counter reaches 20, the worm resets it to zero and then
runs an Outlook infection routine. Otherwise, the worm skips it.

As a result, the worm sends infected messages only upon the first run (being
activated from an infected message), and upon each 20th reboot. The local
network spreading routine is activated each time the worm starts.

The worm has a feature that makes its detection a little bit more
difficult. All text strings in the worm code are slightly encrypted, and in
case of need, the worm decrypts and uses them.