Email-Worm.VBS.Talorm

Class Email-Worm
Platform VBS
Description

Technical Details

Talorm is a worm that spreads via the Internet as an attachment to infected emails and also sends copies of itself over IRC channels. The worm itself is a CHM file (compressed HTML file) about 17KB in length.

Infected messages have the following features:

The Subject Line text is randomly selected from the following variants:

  - Fotos de Thalia
  - Free Pics
  - Fotos XXX de Thalia
  - Fotos Exitantes de Thalia

The body text is randomly selected from the following variants:

  - Checa estas fotos de Thalia
  - Hola que tal? ya viste las super fotos exitantes de Thalia
  - Como tas! aqui te mando unas fotos de Thalia
  - Para mis mejores Amigos fotos de Thalia
  - Fotos XXX de Thalia
  - unas fotos bien padres de Thalia
  - Imagenes insolitas de Thalia
  - Apuesto a que no has visto desnuda a Thalia
  - HOLA! TE RETO A CHECAR ESTAS FOTOS BIEN CHIDAS DE Thalia
  - Fotos Exitantes de la cantante Thalia

 Attach:  Thalia.chm
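
The message features listed above can be turned into a mail-gateway triage check. This is an added example, not part of the original description; the function names, the verdict labels and the choice to flag any other CHM attachment for review are assumptions made for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the description above (compared case-insensitively).
SUBJECTS = {"fotos de thalia", "free pics",
            "fotos xxx de thalia", "fotos exitantes de thalia"}
ATTACHMENT = "thalia.chm"


def classify(raw: bytes):
    """Return (verdict, reasons) for one raw message as received by a gateway."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # policy.default decodes RFC 2047 encoded-words in headers and filenames.
    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    names = [(p.get_filename() or "").strip().lower() for p in msg.walk()]
    reasons = []
    if ATTACHMENT in names:
        reasons.append("attachment is named Thalia.chm")
    elif any(n.endswith(".chm") for n in names):
        reasons.append("other CHM attachment")
    if subject in SUBJECTS:
        reasons.append("subject matches a listed variant")
    if ATTACHMENT in names:
        verdict = "talorm"        # attachment name given in the description
    elif reasons:
        verdict = "suspicious"    # assumption: route to manual review
    else:
        verdict = "clean"
    return verdict, reasons


def sample(subject: str, filename: str = "") -> bytes:
    """Build a constructed test message; the attachment body is harmless filler."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", subject
    m.set_content("constructed sample body")
    if filename:
        m.add_attachment(b"not a real CHM", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (sample("Fotos de Thalia", "Thalia.chm"),
                sample("FREE PICS"), sample("Minutes", "notes.pdf")):
        print(classify(raw))
```

A subject match alone is only marked suspicious because a line such as "Free Pics" is common in unrelated mail.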

An example of a “Talorm” email message:

The worm activates from an infected email only when the user clicks on the attached file. If this happens, Talorm installs itself to the system and runs its spreading routine.

The worm then overwrites a registry key with new text:

 HKLM\Software\Microsoft\Windows\CurrentVersion
  RegisteredOwner = "Thalia"

and displays the message:

Installing

While installing, the worm copies itself to the Windows directory under the name “Thalia.chm” and registers this file in the system registry auto-run key:

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Thalia = %WinDir%\Thalia.CHM

Spreading: EMail

To send infected messages, the worm uses MS Outlook and sends them to all addresses found in the victim machine’s Outlook address book.

Spreading: IRC

The worm looks for the mIRC subdirectory in the “Program Files” directory and writes a new “script.ini” file to this location. This script file contains instructions that send copies of the worm to every user who joins an infected IRC channel.