Email-Worm.Win32.Adrenaline

Class Email-Worm
Platform Win32
Description

Technical Details

This is a virus-worm that infects Windows systems and spreads via IRC channels. The worm itself is a Windows executable file, written in MS Visual C++ and compressed by PECompact (compressed size is about 35K, uncompressed size is about 65K).

When an infected file is run, it looks for EXE files in the Windows directory and infects them. While infecting, the virus moves the file body down by 35K and then writes itself to the top of the file. To pass control to the host file, the virus “disinfects” the host into a file named HOSTFILE.EXE, spawns it and then deletes it. The virus pays attention to file names and does not infect a file if its name begins with ‘E’, ‘P’, ‘R’, ‘T’ or ‘W’, or if its third letter is ‘D’, or its fifth letter is ‘R’.

The virus also infects EXE files in the C:\MIRC\DOWNLOAD directory, without paying attention to file names.

To spread via IRC channels, the virus drops its “pure” image to the Windows system directory under the name BUGFIX.EXE, and overwrites the SCRIPT.INI file in the mIRC client directory. The infected SCRIPT.INI contains just one instruction, which sends the BUGFIX.EXE file to everybody joining the infected IRC channel.

The virus looks for the mIRC client in the MIRC and PROGRA~1\MIRC directories on all drives from C: to F:.
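As an added triage example (written for this entry; it is not code from the page or from the worm), the Python below turns the infection details above into defender-side checks: the file-name rule and the 35K prepend layout from the infection routine, and the BUGFIX.EXE reference in an overwritten SCRIPT.INI from the IRC-spreading routine. The search window around 35K, the minimal PE-like sample image and the mIRC script line are constructed assumptions, since the page gives only an approximate size and no exact script text.

```python
"""Added triage helpers for the Adrenaline infector described above.

Example code written for this entry, not from the worm or the original page.
The 35K figure and the file-name rule come from the text; the MZ/PE header
layout is standard; the search window around 35K and all sample data are
constructed assumptions.
"""
from __future__ import annotations

import ntpath

# The page says the compressed worm body is "about 35K" and that the host body
# is moved down by that amount; the window below is an assumption around it.
PREPEND_MIN = 30 * 1024
PREPEND_MAX = 40 * 1024
E_LFANEW_OFFSET = 0x3C  # offset of the PE-header pointer in a DOS header


def name_is_skipped(path: str) -> bool:
    """Apply the page's do-not-infect rule to a Windows file name.

    The worm skips files whose name begins with E, P, R, T or W, whose third
    letter is D, or whose fifth letter is R. Applied to the base name,
    case-insensitive. For *.EXE names the result is the same with or without
    the extension, since ".EXE" contains neither D nor R.
    """
    name = ntpath.basename(path).upper()
    if name[:1] in ("E", "P", "R", "T", "W"):
        return True
    if len(name) >= 3 and name[2] == "D":
        return True
    if len(name) >= 5 and name[4] == "R":
        return True
    return False


def find_prepended_host(data: bytes) -> int | None:
    """Return the offset of a second MZ/PE header in the ~35K window, or None.

    A prepending infector that writes itself "to the top of the file" leaves
    the original executable, DOS header included, intact further down. A
    plausible DOS header in the window that points at a "PE\0\0" signature is
    a cheap first-pass indicator; it is a heuristic, not proof of infection.
    """
    if data[:2] != b"MZ":
        return None  # not a DOS/PE image at all
    pos = data.find(b"MZ", PREPEND_MIN)
    while pos != -1 and pos <= PREPEND_MAX:
        hdr_end = pos + E_LFANEW_OFFSET + 4
        if hdr_end <= len(data):
            e_lfanew = int.from_bytes(data[pos + E_LFANEW_OFFSET:hdr_end], "little")
            pe_sig = data[pos + e_lfanew:pos + e_lfanew + 4]
            if 0x40 <= e_lfanew < 0x1000 and pe_sig == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def script_ini_indicators(text: str) -> list[str]:
    """Return the lines of an mIRC SCRIPT.INI that reference BUGFIX.EXE.

    The page says the overwritten SCRIPT.INI holds a single instruction that
    sends BUGFIX.EXE to everyone joining the channel, so any reference to that
    name in a script file deserves a look.
    """
    return [line for line in text.splitlines() if "BUGFIX.EXE" in line.upper()]


def make_sample_host(size: int = 0x200) -> bytes:
    """Constructed minimal PE-like image for the demo (not a real program)."""
    e_lfanew = 0x80
    img = bytearray(size)
    img[0:2] = b"MZ"
    img[E_LFANEW_OFFSET:E_LFANEW_OFFSET + 4] = e_lfanew.to_bytes(4, "little")
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(img)


def make_sample_infected(host: bytes, stub_size: int = 35 * 1024) -> bytes:
    """Constructed stand-in for an infected file: an MZ-tagged blob of the
    page's stated size placed in front of the untouched host."""
    stub = b"MZ" + b"\0" * (stub_size - 2)
    return stub + host


if __name__ == "__main__":
    host = make_sample_host()
    infected = make_sample_infected(host)
    print("clean host:", find_prepended_host(host))    # None
    print("infected:", find_prepended_host(infected))  # 35840
    for n in ("EXPLORER.EXE", "NOTEPAD.EXE", "ABDEF.EXE", "ABCDR.EXE"):
        print(n, "skipped" if name_is_skipped(n) else "candidate")
    # Constructed SCRIPT.INI content in typical mIRC syntax (not quoted from the page)
    sample_ini = "[script]\nn0=on 1:JOIN:#:/dcc send $nick C:\\WINDOWS\\SYSTEM\\BUGFIX.EXE\n"
    print(script_ini_indicators(sample_ini))
```

The header check is deliberately conservative: a second MZ/PE pair around 35K into an executable is unusual enough to warrant a closer look, but a responder should confirm with a hash or signature match before treating a file as infected, and the file-name filter only tells you which EXE files the worm would have considered at all.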

The virus then runs another routine that sends messages using MS Outlook. The virus does not spread itself in these messages; it just spams the address “Rhape79@ultimatechaos.demon.co.uk” with messages that have a randomly generated Subject and Body. On each run, the virus sends 15 messages to that address.