Kaspersky Threats

Class

Platform

Description

Technical Details

This is a virus-worm that spreads via the Internet, attached to infected
e-mails. The worm itself is a Windows PE EXE file about 4Kb in length and written in
Assembler. The main worm code is compressed by a built-in aPLib data compression
algorithm, so the original worm code is about 6Kb.

The infected messages contain:

Subject: different (see below)
Body: empty HTML message
Attach: whatever.exe

The Subject is randomly constructed from variants (str1 + str2 + … + str5):

 str1
 ----

 Fw:
 Fw: Re:

then:

 str2            str3          str4            str5
 ----            ----          ----            ----

 Cool            website       to check        !!      
 Nice            site          for you         !       
 Hot             pics          i found         :-)     
 some            urls          to see          ?!      
 Funny           pictures      here            hehe ;-)
 weird           stuff         - check it              
 funky           mp3s                                
 great           shit                                
 Interesting     music                               
 many            info

To run from an infected message, the worm uses a security breach (IFRAME
vulnerability, similar to the one used by the “Nimda” worm). So the worm may be
activated from infected e-mail simply upon reading or previewing the message.

When an infected file is run, the unpacking routine takes control,
unpacks the main worm code into the memory and jumps to it. The main code then
sends infected messages to e-mail addresses found in WAB (Windows Address
Book). To send e-mails, the worm connects to default the SMTP server.

The worm does not install itself to the system and is not activated anymore
(except cases when a user clicks on an attached e-mail again).

The worm has no payload routine and does not manifest itself in any way.

The e-mail spreading routine contains weak mistakes, and it seems the worm is
not able to spread under many e-mail client-server configurations.

The most interesting thing about worm is the fact that the activating-and-spreading routine (this is the main routine) is full in just about 3K of
executable code.

The worm contains the following text:

:::iworm.alizee.by.mar00n!ikx2oo1:::
while typing this text i realize this text got added on many av description sites, because this silly worm could be easily a hype. i wonder which av claims ‘[companyname] stopped high risk worm before it could escape!’ or shit like that. heh, or they boycot my virus because of this text. well, it is easy enough for the poor av’s to add this worm; since it was only released as source in coderz#2… btw, loveletter*2 power in pure win32asm and only a 4k exe file. heh, vbs kiddies, phear win32asm. 🙂 thx to: bumblebee!29a, asmodeus!ikx. greets to: starzer0!ikx, t-2000!ir, ultras!mtx & sweet gigabyte…btw,burgemeester van sneek: ik zoek nog een baantje…(alignmentfillingtext)

Class	Email-Worm
Platform	Win32
Description	Technical Details This is a virus-worm that spreads via the Internet, attached to infected e-mails. The worm itself is a Windows PE EXE file about 4Kb in length and written in Assembler. The main worm code is compressed by a built-in aPLib data compression algorithm, so the original worm code is about 6Kb. The infected messages contain: Subject: different (see below) Body: empty HTML message Attach: whatever.exe The Subject is randomly constructed from variants (str1 + str2 + … + str5): str1 ---- Fw: Fw: Re: then: str2 str3 str4 str5 ---- ---- ---- ---- Cool website to check !! Nice site for you ! Hot pics i found :-) some urls to see ?! Funny pictures here hehe ;-) weird stuff - check it funky mp3s great shit Interesting music many info To run from an infected message, the worm uses a security breach (IFRAME vulnerability, similar to the one used by the “Nimda” worm). So the worm may be activated from infected e-mail simply upon reading or previewing the message. When an infected file is run, the unpacking routine takes control, unpacks the main worm code into the memory and jumps to it. The main code then sends infected messages to e-mail addresses found in WAB (Windows Address Book). To send e-mails, the worm connects to default the SMTP server. The worm does not install itself to the system and is not activated anymore (except cases when a user clicks on an attached e-mail again). The worm has no payload routine and does not manifest itself in any way. The e-mail spreading routine contains weak mistakes, and it seems the worm is not able to spread under many e-mail client-server configurations. The most interesting thing about worm is the fact that the activating-and-spreading routine (this is the main routine) is full in just about 3K of executable code. The worm contains the following text: :::iworm.alizee.by.mar00n!ikx2oo1::: while typing this text i realize this text got added on many av description sites, because this silly worm could be easily a hype. i wonder which av claims ‘[companyname] stopped high risk worm before it could escape!’ or shit like that. heh, or they boycot my virus because of this text. well, it is easy enough for the poor av’s to add this worm; since it was only released as source in coderz#2… btw, loveletter*2 power in pure win32asm and only a 4k exe file. heh, vbs kiddies, phear win32asm. 🙂 thx to: bumblebee!29a, asmodeus!ikx. greets to: starzer0!ikx, t-2000!ir, ultras!mtx & sweet gigabyte…btw,burgemeester van sneek: ik zoek nog een baantje…(alignmentfillingtext)

Email-Worm.Win32.Aliz

Technical Details