Email-Worm.Win32.Android

Class Email-Worm
Platform Win32
Description

Technical Details

This is a virus-worm that spreads via Internet channels, attached to
e-mail messages as the ULTRA.EXE Windows executable file. This worm is
related to I-Worm_Suppl.

The worm has a very dangerous payload: within one week following computer infection, the worm erases files with
the following extensions on local and remote drives: ICO, DOC, TXT, HTM, JPG, GIF, ZIP, RAR. The erasing method
is the same one used by the I-Worm_ZippedFiles worm, and damaged files are not recoverable.

On the 5th of any month, the worm drops an ANDROID.BMP file with the “ANDROID” text
in it, and registers it in the system as wallpaper.

Installing

When the ULTRA.EXE file is activated by a user, the virus gains control and
installs itself into the system: it copies itself to the Windows system
directory under the ANDROID.DLL name, then drops its DLL component (which is
stored inside the EXE file) to the same directory under the ULTRA.DLL name.

The worm then adds renaming instructions to the WININIT.INI file. These
instructions rename WSOCK32.DLL to WSOCK33.DLL and replace WSOCK32.DLL with
the worm’s ULTRA.DLL library. This trick causes Windows to replace its
WSOCK32.DLL with the worm copy upon the next Windows restart.
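The WININIT.INI mechanism the worm abuses is a legitimate Windows 9x feature: lines under a [rename] section have the form Destination=Source and are carried out on the next restart (a destination of NUL deletes the source). The following script, added here as an example and not part of the original description, parses such a section and flags any pending rename that moves aside or overwrites WSOCK32.DLL, which is exactly the pattern described above. The sample INI text inside the script is constructed to mirror the entries the write-up describes; the full paths in it are an assumption.

```python
"""Scan a WININIT.INI [rename] section for entries that swap out a Windows
networking DLL, the persistence trick described in the write-up above.

Added example, not code from the original description. WININIT.INI is a
Windows 9x mechanism: lines under [rename] have the form Destination=Source
and are executed on the next restart; NUL as a destination deletes the source.
The sample INI text below is constructed; the exact paths are an assumption.
"""
import ntpath

# Libraries whose replacement through WININIT.INI is a red flag for a defender.
WATCHED_LIBRARIES = {"WSOCK32.DLL"}

# Constructed sample of a WININIT.INI after infection (assumed paths).
SAMPLE_WININIT_INI = """\
[rename]
C:\\WINDOWS\\SYSTEM\\WSOCK33.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\ULTRA.DLL
NUL=C:\\WINDOWS\\TEMP\\~SETUP.TMP
"""


def parse_rename_section(ini_text):
    """Return the [rename] entries as (destination, source) pairs, in order.

    A hand-written parser is used instead of configparser because the
    destination key is a path (contains ':' and backslashes), may repeat,
    and is case-insensitive, all of which configparser handles poorly.
    """
    entries = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            entries.append((dest.strip(), src.strip()))
    return entries


def find_library_swaps(entries, watched=WATCHED_LIBRARIES):
    """Flag rename entries that move a watched library aside, overwrite it,
    or delete it. Returns a list of findings; empty means nothing suspicious.
    """
    findings = []
    for dest, src in entries:
        dest_name = ntpath.basename(dest).upper()
        src_name = ntpath.basename(src).upper()
        if dest_name == "NUL":
            if src_name in watched:
                findings.append(f"{src_name} will be deleted")
            continue
        if src_name in watched:
            findings.append(f"{src_name} will be moved aside to {dest_name}")
        if dest_name in watched:
            findings.append(f"{dest_name} will be overwritten by {src_name}")
    return findings


def scan_wininit(ini_text):
    """Convenience wrapper: parse the INI text and return the findings."""
    return find_library_swaps(parse_rename_section(ini_text))


if __name__ == "__main__":
    for finding in scan_wininit(SAMPLE_WININIT_INI):
        print("WARNING:", finding)
```

On a real Windows 9x machine the file to read is WININIT.INI in the Windows directory; a non-empty findings list before a restart is worth investigating, because a legitimate installer rarely needs to rename WSOCK32.DLL.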

When Windows initializes its DLLs, it loads the infected (worm’s) DLL instead of the original one, and as a result the worm gains access to the network functions.

Spreading

Upon the next Windows restart, the infected WSOCK32.DLL is loaded into system
memory and gains control. At this moment the worm intercepts all the library
functions that the original WSOCK32 library exports. For all but two of them,
the worm simply forwards the requests to the original functions; for this
purpose, it also loads WSOCK33.DLL (the original library) into memory.

The two functions the virus handles itself are “send” and “connect.” By
intercepting these functions, the worm catches outgoing e-mails and attaches its copy to them as the
ULTRA.EXE file.