Email-Worm.Win32.Atirus

Class Email-Worm
Platform Win32
Description

Technical Details

This is a Win32 worm that spreads by sending itself via e-mail to the recipients in a victim’s Outlook Address book.

When launched on a ‘clean’ PC, the worm copies itself to %SYSTEM%\Setup30.exe.
The worm also writes an auto-start key, so it will launch each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Kernel Setup=%SYSTEM%\Setup30.exe

The worm then sleeps for 5 minutes and runs one of its payloads, chosen by the system date (day of the week):

Monday: finds and removes I-Worm.Badtrans

Tuesday: restores default values in Win.ini:
[windows]
Run=
Load=

and sets the following registry key value:

HKCR\exefile\shell\open\command
Default value="%1" %*

Wednesday: finds and removes I-Worm.PrettyPark

Thursday: deletes the following files if they exist:

c:\mirc\mirc.ini
c:\mirc\script.ini
c:\mirc32\mirc.ini
c:\mirc32\script.ini
c:\irc\mirc.ini
c:\irc\script.ini
c:\chat\mirc.ini
c:\chat\script.ini
c:\progra~1\mirc\mirc.ini
c:\progra~1\mirc\script.ini
c:\progra~1\mirc32\mirc.ini
c:\progra~1\mirc32\script.ini
c:\progra~1\irc\mirc.ini
c:\progra~1\irc\script.ini

Friday: finds and removes I-Worm.Sircam.c

Saturday: restores default values in System.ini:
[boot]
Shell=explorer.exe

Sunday: finds and deletes all files with a “.vbs” extension in %WINDOWS% and %SYSTEM% folders.

On September 16, displays the following message:

Antivirus
System protected by I-Worm.Antivirus
Copyright (c) 2001 by aLL3gRo

After executing the payload, the worm checks whether the following registry value is present:

HKLM\Software\Microsoft\Windows\CurrentVersion Install=1

If the value does not exist, the worm tries to send itself to the senders of the messages found in the folders of the default MAPI client.

The message it sends has the subject “New antivirus tool” and carries the attachment “Antivirus.exe”, which is the worm itself; the body reads:

Hey, checkout this new antivirus tool which checks your system for viruses
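The lure described above is easy to match at a mail gateway. The following is an added example, not part of the original description: it parses an RFC 822 message with Python’s standard library and reports which of the page’s indicators (subject, attachment name, body text) it matches. The sample message is constructed here; its attachment is dummy bytes, not the worm.

```python
"""Mail-side check for the Email-Worm.Win32.Atirus lure (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description; compared case-insensitively.
ATIRUS_SUBJECT = "new antivirus tool"
ATIRUS_ATTACHMENT = "antivirus.exe"
ATIRUS_BODY = "checkout this new antivirus tool which checks your system for viruses"


def atirus_indicators(raw_message: bytes) -> list[str]:
    """Return the Atirus indicators matched by a raw message ('subject',
    'attachment', 'body'); an empty list means nothing matched."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().lower() == ATIRUS_SUBJECT:
        hits.append("subject")
    # Walk every leaf part: the executable attachment carries the worm,
    # the text part carries the lure sentence.
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = (part.get_filename() or "").lower()
        if filename == ATIRUS_ATTACHMENT:
            hits.append("attachment")
        elif part.get_content_type() == "text/plain":
            if ATIRUS_BODY in part.get_content().lower():
                hits.append("body")
    return hits


def is_atirus_lure(raw_message: bytes) -> bool:
    """Flag a message when both the subject and the attachment name match;
    the body sentence alone is treated as supporting evidence only."""
    hits = atirus_indicators(raw_message)
    return "subject" in hits and "attachment" in hits


def build_sample() -> bytes:
    """Constructed sample reproducing the lure with a harmless dummy payload."""
    msg = EmailMessage()
    msg["From"] = "victim@example.invalid"
    msg["To"] = "contact@example.invalid"
    msg["Subject"] = "New antivirus tool"
    msg.set_content("Hey, checkout this new antivirus tool which checks your system for viruses\n")
    msg.add_attachment(b"MZ-dummy-bytes", maintype="application",
                       subtype="octet-stream", filename="Antivirus.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(atirus_indicators(build_sample()), is_atirus_lure(build_sample()))
```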