Technical Details
This is a worm that spreads under Win32 systems. The virus sends e-mail messages
with infected files attached, as well as installs a spying Trojan component
to steal information from infected systems. The worm was discovered
in-the-wild in November 2001.
The worm itself is a Win32 executable file (PE EXE file). It was found
in-the-wild in compressed form, and is about 29Kb in size. Upon being
decompressed, the worm file length becomes about 60Kb in size.
The worm consists of two main components, the Worm and Trojan. The “Worm”
component sends infected messages, and the “Trojan” component sends out
information (user’s info, RAS data, cached passwords, keyboard log) from
infected computers to a specified e-mail address. It also keeps a “keylogger”
program body in its code, and installs it into the system while infecting a new
machine.
Infecting the system
When an infected file is run (when a user clicks on an attached file and
activates it, or if the worm gains control through an IFRAME security breach),
the worm code gains control. First of all, it drops (installs)
its components to the system and registers in the system registry.
The installed Trojan file-name, the target directory and registry key are
optional. They are stored in encrypted form in the Trojan file at the file end.
A hacker may configure them before sending them to a victim’s machine, or
before putting it on a Web site.
The worm also drops an additional keyboard hooker (Win32 DLL file) to the system,
and then uses this to spy on text entered by a keyboard. The DLL file name is
optional as well.
Other optional features are:
– the worm deletes original infected file when installation is complete
– the size of keyboard log file
Spreading
To send infected messages, the worm uses a direct connection to an SMTP server.
A victim’s e-mail addresses are obtained in two different ways:
#1. The worm scans *.HT* and *.ASP files and extracts e-mail addresses from here
#2. The worm, using MAPI functions, reads all e-mail from the incoming box,
and obtains e-mail addresses from here.
Next, the worm sends infected messages. The message body contains HTML format, and
uses an IFRAME breach to spawn an infected attachment on vulnerable machines.
The message fields are as follows:
From: – original sender, or fake address, randomly selected from:
” Anna”
“JUDY”
“Rita Tulliani”
“Tina”
“Kelly Andersen”
” Andy”
“Linda”
“Mon S”
“Joanna”
“JESSICA BENAVIDES”
” Administrator”
” Admin”
“Support”
“Monika Prado”
“Mary L. Adams”
” Anna”
“JUDY”
“Tina”
The original sender address is a bit modified: the “_” character is inserted
before the e-mail address in there, for example:
“John K. Smith” “Vasja Pupkin” – original address
“John K. Smith” <_john123@yahoo.com> “Vasja Pupkin” <_vasyap@rambler.ru> – sent by worm
Subject: empty, or “Re:”, or “Re:” followed by original Subject from real
Inbox messsage (see #2 above)
Body: empty
Attachment: randomly selected “filename + ext1 + ext2” where:
“Filename”:
Pics (or PICS ) Card (or CARD)
images (or IMAGES) Me_nude (or ME_NUDE)
README Sorry_about_yesterday
New_Napster_Site info
news_doc (or NEWS_DOC) docs (or DOCS)
HAMSTER Humor (or HUMOR)
YOU_are_FAT! (or YOU_ARE_FAT!) fun (or FUN)
stuff SEARCHURL
SETUP S3MSONG
"ext1": .DOC .ZIP .MP3
"ext2": .scr, .pif
For example: “info.DOC.scr”
The worm doesn’t send infected messages twice to the same address. To do this,
it stores all infected e-mails in the Windows system directory in a PROTOCOL.DLL
file, and checks this file content before sending a new message.
Spying Trojan
This routine stores stolen information to a log file (with an optional name), and
encrypts this information with a key (also optional). After a period of time, this
information is sent to one of a number of randomly selected e-mail addresses. A list of these addresses appears below; the list contains 22 addresses and e-mail servers; and
these messages are sent through (email + server):
ZVDOHYIK@yahoo.com mx2.mail.yahoo.com
udtzqccc@yahoo.com mx2.mail.yahoo.com
DTCELACB@yahoo.com mx2.mail.yahoo.com
I1MCH2TH@yahoo.com mx2.mail.yahoo.com
WPADJQ12@yahoo.com mx2.mail.yahoo.com
fjshd@rambler.ru mail5.rambler.ru
smr@eurosport.com mail.ifrance.com
bgnd2@canada.com mail.canada.com
muwripa@fairesuivre.com fs.cpio.com
rmxqpey@latemodels.com inbound.latemodels.com.criticalpath.net
eccles@ballsy.net inbound.ballsy.net.criticalpath.net
suck_my_prick@ijustgotfired.com mail.monkeybrains.net
suck_my_prick4@ukr.net mail.ukr.net
thisisno_fucking_good@usa.com usa-com.mr.outblaze.com
S_Mentis@mail-x-change.com mail-fwd.rapidsite.net
YJPFJTGZ@excite.com mta.excite.com
JGQZCD@excite.com mta.excite.com
XHZJ3@excite.com mta.excite.com
OZUNYLRL@excite.com mta.excite.com
tsnlqd@excite.com mta.excite.com
cxkawog@krovatka.net imap.front.ru
ssdn@myrealbox.com smtp.myrealbox.com
Found In-The-Wild
This worm variant found in-the-wild on November 24, 2001 has the following
options:
It installs itself to a Windows system directory with the KERNEL32.EXE name, and
registers it in the following registry key:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
Kernel32 = kernel32.exe
It drops a keyboard hooker with the KDLL.DLL name. The log info is stored in the Windows system
directory with the CP_25389.NLS name.
|