Email-Worm.Win32.Cervivec

Class Email-Worm
Platform Win32
Description

Technical Details

Cervivec is an Internet worm virus spreading via the Internet as an email attachment.

The worm itself is a Windows PE EXE file about 230Kb in size, written in Delphi. It is compressed by UPX – the decompressed size is about 670Kb.

The infected messages have Subject/Body content randomly selected from different variants in different languages:

Vtip
Cau posilam ti cerviky tak se na to podivej (virus to neni)

Vtip
Cau posielam ti cerviky tak sa na to pozri (virus to neni)

Witz
Hallo, Ich habe ein guter Witz-Wurm so sieh! (kein virus)

blague
J’ai une bonne blague ca s’appelle verre de terre alors jette un coup d’oeil
(il n’y a pas de virus)

���?
?��??�, ‘ ?-� ?��� ?��?R’�- � ����? ?�R?? �?�?�? (��R -? ?����)

Joke
Hi, I have some cool joke – worms so have a look at it (no virus)

Zart
Czesc, mam swietnz dowcip – robaka. Obejrzyj go sobie (to nie jest wirus)

Chiste
Hola te mando los gusanilloes. Pues mirarlos (no es un virus)

The worm activates from infected email only if a user clicks on the attached file. The worm then installs itself into the system, runs its spreading and ‘effect’ routines (colored “worms” eating the desktop).

While installing itself the worm copies itself to the Windows directory and to the SYSTEM32 subdirectory with the name “ntkrnl.exe”. It then registers that file in the system registry auto-run key:

HKLMSoftwareMicrosoftWindowsCurrentVersionRun
Kernel Loader = %WindowsDir%system32ntkrnl.exe -LOADDRIVERS=TRUE