Class Email-Worm
Platform Win32

Technical Details

This is a virus-worm that spreads via the Internet and local networks. It arrives
as a “SETUP.EXE” file attached to an e-mail message with the subject “Ok…”; the
message body contains nothing but a “smile” (smiley).


The attached file is a Microsoft C++ executable about 40Kb in length. Most of
the file is taken up by C++ run-time libraries and data; only about 7Kb of it is
“pure” worm code.

The worm got its name from the text string in its code:

CH0LERA – Bacterium BioCoded by GriYo / 29A

This string, like the rest of the worm’s data, is stored encrypted in the worm’s body.

Installing into the system

When the worm is executed for the first time (run from an infected attachment),
it obtains its own module file name and copies itself into the Windows directory
under the name RPCSRV.EXE. To make Windows run this file on the next reboot, the
worm writes an additional “Run=” instruction to the WIN.INI file in the Windows
directory (under Win9x), or modifies the corresponding key in the system
registry (under WinNT).

To locate the Windows directory, the worm does not call the corresponding
Windows API functions. Instead it scans all available local drives for
directories named WINDOWS, WIN95, WIN98, WIN or WINNT and then checks for a
WIN.INI file inside each of them. Wherever such a file is found, the worm
installs itself into that directory.

As a result, the worm may create several copies of itself on the same computer
and infect every Windows installation on it. If a multiboot loader is installed
and several different Windows versions are present, this trick lets the worm
activate at start-up of whichever Windows copy is booted.

To hide its activity, the worm displays a fake error message:

Cannot open file: it does not appear to be a valid archive.
If you downloaded this file, try downloading the file again.
[ OK ]
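A defender checking a host for the WIN.INI persistence described above can inspect the [windows] section for run= and load= entries. The Python script below is an added example, not code from the original entry or from the worm. The WIN.INI texts in it are constructed samples; the parser keeps every run= line separately rather than collapsing them into one key, because the entry says the worm writes an additional Run= instruction, which a simple key/value dictionary would silently overwrite. The same check can be applied to WIN.INI files on network shares, which the worm also modifies; the WinNT registry variant is not covered here.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample WIN.INI contents (not taken from a real infected host).
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\RPCSRV.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed sample where an existing run= line was left in place and a second
# one was appended, as the entry describes.
SAMPLE_WIN_INI_DUPLICATE = """\
[windows]
run=C:\\TOOLS\\AGENT.EXE
run=C:\\WINNT\\RPCSRV.EXE
"""


def parse_win_ini(text):
    """Parse INI text into {section: [(key, value), ...]}.

    Keys are kept as an ordered list, not a dict, so that a duplicated run=
    line is preserved instead of being hidden by the later occurrence.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def autorun_entries(text):
    """Return every program started from [windows] run= or load= lines."""
    entries = []
    for key, value in parse_win_ini(text).get("windows", []):
        if key in ("run", "load") and value:
            # Win 3.x/9x accept several programs separated by commas or spaces;
            # paths containing spaces are therefore split here as well.
            entries.extend(p for p in re.split(r"[,\s]+", value) if p)
    return entries


def flag_persistence(text, suspicious_names=("rpcsrv.exe",)):
    """Return autorun entries whose file name matches a watched indicator."""
    return [e for e in autorun_entries(text)
            if PureWindowsPath(e).name.lower() in suspicious_names]


def scan_file(path):
    """Read a WIN.INI file from disk (local or on a share) and flag it."""
    with open(path, encoding="cp1252", errors="replace") as fh:
        return flag_persistence(fh.read())


if __name__ == "__main__":
    for sample in (SAMPLE_WIN_INI, SAMPLE_WIN_INI_DUPLICATE):
        for hit in flag_persistence(sample):
            print("suspicious WIN.INI autorun entry:", hit)
```

Run it against a real WIN.INI with scan_file(); any hit on an unexpected executable in run= or load= is worth a closer look even when the name differs from the one used by this worm.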

Further spreading

Upon the next Windows start-up, the worm copy is activated by the Run command in
the WIN.INI file. It takes control and registers itself as a hidden application
(an invisible service process), which also keeps the worm running after a user
logs off. The worm then runs two more routines in addition to the installation
one: the first spreads the worm through the local network, the second sends
infected e-mail messages. The installation routine stays active as well, so the
worm can infect a new Windows copy if one appears on the computer. All the
routines run as threads of the main process and therefore do their work in parallel.

The first of the new routines spreads the worm copy through the network. It
enumerates all network drives, scans them for Windows directories, copies the
worm’s RPCSRV.EXE file there and registers it in the WIN.INI file in the same
remote directory. As a result, on the next reboot of the remote computer the
worm is activated there and spreads itself further.

The second routine sends infected messages to Internet addresses. To send its
copy, the worm uses the SMTP protocol over a direct connection of its own, so
its spreading does not depend on which e-mail application is installed on the
system.

Once every six seconds, this routine enumerates all active program windows and
looks for the windows of Internet applications: Outlook, Cuteftp, Internet Explo,
Telnet, Mirc. If any of these applications is active, the worm assumes that the
computer is connected to the Internet (this check is necessary because of the
direct SMTP connection the worm uses).

The worm then reads the SMTP server address and the user’s e-mail address from
system registry keys, builds a new message, attaches its copy under the name
SETUP.EXE and sends it.

The Internet addresses to which the worm sends its copies are collected from
files in the Windows directory and its subdirectories. The worm scans all files
there, selects those with the extensions .HTM, .TXT, .EML, .DBX, .MBX, .NCH and
.IDX, and extracts e-mail-address-like strings from them. On each sending run,
the worm sends itself to no more than ten addresses.
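A mail gateway or an analyst triaging a mailbox can match the lure described in this entry (subject “Ok…”, a body consisting of a smiley, an attachment named SETUP.EXE) with the standard library’s MIME parser. The following Python code is an added example and is not part of the original entry; both messages are constructed samples, the attachment payload is placeholder text rather than a real executable, and the ASCII smiley check is an assumption about how the “smile” appears in the body, so it is reported but not used in the verdict.

```python
import email
from email import policy

# Constructed sample messages (not real captures). The attachment body is the
# base64 encoding of the placeholder text "not a real executable".
LURE_MESSAGE = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Ok...
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

:)
--b1
Content-Type: application/octet-stream; name="SETUP.EXE"
Content-Disposition: attachment; filename="SETUP.EXE"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBleGVjdXRhYmxl
--b1--
"""

CLEAN_MESSAGE = b"""\
From: sender@example.invalid
To: recipient@example.invalid
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

See you at 10.
"""


def lure_indicators(raw):
    """Extract the lure features from a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Normalize a typographic ellipsis to three dots so either spelling matches.
    subject = (msg["subject"] or "").strip().replace("\u2026", "...")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    # Attachment names as declared in Content-Disposition / Content-Type.
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return {
        "subject_ok": subject.lower() == "ok...",
        # Assumed ASCII rendering of the "smile"; informational only.
        "body_is_smiley": body in (":)", ":-)"),
        "exe_attachments": [n for n in names if n.lower().endswith(".exe")],
        "has_setup_exe": any(n.lower() == "setup.exe" for n in names),
    }


def is_cholera_lure(raw):
    """True when both the subject and the attachment name match the lure."""
    ind = lure_indicators(raw)
    return ind["subject_ok"] and ind["has_setup_exe"]


if __name__ == "__main__":
    for label, raw in (("lure", LURE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, is_cholera_lure(raw), lure_indicators(raw))
```

The verdict deliberately rests on the two features the entry states outright (subject and attachment name); the exe_attachments list is returned so a gateway policy that blocks any executable attachment can reuse the same parse.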