Kaspersky Threats

Class

Platform

Description

Technical Details

This is the worm virus spreading via the Internet being attached to infected emails. The worm itself is a Windows PE EXE file about 107Kb of length, written in Visual Basic (VB5).

The worm activates from infected email only in case a user clicks on attached file. The worm then installs itself to the system, runs spreading routine and payload.

The infected messages have different texts and attached file names, they are randomly selected by worm while spreading from following variants:

Subjects are:

Cuidado con los virus!!!
Tienes un virus!!!
Me lo baje de Internet
Una co�a de la red

Bodies are:

%virusname% is “Nimda”, “Magistr” or “Sircam”.

Saludos
Me ha llegado el virus %virusname%, de tu ordenador, ya es la segunda vez
Pasa la vacuna que te env�o, de Norton Antivirus
�Y ten mas cuidado la pr�xima vez!

Un Saludo
Por Favor, revise su ordenador, me ha enviado el virus %virusname%
Le env�o la vacuna facilitada por Norton Antivirus

Un Saludo
Hola, perdona, que te moleste, pero me has enviado un virus, el %virusname%
Te env�o la vacuna de panda, �Ten mas cuidado la pr�xima vez!

Hola
Te env�o un fichero que me bajado de Internet, es una broma. mueve �l
Rat�n por toda la pantalla. No se quita ni pulsando control+alt+supr,
Jeje, al final hay que reiniciar.
<

Attach filenames are:

MueveRaton.exe
AntiMagistr.exe
AntiNimda.exe
AntiSircam.exe

To send infected messages the worm scans *.EML, *.NWS, and *.DBX files, gets victim email addresses from there, then connects to SMTP server smtp.terra.es,then sends infected messages.

Installing

While installing the worm copies itself to Windows system directory with the REGWIZ.EXE name (and overwrites original Windows REGWIZ.EXE file in there),and registers this file in system registry auto-run key:

HKLMSoftwareMicrosoftWindowsCurrentVersionRun
regwiz = %systemdir%regwiz.EXE

The worm also sets ReadOnly, Hidden and System attributes for this file.

The worm then displays fake error message:

no es una aplicaci�n Win32 v�lida
[ OK ]

Payload

The worm adds to C:MSDOS.SYS file the command:

BootKeys=0

The effect of this is unability to break or trace booting process under Win9x systems.

The worm then stays in Windows memory as hidden application (system service) and runs payload routine – the mouse cusror is randomly moved on the screen, and mouse becomes unusable.

The worm also runs its internal counter in the registry key:

HKCUSoftwareVB and VBA Program Settingsregwizconfig
ejec = %number%

and increases this valie on each run. When this counter reaches 75, the worm alteres the registry key:

HKCUControl PanelDesktop
ScreenSaveActive = 0

then exits Windows and restarts the machine.

Class	Email-Worm
Platform	Win32
Description	Technical Details This is the worm virus spreading via the Internet being attached to infected emails. The worm itself is a Windows PE EXE file about 107Kb of length, written in Visual Basic (VB5). The worm activates from infected email only in case a user clicks on attached file. The worm then installs itself to the system, runs spreading routine and payload. The infected messages have different texts and attached file names, they are randomly selected by worm while spreading from following variants: Subjects are: Cuidado con los virus!!! Tienes un virus!!! Me lo baje de Internet Una co�a de la red Bodies are: %virusname% is “Nimda”, “Magistr” or “Sircam”. Saludos Me ha llegado el virus %virusname%, de tu ordenador, ya es la segunda vez Pasa la vacuna que te env�o, de Norton Antivirus �Y ten mas cuidado la pr�xima vez! Un Saludo Por Favor, revise su ordenador, me ha enviado el virus %virusname% Le env�o la vacuna facilitada por Norton Antivirus Un Saludo Hola, perdona, que te moleste, pero me has enviado un virus, el %virusname% Te env�o la vacuna de panda, �Ten mas cuidado la pr�xima vez! Hola Te env�o un fichero que me bajado de Internet, es una broma. mueve �l Rat�n por toda la pantalla. No se quita ni pulsando control+alt+supr, Jeje, al final hay que reiniciar. < Attach filenames are: MueveRaton.exe AntiMagistr.exe AntiNimda.exe AntiSircam.exe To send infected messages the worm scans .EML, .NWS, and .DBX files, gets victim email addresses from there, then connects to SMTP server smtp.terra.es,then sends infected messages. Installing* While installing the worm copies itself to Windows system directory with the REGWIZ.EXE name (and overwrites original Windows REGWIZ.EXE file in there),and registers this file in system registry auto-run key: HKLMSoftwareMicrosoftWindowsCurrentVersionRun regwiz = %systemdir%regwiz.EXE The worm also sets ReadOnly, Hidden and System attributes for this file. The worm then displays fake error message: no es una aplicaci�n Win32 v�lida [ OK ] Payload The worm adds to C:MSDOS.SYS file the command: BootKeys=0 The effect of this is unability to break or trace booting process under Win9x systems. The worm then stays in Windows memory as hidden application (system service) and runs payload routine – the mouse cusror is randomly moved on the screen, and mouse becomes unusable. The worm also runs its internal counter in the registry key: HKCUSoftwareVB and VBA Program Settingsregwizconfig ejec = %number% and increases this valie on each run. When this counter reaches 75, the worm alteres the registry key: HKCUControl PanelDesktop ScreenSaveActive = 0 then exits Windows and restarts the machine.

Email-Worm.Win32.Ciosor

Technical Details