Email-Worm.Win32.Fintas

Class Email-Worm
Platform Win32
Description

Technical Details

This is a virus-worm that spreads via the Internet as an attachment to infected e-mails. The worm itself is a Windows PE EXE file about 36Kb in length, written in Visual Basic.

The worm is activated from an infected e-mail only when the user opens the attached file. It then installs itself in the system and runs its spreading routine and its payload.

Installing

While installing, the worm copies itself:

to the Windows directory, the Windows system directory and the root of drive C:, under the `.EXE name;

to the Windows TEMP directory, under a name that depends on the worm version:

FF8.EXE

FunnyFlash.EXE

The C:`.EXE file is then registered in the system registry auto-run key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
723 = c:`.exe

and in the Windows SYSTEM.INI file, [boot] section, in the "shell=" auto-run command (which on a clean Win9x system points to Explorer.exe).
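Both auto-run locations named above can be audited offline from copies of the files. The following Python script is an added example, not part of the original description: it parses the [boot] section of a SYSTEM.INI text and a REGEDIT4 export of the RunServices key, flags a shell= line that does not name Explorer.exe, and flags RunServices values whose program sits in a drive root or a TEMP directory or whose value name is purely numeric, as "723" is. The sample inputs are constructed; the file name c:\sample.exe stands in for the name elided on this page and is an assumption.

```python
import re
from typing import Dict, List

# Constructed SYSTEM.INI fragment: the [boot] shell= line has been hijacked.
# A clean Windows 9x install has "shell=Explorer.exe"; anything else is worth a look.
SAMPLE_SYSTEM_INI = """[boot]
shell=c:\\sample.exe
drivers=mmsystem.dll
[386Enh]
device=*vshare
"""

# Constructed REGEDIT4 export of the RunServices key. The value name "723"
# comes from the description; "c:\\sample.exe" is an assumed stand-in name.
# Note that .reg exports escape backslashes inside string values as "\\".
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"723"="c:\\sample.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"""

RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
DEFAULT_SHELL = "explorer.exe"


def parse_ini_section(text: str, section: str) -> Dict[str, str]:
    """Return the key=value pairs of one [section] of an INI-style file (keys lower-cased)."""
    result: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            continue
        if current == section.lower() and "=" in line:
            key, _, value = line.partition("=")
            result[key.strip().lower()] = value.strip()
    return result


def shell_is_suspicious(shell_value: str) -> bool:
    """True unless the first token of the shell= line is Explorer.exe (with or without a path)."""
    parts = shell_value.split()
    if not parts:
        return True  # an empty shell line is not normal either
    name = parts[0].replace("/", "\\").split("\\")[-1].lower()
    return name != DEFAULT_SHELL


def parse_reg_values(text: str, key: str) -> Dict[str, str]:
    """Return the string values stored under one key of a REGEDIT4 export, unescaped."""
    values: Dict[str, str] = {}
    in_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if in_key:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def suspicious_run_entries(values: Dict[str, str]) -> List[str]:
    """Flag auto-run values whose program lives directly in a drive root or under a
    TEMP directory, or whose value name is purely numeric (as the worm's "723" is)."""
    flagged = []
    for name, cmd in values.items():
        exe = cmd.strip('"').split()[0].lower() if cmd.strip() else ""
        in_root = re.match(r"^[a-z]:\\[^\\]+$", exe) is not None
        in_temp = "\\temp\\" in exe
        if name.isdigit() or in_root or in_temp:
            flagged.append(name)
    return flagged


def audit(system_ini: str, reg_export: str) -> Dict[str, object]:
    """Combine both checks into one report for the two locations the worm uses."""
    shell = parse_ini_section(system_ini, "boot").get("shell", "")
    values = parse_reg_values(reg_export, RUNSERVICES_KEY)
    return {
        "shell": shell,
        "shell_suspicious": shell_is_suspicious(shell),
        "runservices_flagged": suspicious_run_entries(values),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_SYSTEM_INI, SAMPLE_REG_EXPORT))
```

On a real machine, feed it the contents of C:\WINDOWS\SYSTEM.INI and a REGEDIT /E export of the RunServices key taken from the suspect system; the heuristics are deliberately broad (any root-level or TEMP-resident auto-run entry), so treat a hit as something to inspect, not as a positive identification.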

Spreading

To send infected messages, the worm uses MS Outlook and sends a message to every address found in the Outlook address book.

The Subject, Body and Attachment name differ between the known worm versions:

Subject: Microsoft Shockwave Flash Movie
Body: Check "Family.exe" then you could see Microsoft family's Shockwave Flash Movie
Attachment: FamilyMovie.exe

Subject: CoolGame From %UserName%
Body: the cool game about Final Fantasy VIII :)
Attachment: FF8.EXE

Subject: FunnyFlashMovie From %UserName%
Body: the flash movie,check it !:)
Attachment: FunnyFlash.EXE

where %UserName% is the user name of the affected machine.

Fintas.a

The first-known worm version, after spreading by e-mail, deletes the following files in the Windows directory: REGEDIT.EXE, SYSTEM.INI, WIN.INI and COMMAND\EBD\io.sys, and then the files C:\IO.SYS and C:\NETWORK.LOG. It then copies itself to the J: drive (a network drive), if one exists.

The worm then creates and runs two VBS files, "c:\passwd.vbs" and "c:\leo.vbs", and displays a message.

The LEO.VBS file looks for files with the following extensions: .html, .htm, .asp, .php, .dll, .com, .txt, .doc, .xls and .exe, and overwrites each of them with the text:

Hi! I am LEO

The PASSWD.VBS file looks for .PWL files (the Windows 9x cached-password files) and sends them to the "leotam888@china.com" e-mail address with the subject "mypasswd".

Payload – other versions

On the 23rd of any month the worm runs its payload routine, which takes effect under Win9x systems only. It writes to the C:\MSDOS.SYS file options that disable the pausing and step-by-step tracing of the Windows boot process, and then overwrites C:\AUTOEXEC.BAT with commands that will format all drives from C: to Z: on the next reboot.

The worm then displays a message.