Email-Worm.Win32.FunnyPics

Class Email-Worm
Platform Win32
Description

Technical Details

This virus spreads via the Internet as an attachment to infected messages. The worm itself is a Windows PE EXE file 14136 bytes in size.

Installation

The worm copies itself to the Windows root directory as brsh32.exe:

%WinDir%brsh32.exe

It then registers this file in the Windows system registry as a new service. This ensures that the worm will be launched each time Windows is rebooted on the victim machine:

[HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices]
 "brsh32Service"="%WinDir%brsh32.exe -q"

The worm will:

  1. spread via email
  2. make remote administration of the victim machine possible via a backdoor

The worm sends itself to email addresses harvested from the victim machine.

When sending infected messages, the worm establishes a direct connection to the recipient’s SMTP server.

Email Subject

The message subject is chosen at random from the list below:

  • are you ready to enjoy?
  • do you wanna laugh out?
  • Download funny pics for free!
  • download screensavers for free!
  • Free pics and screensavers
  • free screensaver
  • funny pics is online again!
  • funnypics special offer
  • huff OUT!
  • humor OnLine
  • hunk of fun!
  • Listen to Dr.Fun
  • pics & screensavers
  • ready? steady? laugh!
  • Save your screen!
  • what you wanna see?

Email Contents

The message body does not change, and is as follows:

Funny Pics Inc. strikes back with more free stuff.Visit our new website with lots of funny pics and new screensavers like this! www.funnypics.com

Attachment

The worm sends a copy of itself in the following attachment: %windir%brsh32.exe. However, it disguises this file as a picture from www.funnypics.com.

The attachment name is chosen at random from the list below:

  • billBates.scr
  • bzzz.scr
  • funnyPic.scr
  • intelAside.scr
  • kennyIsAlive.scr
  • mac0s.scr
  • matrix-SP.scr
  • mrBrown.scr
  • nastyPokemon.scr
  • paradise.scr
  • phantomMenaze.scr
  • southPark.scr
  • SouthParkOuttaSpace.scr
  • starWarz.scr
  • waaazUp.scr
  • x-filez.scr

Payload

The worm will open a TCP port between 8000 and 8255 (chosen at random) and will listen for commands.

This provides a remote malicious user with full access to the victim machine, making it possible to get information from the victim machine, download, launch and delete files.

Removal instructions

  1. Delete the following registry key:
    [HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices]
     “brsh32Service”=”%WinDir%brsh32.exe -q”
  2. Using Task Manager, stop the process called brsh32.exe.
  3. Delete the following file: %WinDir%brsh32.exe.
  4. Perform a full scan of your computer (download trial version of Kaspersky Anti-Virus).