Solutions for:
Home Products
Small Business
Medium Business
Enterprise
Vulnerabilities Threats
Home Threats Email-Worm Win32

Email-Worm.Win32.Goner

Class
Email-Worm
Platform
Win32

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website). In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated. Email-Worms use a range of methods to send infected emails. The most common are: using a direct connection to a SMTP server using the email directory built into the worm’s code using MS Outlook services using Windows MAPI functions. Email-Worms use a number of different sources to find email addresses to which infected emails will be sent: the address book in MS Outlook a WAB address database .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses emails in the inbox (some Email-Worms even “reply” to emails found in the inbox) Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.

Read more

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.

Description

Technical Details

This is a virus-worm that spreads via the Internet attached to infected e-mails, and sends itself via the Internet pager ICQ. It attacks an IRC channel, utilizing a Trojan script and protects itself from anti-virus programs.

The worm itself is a Windows PE EXE file about 38 KB in length and written in Visual Basic. It is packed by the program UPX. After unpacking, it is 148KB in size.

An infected message contains:

The worm activates from an infected e-mail only when a user clicks on an attached file. Then it installs itself to the system and runs its spreading routine and payload. It displays animated windows with the following text:

Then it displays the following message dialogue:

Installation

While installing, the worm copies itself to the Windows system directory with the name GONE.SCR, and registers this file in the system registry auto-run key.

HKLMSoftwareMicrosoftWindowsCurrentVersionRun C:WINDOWSSYSTEMGONE.SCR = C:WINDOWSSYSTEMGONE.SCR

Following this, the worm hides its main window, and continues spreading.

Spreading via E-mail

In order to send infected messages, the worm uses MS Outlook, and sends messages to all addresses found in the Outlook address book.

{Goner3.bmp}

Spreading via ICQ

The worm spreads through the ICQ client. It uses the library ICQMAPI.DLL, which the worm copies from the directory C:PROGRAM FILESICQ to the Windows system directory. It reponds to the client program, and looks for dialogue windows from the list and answers requests. The window lists are as follows:

Send Online File
Send Online File Request
The worm periodically looks for windows and closes them. The titles of the windows are as follows:

User has declined your request
Can't Send File Request
Send Online File [User Is in N/A mode]
Send Online File [User Is Away]
Send Online File [User Is Occupied]
Send Online File [User Is in DND mode]
User has declined your request
Can't Send File Request
Send Online File Request [User Is in N/A mode]
Send Online File Request [User Is Away]
Send Online File Request [User Is Occupied]
Send Online File Request [User Is in DND mode]

Attacking an IRC channel

The worm scans local disk directories for the file MIRC.INI, creating a new file, REMOTE32.INI, in this directory, and adds it to the file MIRC.INI. This script periodically joins a user with random name to the IRC channel #pentagonex on the server twisted.ma.us.dal.net.

Protection from Anti-Virus Programs

While installing in the computer system, the worm scans the running processes, checking their names from the following list:

FINET.EXE
APLICA32.EXE
ZONEALARM.EXE
ESAFE.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFINET32.EXE
PCFWallIcon.EXE
FRW.EXE
VSHWIN32.EXE
VSECOMR.EXE
WEBSCANX.EXE
AVCONSOL.EXE
VSSTAT.EXE
NAVAPW32.EXE
NAVW32.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
LOCKDOWN2000.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
TDS2-98.EXE
TDS2-NT.EXE
SAFEWEB.EXE
C:SAFEWEB

The worm terminates this process in memory, and erases the file from the disk. Then it erases all files in the process directory with files in subdirectories. The worm looks for remaining files, and sets up its removing after restarting the computer. It adds delete commands to the file WININIT.INI

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Related articles
24 April 2024
Securelist
Assessing the Y, and How, of the XZ Utils incident
22 April 2024
Securelist
ToddyCat is making holes in your infrastructure
18 April 2024
Securelist
DuneQuixote campaign targets Middle Eastern entities with “CR4T” malware
17 April 2024
Securelist
SoumniBot: the new Android banker’s unique techniques
15 April 2024
Securelist
Using the LockBit builder to generate targeted ransomware
12 April 2024
Securelist
XZ backdoor story – Initial analysis
Found an inaccuracy in the description of this vulnerability?
If you found a new Threat or Vulnerability, please, let us know by email:
newvirus@kaspersky.com
Found a new Threat or Vulnerability?
If you found a new Threat or Vulnerability, please, let us know by email:
newvirus@kaspersky.com
Solutions for
Home Products
Small Business
Medium Business
Enterprise
Select language
Sorting
Threat
Confirm changes?
Your message has been sent successfully.