Email-Worm.Win32.Hadra

Class Email-Worm
Platform Win32
Description

Technical Details

This is an Internet worm that spreads via e-mail, attached to messages as an EXE file. The
worm itself is a Win32 executable file about 12Kb in length, written in
Visual Basic. The worm code is compressed with the UPX Win32 EXE compression
utility; when unpacked, it is about 26Kb in size.

When the worm starts (i.e., when a user opens the attached EXE file), it copies
itself to the Windows directory under the name MSSERV.EXE and registers that file
in the Windows registry auto-run keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Each of these “Run=” keys then holds a string value that runs the worm copy at every
Windows start-up:

msservice = %WinDir%\msserv.exe

where %WinDir% is the Windows main directory.

Spreading

The worm then stays resident in memory as a hidden application (service),
connects to MS Outlook and registers itself as a handler for the MS Outlook “NewMail” and
“ItemSend” events (i.e., the worm hooks the MS Outlook events).

On “NewMail” (a new message has arrived), the worm checks whether the message is one
of its own copies sent from another infected machine and, if so, deletes it: the worm
opens the message, looks for an EXE attachment, and deletes the message if that
attachment has the same length as the worm’s EXE file.

On “ItemSend” (a message is being sent), the worm looks for files already attached
to the message, takes the first one, replaces it with its own copy, renames the
attachment to .EXE, and lets the message be sent. If the message has no attachment,
the worm attaches itself under a random eight-character name with the .EXE extension.

On Friday the 13th, between 13:00 and 14:00, the worm also adds the following text to the
beginning of the message body:

[I-Worm.Hydra] …by gl_st0rm of [mions]

Protection

The worm performs several actions to hide itself and to prevent the removal of its
file and of the infected registry “Run=” keys. The worm deletes the MSCONFIG.EXE file
in the Windows system directory, then looks for the following active applications
and terminates their processes:

“AVP Monitor”
“AntiVir”
“Vshwin”
“F-STOPW”
“F-Secure”
“vettray”
“InoculateIT”
“Norman Virus Control”
“navpw32”
“Norton AntiVirus”
“Iomon98”
“AVG”
“NOD32”
“Dr.Web”
“Amon”
“Trend PC-cillin”
“File Monitor”
“Registry Monitor”
“Registry Editor”
“Task Manager”

As a result, the worm disables several kinds of anti-virus protection and
immediately closes registry editors as soon as they are started.

The worm also deletes the Kaspersky Anti-Virus (formerly AVP) anti-virus databases.

Member of SETI Distributed Network

The worm installs and activates the SETI (Search for Extraterrestrial
Intelligence) software on the infected computer (more information about SETI is
available at http://setiathome.berkeley.edu).

The worm downloads the SETI software to the Windows directory under the name MSSETI.EXE
from one of the following FTP sites:

ftp://ftp.cdrom.com/pub/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.let.uu.nl/pub/software/winnt/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.cdrom.com/.2/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe
ftp://setidata.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe

The worm also creates the following files in the Windows directory:

USER_INFO.SAH and VERSION.SAH with SETI specific information
MSSETI.PIF, RUN_MSSETI.VBS, MSSETI.BAT to run SETI program

and registers the RUN_MSSETI.VBS file in the registry auto-run keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
msseti = WScript.exe %WinDir%\run_msseti.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
msseti = WScript.exe %WinDir%\run_msseti.vbs

The USER_INFO.SAH file holds the SETI user’s account information; the worm writes
the following IDs to it:

id=2199938
key=1603033966
email_addr=gl_storm@seznam.cz
name=GL_STORM
country=Czech Republic
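As an added example (not code from the original description), the following Python check parses a REGEDIT4-style registry export and a USER_INFO.SAH file for the auto-run values and the SETI identity described above. The registry lines and the .SAH contents are constructed samples, and the Windows directory C:\WINDOWS is an assumption.

```python
import re

# Auto-run values the description says the worm writes (value name -> data), Windows dir as %windir%.
WORM_RUN_VALUES = {
    "msservice": r"%windir%\msserv.exe",
    "msseti": r"wscript.exe %windir%\run_msseti.vbs",
}
# SETI identity the worm writes into USER_INFO.SAH (values from the description).
WORM_SETI_IDENTITY = {"id": "2199938", "email_addr": "gl_storm@seznam.cz", "name": "GL_STORM"}

def parse_reg_export(text: str) -> dict:
    """Parse a minimal REGEDIT4/.reg export into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:  # .reg exports escape each backslash as \\; undo that
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def check_run_keys(keys: dict, windir: str = r"C:\WINDOWS") -> list:
    """Return 'key\\name -> data' for every Run/RunServices value matching the worm."""
    findings = []
    for path, values in keys.items():
        if not path.lower().endswith((r"\currentversion\run", r"\currentversion\runservices")):
            continue
        for name, data in values.items():
            normalised = data.lower().replace(windir.lower(), "%windir%")
            if WORM_RUN_VALUES.get(name.lower()) == normalised:
                findings.append(f"{path}\\{name} -> {data}")
    return findings

def check_seti_user_info(text: str) -> list:
    """Return the key=value lines of USER_INFO.SAH that match the worm's SETI identity."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    return [f"{k}={v}" for k, v in WORM_SETI_IDENTITY.items() if fields.get(k, "").strip() == v]

# Constructed sample inputs (not captured from a real infection); assumed Windows dir is C:\WINDOWS.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"msservice"="C:\\WINDOWS\\msserv.exe"
"msseti"="WScript.exe C:\\WINDOWS\\run_msseti.vbs"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"msservice"="C:\\WINDOWS\\msserv.exe"
'''
SAMPLE_SAH = "id=2199938\nkey=1603033966\nemail_addr=gl_storm@seznam.cz\nname=GL_STORM\ncountry=Czech Republic\n"
```

Running `check_run_keys(parse_reg_export(SAMPLE_REG))` on the sample reports all three worm auto-run values, and `check_seti_user_info(SAMPLE_SAH)` reports the matching id, e-mail address and name.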