Class | Email-Worm |
Platform | Win32 |
Description |
Technical Details
This is an Internet worm that spreads attached to e-mail messages. The worm works under Win32 systems only. The worm contains components (plugins) in its code. The major worm versions are encrypted with a semi-polymorphic encryption loop. The worm contains the text strings:

The Worm Runs
The main worm target on a computer is the WSOCK32.DLL library. While infecting

If the worm is not able to infect WSOCK32.DLL (in case it is in use and locked for writing), the virus creates a copy of that library (a copy of WSOCK32.DLL

The worm also creates a copy of itself with a random name in the Windows system directory and registers it in the RunOnce registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce {Default} = %WinSystem%\WormName
or
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce {Default} = %WinSystem%\WormName
where %WinSystem% is the Windows system directory and "WormName" is a random eight-character name, for example:

There is only one possible reason for registering an additional worm copy in the "RunOnce" registry key: if WSOCK32.DLL was not infected during the first worm run and, for some reason, its infected copy was not created either, the "RunOnce" worm copy completes the task upon the next Windows restart.

Infected WSOCK32.DLL
The worm intercepts the Windows functions that establish a network connection, including to the Internet. The worm intercepts data that are sent and received and scans them

Plugins
The worm's functionality depends on the plugins that are stored in the worm body, encrypted with an RSA-like strong crypto algorithm with a 128-bit key. There are
so the complete worm functionality depends only on its host, which is able to upgrade plugins from a Web page. The plugins on the page are encrypted with RSA-like crypto too.

The worm also updates its plugins by using the alt.comp.virus newsgroup. The worm, while active on a machine, connects to a news server (one of a list of more than 70 addresses, selected at random), converts its plugins to newsgroup messages and posts them there. The worm's messages have a random-looking Subject, for example:

where the first four characters are the plugin "name" and the following four characters are an encoded plugin "version". As well as sending, the worm reads such messages from alt.comp.virus, obtains the plugin "name" and "version" and compares them with the plugins it currently uses. If the newsgroup has a message with a higher plugin version, the worm extracts it and replaces the existing one. So the worm uses alt.comp.virus to upgrade its plugins.

The worm also creates these plugins as disk files in the Windows system directory. They also have random names, but the worm keeps being able to access them. The names may look as follows:
BIBGAHNH.IBG

There are several different known plugins that:
1. Infect all ZIP and RAR archives on all available drives from C: to Z:. While infecting, the worm renames EXE files in the archive to a .EX$ extension.
2. Send messages with encoded plugins to the "alt.comp.virus" newsgroup, and obtain new plugins from there.
3. Spread the virus to remote machines that have the SubSeven backdoor Trojan installed. The plugin detects such machines on the Net and, using SubSeven commands, uploads a worm copy to the machine and spawns it there.
4. Encrypt worm copies with a polymorphic encryption loop before sending the copy attached to an e-mail.
5. Depending on the system date and time (on September 16 and 24, and at the 59th minute of each hour starting from year 2001, in known plugins), run the "spirale" effect. The plugin creates a random eight-byte .EXE name in the Windows system directory, unpacks the "spirale effect" EXE code there, and registers that file in the system:
6. Affect DOS EXE and Windows PE EXE files. The worm affects them so that they become worm droppers: when run, they drop the worm EXE file to the TEMP directory and execute it. While affecting a DOS EXE file, the plugin adds the dropper code and worm body to the end of the file. These files are disinfectable. While affecting a Windows PE EXE file, the plugin overwrites the file's code section to get a gap for the worm code, and writes the worm dropper code to that gap (if it has enough size). The plugin doesn't touch the file header (including the entry point address) and does not increase the file size. Moreover, it has an anti-CRC (checksum) routine that fills special data into the plugin code so that the file CRC stays the same for a few commonly used CRC algorithms. That means that some integrity checkers will not detect changes in affected files: the file length and file body CRC stay the same as for the clean file. When such a PE EXE file is run, the dropper code drops and activates the worm, then restores (unpacks) the code section and returns control to the host file.
7. Randomly select a Subject, Message text and Attach name while sending worm copies with e-mail messages:
From:
Subjects:
Message texts:
Attach names:

As well as (depending on the plugin version): the message Subject is a random combination (for example "Anna" + "sex") of: Anna, sex, Raquel, Darian, sexy, Xena, hot, Xuxa, hottest, Suzete, cum, famous, cumshot, celebrity, rape, horny, leather, ... etc.
Attach name:

The attached file name may also be a random eight-byte .EXE name, for example:
|
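As an added example (not part of the original description), a small triage script that applies the RunOnce persistence pattern described above to the text output of the Windows `reg query` command: it flags {Default} values under either RunOnce key that point to an executable with an eight-character random-looking name inside the Windows system directory. The registry output below is constructed, the system-directory list is an assumption to adjust per host, and the eight-character rule is a heuristic for triage, not a signature.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query ... /s` style output; not captured from a real host.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    (Default)    REG_SZ    C:\WINDOWS\SYSTEM\BIBGAHNH.EXE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    (Default)    REG_SZ    C:\WINDOWS\SYSTEM\QWERTYUI.EXE
    Cleanup      REG_SZ    C:\Program Files\Installer\cleanup.exe /silent
"""

# Windows system directories on the host being triaged (assumed; adjust per machine).
SYSTEM_DIRS = {r"c:\windows\system", r"c:\windows\system32"}

# Heuristic: eight letters/digits plus .EXE, like the random names the worm generates.
RANDOM_EXE_NAME = re.compile(r"^[A-Z0-9]{8}\.EXE$", re.IGNORECASE)

# One value line of `reg query` output: value name, REG_SZ / REG_EXPAND_SZ type, data.
VALUE_LINE = re.compile(r"^\s+(\(Default\)|\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$")


def find_suspicious_runonce(reg_output, system_dirs=SYSTEM_DIRS):
    """Return (registry key, file path) for RunOnce {Default} values that follow the
    worm's pattern: an eight-character .EXE located in the Windows system directory."""
    hits = []
    current_key = None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        match = VALUE_LINE.match(line)
        if match is None or current_key is None or "RunOnce" not in current_key:
            continue
        value_name, data = match.groups()
        if value_name != "(Default)":
            continue  # the worm registers itself as the key's default value
        path = PureWindowsPath(data.strip('"'))
        if str(path.parent).lower() in system_dirs and RANDOM_EXE_NAME.match(path.name):
            hits.append((current_key, str(path)))
    return hits


if __name__ == "__main__":
    for key, path in find_suspicious_runonce(SAMPLE_REG_QUERY):
        print(f"suspicious RunOnce entry: {key} -> {path}")
```

A hit is a lead for comparing the file against a known-good copy of WSOCK32.DLL and the system directory, not proof of infection, since a legitimate installer can also leave an eight-character executable there.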