Email-Worm.Win32.Ivalid

Class Email-Worm
Platform Win32
Description

Technical Details

This is a dangerous worm that spreads via the Internet as an attachment to e-mail messages. The worm itself is a Windows application about 12K in size. To spread, the worm uses SMTP and connects to the “mail.bezeqint.net” e-mail server in order to send the infected messages.

The worm obtains victim e-mail addresses from HTML files: it searches the hard drive for *.HT* files and extracts the e-mail addresses found in them.

The infected messages contain the following data:

From: “Microsoft Support” [support@microsoft.com]
Subject: Invalid SSL Certificate (the string in the worm body ends with CR/LF, shown as 0Dh,0Ah in the original listing)
Attach: SSLPATCH.EXE

Message text:

Hello,

Microsoft Corporation announced that an invalid SSL certificate that web
sites use is required to be installed on the user computer to use the https
protocol. During the installation, the certificate causes a buffer overrun in
Microsoft Internet Explorer and by that allows attackers to get access to
your computer. The SSL protocol is used by many companies that require credit
card or personal information so, there is a high possibility that you have
this certificate installed.

To avoid of being attacked by hackers, please download and install the attached patch. It is strongly recommended to install it because almost all
users have this certificate installed without their knowledge.

Have a nice day,
Microsoft Corporation
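As an added example (not part of the original description), the following Python code matches the lure's fixed header and attachment indicators listed above against a raw message, the kind of check a mail gateway or mailbox sweep would run. The sample message is constructed for the test; its attachment body is a placeholder, not the worm.

```python
import email
from email import policy
from email.utils import parseaddr

# Lure indicators taken from the Ivalid description above.
LURE_FROM = ("Microsoft Support", "support@microsoft.com")
LURE_SUBJECT = "Invalid SSL Certificate"
LURE_ATTACHMENT = "SSLPATCH.EXE"

def ivalid_indicators(raw_message: bytes) -> set[str]:
    """Return which Ivalid lure indicators a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = set()
    name, addr = parseaddr(str(msg.get("From", "")))
    if name == LURE_FROM[0] and addr.lower() == LURE_FROM[1]:
        hits.add("from")
    # The worm's subject string ends in CR/LF, so only the prefix is compared.
    if str(msg.get("Subject", "")).strip().startswith(LURE_SUBJECT):
        hits.add("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").upper() == LURE_ATTACHMENT:
            hits.add("attachment")
    return hits

def is_ivalid_lure(raw_message: bytes) -> bool:
    """Flag a message only when the attachment name and at least one header match."""
    hits = ivalid_indicators(raw_message)
    return "attachment" in hits and len(hits) >= 2

# Constructed sample message reproducing the lure's headers and attachment name
# (the base64 attachment body is just the text "PLACEHOLDER").
SAMPLE_LURE = b"""\
From: "Microsoft Support" <support@microsoft.com>
Subject: Invalid SSL Certificate
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello, please download and install the attached patch.
--b1
Content-Type: application/octet-stream; name="SSLPATCH.EXE"
Content-Disposition: attachment; filename="SSLPATCH.EXE"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""
```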

If an error occurs, or once the infected messages have been sent, the worm encrypts all EXE files in the current directory and in all of its parent directories. For the encryption, the worm uses the standard Windows Crypto API.

The worm also contains the following text strings in its body:

I-Worm.Invalid, Written By Dr.T/BCVG Network, 2001
The Black Cat Virii Group, 2001