Class Email-Worm
Platform Win32

Technical Details

This is a virus-worm that spreads via infected e-mails, and infects Windows EXE
files on computers. The worm’s routines have bugs, and in some cases, halt the
computer and/or corrupt files while infecting them.

The worm code has the “copyright” text strings:

Vecna is a punk rocker now…

Infected File Run

The worm can enter a computer via infected e-mails from the local network or
from any other infected file that is executed.

When the worm starts, it extracts from an infected file its “main” code (that
is “pure” virus code – Win32 PE EXE file 9.5 Kb of size), saves it to
the Windows TEMP directory with a randomly selected name (for example,
LNBAMKON.EXE, MMCAAHAN.EXE) and executes that file.

When the virus’ “main” code gains control, it moves its file to the Windows directory
that is referenced in the Registry key:

HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerShell Folders
Common Startup = %startup%

The %startup% directory name depends in Windows version, for example:

Documents and SettingsAll UsersStart MenuProgramsStartup
%WindowsDir%All UsersStart MenuProgramsStartup

The worm moves itself to that %startup% directory with a random name that has
eight randomly selected digits and an .EXE extension, for example:


The worm then executes that copy in the “Startup” directory, and deletes the first
copy in the Windows TEMP directory, for example:

C:VIRUS.EXE – infected file is run
C:WINDOWSTEMPMMCAAHAN.EXE – 1st copy is created and run
C:WINDOWSAll UsersStart MenuProgramsStartup0544102.EXE
– this is 2nd copy, it is created here and executed. The 1st copy is
deleted then.

Because of a bug, in some cases, the worm crashes in the middle of this
process, and the 1st copy is left in the TEMP directory.

When this “file moving” process is complete, the worm installs a “stealth”
hook, and runs the infection and e-mail spreading routines.


The infection routine when gains control, searches for a .EXE and .SCR Windows
executable file on all local and network drives, and infects them. While
infecting, it obtains a block from the file middle, compresses it, and stores
the compressed data and worm code in the file so that the file length does not increase.

The worm also uses a polymorphic mutation engine to make the detection and
disinfection process more complex.

E-mail spreading

To spread itself, the worm connects to a SMTP mail server, and sends infected
messages to e-mail addresses. Both the SMTP server name and e-mail addresses, the
worm obtains from WAB data files (Windows Address Book).

The infected messages are of HTML format and have fields:

From: “Mondo bizarro” []
Subject: Joey is dead, man… 🙁
Text: A tribute to Joey Ramone (1951-2001)
Attach: ramones.mp3.exe

The worm uses one of the security vulnerabilities (Vulnerability identifier:
CAN-2001-0154) that were found in MS Windows in 2001. The result of this
breach is the possibility of spawning an attached EXE file without a user’s action. When
an infected e-mail is opened for reading or preview, the worm’s EXE file is
automatically run.

Microsoft already has released a patch that eliminates this vulnerability.
Additional information may be found here:


The worm hooks FindFile and FindProcess Windows system calls
(FindFirstFileA, FindNextFileA, Process32First, Process32Next). The worm
processes these calls so that its copy in the “startup” directory (see above)
is not reported. As a result, the worm file is not visible in files and
processes lists.