Email-Worm.Win32.Runnelot

Class Email-Worm
Platform Win32
Description

Technical Details

Runnelot is a worm virus spreading via the Internet as an attachment to infected emails. It also infects Win32 EXE files.

The worm itself is a Windows PE EXE file about 9KB in size when compressed by UPX; the decompressed
size is about 20KB. It is written in Assembler.

The worm contains a “copyright” text string:

  Runner "Pilot" 01/2003

Installing

While installing, the worm writes its code to the Windows system directory under the name “Runner.exe”
and registers that file in the system registry auto-run key:

 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   Runner = Runner.exe /auto /rsrc32.dll

Infecting EXE files

The worm looks for PE EXE files and writes itself to the beginning of these files. It looks
for victim EXE files in directories located on local and network hard drives.

To pass control to the host program, the worm creates a disinfected copy on disk and spawns it. In
case of an error the worm displays fake error messages:

  Error of loading WIN32.DLL file

  Loading incomplete. Correct work is not warranted!
  Continue?

  General error 1452 in KERNEL32.DLL

  Program terminated

Spreading: EMail

To send infected messages the worm uses direct access to the default SMTP server. To get victim
email addresses the worm looks for *.HTM* files; it also writes these email addresses to the
“runner.dll” file in the Windows system directory.

The infected messages have different fields that are randomly constructed from several variants:

From: "%str1%%str2%"

where the strings are randomly selected from:

%str1% : Dmitry Eugene Igor Jhon Mark Bill Frank Sam Tim Brad Samuel Dean Tom Robert
Mostovoy Losinsky Kaspersky Danilov Smith Woodruf Brown Steel Driver Seldon Forge Stab McAndrew Gregor

%str2% : @hotmail.com @yandex.ru @yahoo.com @newmail.ru

Subject: %subj1% %subj2%

 where:

 %subj1% : 

   Weclome to Pink World
   Blacks on Blondes
   New porno movies every day
   TONS of porno movies
   Fucking Wifes

 %subj2% :

   New FREE sex soft
   FREE porno-soft
   + many FREE sex games

The body is randomly constructed from randomly selected text strings:

   SUPERGAME!  +  Look as  +  fine      +  blonde        
   SEX SOFT!   +              hot          mom           
                              black        hitchiker teen
                              dirty        girl          
                              amateur      slut          
                              petite       babe          
                              busty        teen          
                              wet          secretary     
                              wild         wife          


   This is a free demo version, and we hope you want visit our web-site   +
   Please visit our web site                                              +
 +
   WWW.EXPLOITEDPUSSY.COM
   WWW.SLEAZYDREAM.COM
   WWW.ALLHOTPORN.COM
   WWW.TEENFILES.NET
   WWW.ADULTMOVIESTATION.NET
   WWW.DISCRETESEX.COM
 +
   to take more sex programs
   to take full version


   150 GIG OF DOWNLOADABLE MOVIES - FREE PASSWORD
   HIGH QUALITY MPEGS - NEW SCENES EVERY DAY - 100k+ PICS TOO
   Full lenght movies
   THE BEST MOVIES ONLINE
   HUGE archive of previous movies available! TONS of movies
 +
   Full screen quality
   Ultra fast downloads
   Updated every day
   All in DVD quality
   WEBMASTERS MAKE MONEY
   GET FULL ACCESS TO OUR MEMBERS AREA FOR 30 MINUTES - FREE
   GET YOUR 30 MINUTES FREE ACCESS
   A new 150mb full lenght movie is added every day
 +
   Install NOW!!!
   Installer in attach
   Test our soft now!

or randomly selected from variants:

   We presents to you ours new sex game as adversting
   Install a locator of FREE sex movies of our site as adversting
   Install porno screen saver as adversting
   This is a new imitator as adversting

Attachment:

   sexy       + girls.      + dll
   hottest      blonde.   
   cumshot      pamela.   
   analsex      lesbians. 
   oralsex      teens.    
   asian        virgins.  
   hardcore     .
   slut
   doggy
   sucking
   messy
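
A mail-gateway check built from the subject and attachment strings listed above, as an added example that is not part of the original description. It assumes the attachment name is the first word, an optional second word and the "dll" extension joined exactly as the table shows; the function names and the sample message are hypothetical.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Strings copied from the description above. How they are matched is an assumption.
SUBJ1 = ["Weclome to Pink World", "Blacks on Blondes", "New porno movies every day",
         "TONS of porno movies", "Fucking Wifes"]
SUBJ2 = ["New FREE sex soft", "FREE porno-soft", "+ many FREE sex games"]
SUBJECTS = {f"{a} {b}".lower() for a in SUBJ1 for b in SUBJ2}

ATT1 = "sexy hottest cumshot analsex oralsex asian hardcore slut doggy sucking messy"
ATT2 = "girls blonde pamela lesbians teens virgins"
# First word, optional second word (the bare "." row), then ".dll".
ATTACHMENT_RE = re.compile(
    r"^(?:%s)(?:%s)?\.dll$" % ("|".join(ATT1.split()), "|".join(ATT2.split())),
    re.IGNORECASE)


def runnelot_indicators(raw_message):
    """Return the Runnelot indicators found in one RFC 822 message string."""
    msg = message_from_string(raw_message)
    hits = []
    # Collapse whitespace so folded or padded subjects still compare equal.
    subject = " ".join((msg.get("Subject") or "").split()).lower()
    if subject in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACHMENT_RE.match(name.strip()):
            hits.append("attachment:" + name.strip().lower())
    return hits


def build_sample(subject, filename):
    """Constructed test message (not a captured sample) with one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(runnelot_indicators(
        build_sample("Weclome to Pink World FREE porno-soft", "sexygirls.dll")))
    print(runnelot_indicators(build_sample("Quarterly report", "report.dll")))
```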

Payload

On February 13, March 7 and 16, April 21, May 8 and 18, June 11, July 3, August 29, October 30,
November 5 and 26, and December 11 and 30 the worm overwrites all files in “Personal” folders
(“My Documents”, “History”, “Cookies”, etc.).