Kaspersky Threats

Class

Platform

Description

Technical Details

This is a virus-worm that spreads via the Internet attached to infected
e-mail, infecting the local network. The worm itself is a Windows PE EXE file
about 107K in length (compressed PCShrink, 202K decompressed), and is written in Delphi.

Infected messages contain:

Subject: Sites Pornos

Body: Tudo bem to te enviando uma lista dos melhores sites pornos da,br>
uma olhada depois me avisa c voce gostou at� mais um Abra��o Do

seu melhor amigo 😉

Attachment: SitesDeSexo.doc.exe

The worm activates from infected e-mail only when a user clicks on an attached
file. The worm then installs itself to the system, runs its spreading routine and
payload.

Installing

While installing, the worm copies itself to the Windows system directory with the
VxBrasil.exe name, and registers that file in the auto-run command in the following WIN.INI file:

[windows]
run=%SystemDir%VxBrasil.exe

where %SystemDir% is the Windows system directory.

Spreading

To send infected messages, the worm uses Windows MAPI functions and “answers”
messages from e-mail boxes.

Local Network

The worm scans network shared drives, looks for directories with a WIN.INI file,
then copies itself there with the “666hacked.exe” name, and registers
this copy in a WIN.INI file in the same “windows/run” key as above.

Other

The worm also installs a backdoor Trojan (“Backdoor.DRA”) on an infected machine.
To do this, it extracts backdoor code from its resources, saves it to
C:ALEVIRUS.EXE and C:BACK.EXE files and spawns it.

The worm creates the dekoy file C:SitesDeSexo.doc, and writes the following text there:

Estes s�o os melhores sites de SEXO da internet confira 🙂

The the worm writes a list of porno sites and opens this file.

Class	Email-Worm
Platform	Win32
Description	Technical Details This is a virus-worm that spreads via the Internet attached to infected e-mail, infecting the local network. The worm itself is a Windows PE EXE file about 107K in length (compressed PCShrink, 202K decompressed), and is written in Delphi. Infected messages contain: Subject: Sites Pornos Body: Tudo bem to te enviando uma lista dos melhores sites pornos da,br> uma olhada depois me avisa c voce gostou at� mais um Abra��o Do seu melhor amigo 😉 Attachment: SitesDeSexo.doc.exe The worm activates from infected e-mail only when a user clicks on an attached file. The worm then installs itself to the system, runs its spreading routine and payload. Installing While installing, the worm copies itself to the Windows system directory with the VxBrasil.exe name, and registers that file in the auto-run command in the following WIN.INI file: [windows] run=%SystemDir%VxBrasil.exe where %SystemDir% is the Windows system directory. Spreading To send infected messages, the worm uses Windows MAPI functions and “answers” messages from e-mail boxes. Local Network The worm scans network shared drives, looks for directories with a WIN.INI file, then copies itself there with the “666hacked.exe” name, and registers this copy in a WIN.INI file in the same “windows/run” key as above. Other The worm also installs a backdoor Trojan (“Backdoor.DRA”) on an infected machine. To do this, it extracts backdoor code from its resources, saves it to C:ALEVIRUS.EXE and C:BACK.EXE files and spawns it. The worm creates the dekoy file C:SitesDeSexo.doc, and writes the following text there: Estes s�o os melhores sites de SEXO da internet confira 🙂 The the worm writes a list of porno sites and opens this file.

Email-Worm.Win32.Sidex

Technical Details