Email-Worm.Win32.Sidex

Class Email-Worm
Platform Win32
Description

Technical Details

This is a worm that spreads via the Internet as an attachment to infected
e-mail messages and also copies itself across the local network. The worm itself is a Windows PE EXE file
about 107K in length (compressed with PCShrink; 202K when decompressed), written in Delphi.

Infected messages contain:

Subject: Sites Pornos

Body: Tudo bem to te enviando uma lista dos melhores sites pornos da
uma olhada depois me avisa c voce gostou até mais um Abraço Do
seu melhor amigo ;)

(Portuguese. The subject means "Porn Sites"; the body reads roughly: "All good, I'm sending you a list of the best porn sites, take a look and let me know if you liked it, see you, a hug from your best friend.")

Attachment: SitesDeSexo.doc.exe

The worm runs from an infected e-mail only when the user opens the attached
file; the double extension (.doc.exe) is meant to pass the executable off as a Word document. The worm
then installs itself on the system and runs its spreading routine and payload.

Installing

While installing, the worm copies itself to the Windows system directory under the
name VxBrasil.exe and registers that file as an auto-run entry in the [windows] section of WIN.INI:

[windows]
run=%SystemDir%\VxBrasil.exe

where %SystemDir% is the Windows system directory. Programs listed on the run= line of WIN.INI are
started by Windows at each logon, so the copy is launched every time the system starts.

Spreading

To send infected messages, the worm uses Windows MAPI functions and sends the infected
message as a reply to messages found in the user's e-mail boxes.

Local Network

The worm scans shared network drives for directories containing a WIN.INI file,
copies itself into each such directory under the name 666hacked.exe, and registers
that copy on the run= line of the [windows] section of that WIN.INI, in the same way as above.
A directory containing WIN.INI is normally the remote machine's Windows directory, so the entry
takes effect when that machine next starts.
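Both the local install and the network-share copy described above persist through the run= line of WIN.INI, which is rarely used by legitimate software. The following sweep, added here as an example and not code from the original description, walks a set of directory roots (for instance mounted shares), parses the [windows] section of every WIN.INI it finds by hand (configparser chokes on duplicate keys and on the ";" comments real WIN.INI files contain), and reports any run= or load= entry, marking the two file names named in this write-up (VxBrasil.exe, 666hacked.exe) as a Sidex indicator. The directory tree built by `build_sample_tree` is constructed for the demonstration.

```python
"""Sweep directory roots for WIN.INI [windows] run=/load= persistence entries.

Added example; not part of the original Sidex description. The indicator
names come from the write-up; the sample tree built below is constructed.
"""
import os
import shutil
import tempfile
from pathlib import Path

# File names the description attributes to the worm (local copy and share copy).
SIDEX_INDICATORS = {"vxbrasil.exe", "666hacked.exe"}


def parse_windows_run_entries(text):
    """Return (key, value) pairs for run=/load= lines inside the [windows] section.

    Hand-parsed: section names are matched case-insensitively, ';' comment
    lines are skipped, and duplicate keys are all kept.
    """
    entries = []
    in_windows = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].strip().lower() == "windows"
            continue
        if not in_windows or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() in ("run", "load"):
            entries.append((key.strip().lower(), value.strip()))
    return entries


def classify_entry(value):
    """'sidex' if any program on the line is a known Sidex name, 'suspicious' if
    the line is non-empty at all, 'empty' otherwise."""
    # run= may list several programs separated by spaces or commas; check each.
    for token in value.replace(",", " ").split():
        # Normalise separators so basename works on POSIX hosts too (e.g. a mounted share).
        name = os.path.basename(token.replace("\\", "/")).lower()
        if name in SIDEX_INDICATORS:
            return "sidex"
    return "suspicious" if value else "empty"


def sweep(roots):
    """Walk each root, return a finding for every non-empty run=/load= entry in any WIN.INI."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                if fname.lower() != "win.ini":
                    continue
                path = Path(dirpath) / fname
                try:
                    text = path.read_text(encoding="latin-1")
                except OSError:
                    continue
                for key, value in parse_windows_run_entries(text):
                    verdict = classify_entry(value)
                    if verdict != "empty":
                        findings.append({"file": str(path), "key": key,
                                         "value": value, "verdict": verdict})
    return findings


def build_sample_tree():
    """Constructed share layout: share_a carries the Sidex entry, share_b is clean."""
    base = Path(tempfile.mkdtemp(prefix="sidex_demo_"))
    infected = base / "share_a" / "WINDOWS"
    clean = base / "share_b" / "WINDOWS"
    infected.mkdir(parents=True)
    clean.mkdir(parents=True)
    (infected / "WIN.INI").write_text(
        "; constructed sample mimicking the entry the worm writes on a share\n"
        "[windows]\nload=\nrun=C:\\WINDOWS\\666hacked.exe\n"
        "[Desktop]\nWallpaper=(None)\n", encoding="latin-1")
    (clean / "win.ini").write_text("[windows]\nload=\nrun=\n[fonts]\n", encoding="latin-1")
    return base


def demo():
    """Run the sweep over the constructed tree and clean up afterwards."""
    base = build_sample_tree()
    try:
        return sweep([base / "share_a", base / "share_b"])
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['verdict']:10} {finding['file']}: {finding['key']}={finding['value']}")
```

Any non-empty run= or load= value is worth a look even when the name does not match; the Sidex names are only the ones this description records, and a variant could be dropped under another name.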

Other

The worm also installs a backdoor Trojan (“Backdoor.DRA”) on the infected machine.
To do this, it extracts the backdoor code from its resources, saves it as
C:\ALEVIRUS.EXE and C:\BACK.EXE, and runs it.

The worm creates the decoy file C:\SitesDeSexo.doc and writes the following text to it:

Estes são os melhores sites de SEXO da internet confira :)

(Portuguese: "These are the best SEX sites on the internet, check them out :)")

The worm then appends a list of porn sites to this file and opens it, so the victim sees the "document" promised by the attachment name.