Email-Worm.Win32.Silver

Class Email-Worm
Platform Win32
Description

Technical Details

This is a dangerous worm spreading through Internet and IRC channels, as well as infecting local network. The worm itself is Windows application written in Delphi about 90K of size (the worm also may be compressed by a PE EXE compression tool, so result file size can be less than original).

Sending emails

To send infected emails from affected computers the worm tries two different methods. First of all, it looks for Eudora mailer installed in the system. If there is one, the worm scans Eudora outgoing email database (OUT.MBX file), gets email addresses from there and sends infected emails
with attached worm copy to these addresses. The worm’s messages have:

Subject: concerning last week …
Text: Please review the enclosed and get back with me ASAP.
Double click the Icon to open it.

Attach: c:silver.exe

Next the worm tries installed email system not depending on the brand. To do that the worm uses MAPI functions: it connects to installed email system, gets messages from there, reads email addresses and uses them to send its copies. In this case the messages have:

Subject: Re: now this is a nice pic 🙂
Text: Thought you might be interested in seeing her
Attach: naked.jpg.exe

Infecting mIRC and PIRCH clients

To affect IRC clients the worm looks for C:MIRC, C:MIRC32, C:PIRCH98 directories and overwrites IRC scripts in there with a program that sends worm copy to each user who enters affected channel.

The mIRC script also has additional features. When a user sends to IRC channel a message that contains the text “silverrat”, the worm replies to that user with “I have the Silver Rat virus” message (so the worm reports
to the master about infected computers). If the “pyrealrat” text is found in the channel, the script opens the C: drive on affected machine as file server (that gives to worm master access to all data on the C: drive).

Spreading through local network

To infect remote computers on the network the worm scans all drives from C: till Z: and looks for WINDOWS directory in there. If there is one, the worm copies itself to there and registers in Windows auto-run section in
WIN.INI file, or in system registry depending on Windows version (Win9x or WinNT). So the worm is able to infect remote computers in case their drives are shared for reading/writing.

Installing into the system

To install itself into the system the worm copies itself to directories with the names:

to Windows dir: SILVER.EXE, SILVER.VXD, NAKED.JPG.EXE, NAKED.JPG.SCR
to C: drive root dir: SILVER.EXE

The worm then registers itself in auto-run fields in the system registry:

HKCUSoftwareMicrosoftWindowsCurrentVersionRun
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
HKUSoftwareMicrosoftWindowsCurrentVersionRun

All these fields will contains the instruction:

“Silver Rat” = WinDirsilver.exe

where “WinDir” is the name of Windows directory.

As a result the worm copy is executed four times on each Windows startup. To run itself more times (and to send more infected emails as a result) the worm also affects more registry keys.

Affecting registry keys

Windows applications are linked with filename extensions by special records in the system registry. These records point to application that is run to process files with specified extension. When a file is opened, Windows gets its extension and then refers to system registry to get the name of application that processes files of that type.

The worm uses that Windows feature and modifies more that 100 such registry keys – it replaces original reference to applications with a reference to its own copy (SILVER.VXD). The worm does that for three different keys
per application:

shellopencommand
shelleditcommand
Shellplaycommand

The patched registry keys looks like follows:

HKCRAIFFFILEshellopencommand = “C:WINDOWSsilver.vxd 33157 “%1″ %”
HKCRAIFFFILEshellplaycommand = “C:WINDOWSsilver.vxd 53157 “%1″ %”
HKCRASFFILEshellopencommand = “C:WINDOWSsilver.vxd 379157 “%1″ %”

where digits in the line are IDs to run the host file (see below).

The list of affected applications (registry keys that link filename extension with application) is rather large and looks like follows:

 accesshtmlfile      iqyfile             regedit                     fonfile
 accessthmltemplate  IVFfile             regfile                     GatewayFile
 AIFFFILE            jpegfile            SHCmdFile                   htafile
 AllaireTemplate     JSFile              SoundRec                    icsfile
 anifile             ldap                tgafile                     mhtmlfile
 artfile             mailto              txtfile                     MMS
 aspfile             mic                 VBSFile                     MMST
 AudioCD             MIDFile             wab_auto_file               MMSU
 aufile              money               Winamp.File                 NSM
 AVIFile             MOVFile             WinRAR                      MSBD
 Briefcase           MPEGFILE            WinRAR.ZIP                  motiffile
 cdafile             MPlayer             WinZip                      Msi.Package
 Chat                mscfile             wrifile                     Msi.Patch
 CSSfile             msee                WSFFile                     ofc.Document
 curfile             msgfile             x-internet-signup           ofx.Document
 Drive               MSProgramGroup      xbmfile                     pjpegfile
 DrWatsonLog         Net2PhoneApp        xmlfile                     PNM
 Excel.Workspace     NetscapeMarkup      xnkfile                     qwb.Document
 ftp                 news                xslfile                     rtsp
 giffile             nntp                m3ufile                     scpfile
 helpfile            Notes.Link          ASFFile                     scriptletfile
 hlpfile             ossfile             ASXFile                     SSM
 htfile              outlook             BeHostFile                  ThemeFile
 htmlfile            PBrush              ChannelFile                 TIFImage.Document
 http                pcxfile             chm.file                    ttffile
 https               pngfile             CMCD                        WangImage.Document
 icofile             powerpointhtmlfile  Connection Manager Profile  Whiteboard
 icquser             ramfile             eybfile                     WIFImage.Document
 inifile             RealMedia File      fndfile                     WSHFile

The worm stores original keys in the another registry key:

HKLMSoftwareSilver Rat

This key contains the list of all keys that were replaced as it was shown above. This list is used by the worm to run original application: the worm gets application name and command line from that “backup” list, and spawns it.

Such method of system registry affecting is very dangerous. In case the worm copy is remover from the system, Windows cannot pass files to application that are listed above. As a result, Windows stays mostly nonfunctional after that. In case a file from affected list is opened, it reports a error message that the associated SILVER.VXD cannot be found.

The worm pays special attention to system backup files and gets rid of them to prevent restoring the registry files from backup. To do that the worm corrupts (overwrites first 5K of each file with trash data) and deletes the
files:

USER.DA0 and SYSTEM.DA0 in Windows directory
SYSTEM.1ST in root directory of C: drive

“Uninstall” payload

The worm has a payload routine that is run in a case of “uninstalling”.

The worm creates the “uninstall” key in system registry:

HKLMSoftwareMicrosoftWindowsCurrentVersionUninstallSilver Rat
DisplayName = “Silver Rat Virus”
UninstallString = “c:silver.exe /uninstall”

As a result, the worm record is visible in ControlPanel/AddRemovePrograms window as “Silver Rat Virus”. In case “Remove” button is pressed, the worm
displays the message box:

Blood
“I have to return some videos” – American Psycho

and fills with garbage the header line in RecycleBin window (see picture).

Other features

The worm looks for active anti-virus applications and terminates them by their names:

AVP Monitor
Norton AntiVirus Auto-Protect
Norton AntiVirus v5.0
VShieldWin_Class
NAI_VS_STAT
McAfee VirusScan Scheduler
ZoneAlarm
WRQ NAMApp Class

It also looks for anti-virus files (databases) and deletes them:

*.AVC (AVP)
*.DAT (NAI)
BAVAP.VXD, NAVKRNLN.VXD (NAV)

The worm also tries to affect VBS files but fails because of a bug.