Technical Details
This is a dangerous worm spreading through Internet and IRC channels, as well as infecting local network. The worm itself is Windows application written in Delphi about 90K of size (the worm also may be compressed by a PE EXE compression tool, so result file size can be less than original).
Sending emails
To send infected emails from affected computers the worm tries two different methods. First of all, it looks for Eudora mailer installed in the system. If there is one, the worm scans Eudora outgoing email database (OUT.MBX file), gets email addresses from there and sends infected emails
with attached worm copy to these addresses. The worm’s messages have:
Subject: concerning last week …
Text: Please review the enclosed and get back with me ASAP.
Double click the Icon to open it.
Attach: c:silver.exe
Next the worm tries installed email system not depending on the brand. To do that the worm uses MAPI functions: it connects to installed email system, gets messages from there, reads email addresses and uses them to send its copies. In this case the messages have:
Subject: Re: now this is a nice pic 🙂
Text: Thought you might be interested in seeing her
Attach: naked.jpg.exe
Infecting mIRC and PIRCH clients
To affect IRC clients the worm looks for C:MIRC, C:MIRC32, C:PIRCH98 directories and overwrites IRC scripts in there with a program that sends worm copy to each user who enters affected channel.
The mIRC script also has additional features. When a user sends to IRC channel a message that contains the text “silverrat”, the worm replies to that user with “I have the Silver Rat virus” message (so the worm reports
to the master about infected computers). If the “pyrealrat” text is found in the channel, the script opens the C: drive on affected machine as file server (that gives to worm master access to all data on the C: drive).
Spreading through local network
To infect remote computers on the network the worm scans all drives from C: till Z: and looks for WINDOWS directory in there. If there is one, the worm copies itself to there and registers in Windows auto-run section in
WIN.INI file, or in system registry depending on Windows version (Win9x or WinNT). So the worm is able to infect remote computers in case their drives are shared for reading/writing.
Installing into the system
To install itself into the system the worm copies itself to directories with the names:
to Windows dir: SILVER.EXE, SILVER.VXD, NAKED.JPG.EXE, NAKED.JPG.SCR
to C: drive root dir: SILVER.EXE
The worm then registers itself in auto-run fields in the system registry:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
HKUSoftwareMicrosoftWindowsCurrentVersionRun
All these fields will contains the instruction:
“Silver Rat” = WinDirsilver.exe
where “WinDir” is the name of Windows directory.
As a result the worm copy is executed four times on each Windows startup. To run itself more times (and to send more infected emails as a result) the worm also affects more registry keys.
Affecting registry keys
Windows applications are linked with filename extensions by special records in the system registry. These records point to application that is run to process files with specified extension. When a file is opened, Windows gets its extension and then refers to system registry to get the name of application that processes files of that type.
The worm uses that Windows feature and modifies more that 100 such registry keys – it replaces original reference to applications with a reference to its own copy (SILVER.VXD). The worm does that for three different keys
per application:
shellopencommand
shelleditcommand
Shellplaycommand
The patched registry keys looks like follows:
HKCRAIFFFILEshellopencommand = “C:WINDOWSsilver.vxd 33157 “%1″ %”
HKCRAIFFFILEshellplaycommand = “C:WINDOWSsilver.vxd 53157 “%1″ %”
HKCRASFFILEshellopencommand = “C:WINDOWSsilver.vxd 379157 “%1″ %”
where digits in the line are IDs to run the host file (see below).
The list of affected applications (registry keys that link filename extension with application) is rather large and looks like follows:
accesshtmlfile iqyfile regedit fonfile
accessthmltemplate IVFfile regfile GatewayFile
AIFFFILE jpegfile SHCmdFile htafile
AllaireTemplate JSFile SoundRec icsfile
anifile ldap tgafile mhtmlfile
artfile mailto txtfile MMS
aspfile mic VBSFile MMST
AudioCD MIDFile wab_auto_file MMSU
aufile money Winamp.File NSM
AVIFile MOVFile WinRAR MSBD
Briefcase MPEGFILE WinRAR.ZIP motiffile
cdafile MPlayer WinZip Msi.Package
Chat mscfile wrifile Msi.Patch
CSSfile msee WSFFile ofc.Document
curfile msgfile x-internet-signup ofx.Document
Drive MSProgramGroup xbmfile pjpegfile
DrWatsonLog Net2PhoneApp xmlfile PNM
Excel.Workspace NetscapeMarkup xnkfile qwb.Document
ftp news xslfile rtsp
giffile nntp m3ufile scpfile
helpfile Notes.Link ASFFile scriptletfile
hlpfile ossfile ASXFile SSM
htfile outlook BeHostFile ThemeFile
htmlfile PBrush ChannelFile TIFImage.Document
http pcxfile chm.file ttffile
https pngfile CMCD WangImage.Document
icofile powerpointhtmlfile Connection Manager Profile Whiteboard
icquser ramfile eybfile WIFImage.Document
inifile RealMedia File fndfile WSHFile
The worm stores original keys in the another registry key:
HKLMSoftwareSilver Rat
This key contains the list of all keys that were replaced as it was shown above. This list is used by the worm to run original application: the worm gets application name and command line from that “backup” list, and spawns it.
Such method of system registry affecting is very dangerous. In case the worm copy is remover from the system, Windows cannot pass files to application that are listed above. As a result, Windows stays mostly nonfunctional after that. In case a file from affected list is opened, it reports a error message that the associated SILVER.VXD cannot be found.
The worm pays special attention to system backup files and gets rid of them to prevent restoring the registry files from backup. To do that the worm corrupts (overwrites first 5K of each file with trash data) and deletes the
files:
USER.DA0 and SYSTEM.DA0 in Windows directory
SYSTEM.1ST in root directory of C: drive
“Uninstall” payload
The worm has a payload routine that is run in a case of “uninstalling”.
The worm creates the “uninstall” key in system registry:
HKLMSoftwareMicrosoftWindowsCurrentVersionUninstallSilver Rat
DisplayName = “Silver Rat Virus”
UninstallString = “c:silver.exe /uninstall”
As a result, the worm record is visible in ControlPanel/AddRemovePrograms window as “Silver Rat Virus”. In case “Remove” button is pressed, the worm
displays the message box:
Blood
“I have to return some videos” – American Psycho
and fills with garbage the header line in RecycleBin window (see picture).
Other features
The worm looks for active anti-virus applications and terminates them by their names:
AVP Monitor
Norton AntiVirus Auto-Protect
Norton AntiVirus v5.0
VShieldWin_Class
NAI_VS_STAT
McAfee VirusScan Scheduler
ZoneAlarm
WRQ NAMApp Class
It also looks for anti-virus files (databases) and deletes them:
*.AVC (AVP)
*.DAT (NAI)
BAVAP.VXD, NAVKRNLN.VXD (NAV)
The worm also tries to affect VBS files but fails because of a bug.
|