Class: Email-Worm
Platform: Win32

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the "owner" (e.g. Backdoors), or programs that create multiple copies that are unable to self-replicate, are not part of the Viruses and Worms subclass. The main characteristic used to determine whether a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates, i.e. how the malicious program spreads copies of itself via local or network resources. Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks, etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting that the user open an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message, or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website). In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:
  • using a direct connection to an SMTP server, using the email directory built into the worm's code
  • using MS Outlook services
  • using Windows MAPI functions

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even "reply" to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. It is one of the most widespread programming platforms in the world.

Description

Technical Details

This is a dangerous worm that spreads through the Internet and IRC channels and also infects local networks. The worm itself is a Windows application written in Delphi, about 90K in size (the worm may also be compressed by a PE EXE compression tool, so the resulting file can be smaller than the original).

Sending emails

To send infected emails from affected computers the worm tries two different methods. First, it looks for the Eudora mailer installed in the system. If there is one, the worm scans the Eudora outgoing email database (the OUT.MBX file), gets email addresses from there and sends infected emails with an attached worm copy to these addresses. The worm's messages have:

Subject: concerning last week ...
Text: Please review the enclosed and get back with me ASAP.
Double click the Icon to open it.

Attach: c:\silver.exe

Next the worm tries the installed email system, whatever its brand. To do that the worm uses MAPI functions: it connects to the installed email system, gets messages from there, reads email addresses and uses them to send its copies. In this case the messages have:

Subject: Re: now this is a nice pic :-)
Text: Thought you might be interested in seeing her
Attach: naked.jpg.exe

Infecting mIRC and PIRCH clients

To affect IRC clients the worm looks for the C:\MIRC, C:\MIRC32 and C:\PIRCH98 directories and overwrites the IRC scripts there with a script that sends a worm copy to each user who enters the affected channel.

The mIRC script also has additional features. When a user sends to an IRC channel a message that contains the text "silverrat", the worm replies to that user with the message "I have the Silver Rat virus" (so the worm reports infected computers to its master). If the text "pyrealrat" is found in the channel, the script opens the C: drive of the affected machine as a file server (which gives the worm's master access to all data on the C: drive).

Spreading through local network

To infect remote computers on the network the worm scans all drives from C: through Z: and looks for a WINDOWS directory on each. If there is one, the worm copies itself there and registers in the Windows auto-run section, either in the WIN.INI file or in the system registry depending on the Windows version (Win9x or WinNT). So the worm is able to infect remote computers whose drives are shared for reading and writing.

Installing into the system

To install itself into the system the worm copies itself under the following names:

to Windows dir: SILVER.EXE, SILVER.VXD, NAKED.JPG.EXE, NAKED.JPG.SCR
to C: drive root dir: SILVER.EXE

The worm then registers itself in auto-run fields in the system registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKU\Software\Microsoft\Windows\CurrentVersion\Run

All these fields will contain the instruction:

"Silver Rat" = WinDir\silver.exe

where "WinDir" is the name of Windows directory.

As a result the worm copy is executed four times on each Windows startup. To run itself more often (and so send more infected emails) the worm also affects more registry keys.

Affecting registry keys

Windows applications are linked with filename extensions by special records in the system registry. These records point to the application that is run to process files with the specified extension. When a file is opened, Windows gets its extension and then refers to the system registry to get the name of the application that processes files of that type.

The worm uses that Windows feature and modifies more than 100 such registry keys: it replaces the original reference to the application with a reference to its own copy (SILVER.VXD). The worm does that for three different keys per application:

shell\open\command
shell\edit\command
Shell\play\command

The patched registry keys look like this:

HKCR\AIFFFILE\shell\open\command = "C:\WINDOWS\silver.vxd 33157 "%1" %"
HKCR\AIFFFILE\shell\play\command = "C:\WINDOWS\silver.vxd 53157 "%1" %"
HKCR\ASFFILE\shell\open\command = "C:\WINDOWS\silver.vxd 379157 "%1" %"

where digits in the line are IDs to run the host file (see below).

The list of affected applications (registry keys that link a filename extension with an application) is rather large:

 accesshtmlfile      iqyfile             regedit                     fonfile
 accessthmltemplate  IVFfile             regfile                     GatewayFile
 AIFFFILE            jpegfile            SHCmdFile                   htafile
 AllaireTemplate     JSFile              SoundRec                    icsfile
 anifile             ldap                tgafile                     mhtmlfile
 artfile             mailto              txtfile                     MMS
 aspfile             mic                 VBSFile                     MMST
 AudioCD             MIDFile             wab_auto_file               MMSU
 aufile              money               Winamp.File                 NSM
 AVIFile             MOVFile             WinRAR                      MSBD
 Briefcase           MPEGFILE            WinRAR.ZIP                  motiffile
 cdafile             MPlayer             WinZip                      Msi.Package
 Chat                mscfile             wrifile                     Msi.Patch
 CSSfile             msee                WSFFile                     ofc.Document
 curfile             msgfile             x-internet-signup           ofx.Document
 Drive               MSProgramGroup      xbmfile                     pjpegfile
 DrWatsonLog         Net2PhoneApp        xmlfile                     PNM
 Excel.Workspace     NetscapeMarkup      xnkfile                     qwb.Document
 ftp                 news                xslfile                     rtsp
 giffile             nntp                m3ufile                     scpfile
 helpfile            Notes.Link          ASFFile                     scriptletfile
 hlpfile             ossfile             ASXFile                     SSM
 htfile              outlook             BeHostFile                  ThemeFile
 htmlfile            PBrush              ChannelFile                 TIFImage.Document
 http                pcxfile             chm.file                    ttffile
 https               pngfile             CMCD                        WangImage.Document
 icofile             powerpointhtmlfile  Connection Manager Profile  Whiteboard
 icquser             ramfile             eybfile                     WIFImage.Document
 inifile             RealMedia File      fndfile                     WSHFile

The worm stores the original keys in another registry key:

HKLM\Software\Silver Rat

This key contains the list of all keys that were replaced as shown above. The worm uses this list to run the original application: it gets the application name and command line from that "backup" list and spawns it.

This method of modifying the system registry is very dangerous. If the worm copy is removed from the system, Windows can no longer pass files to the applications listed above, and the system stays mostly nonfunctional. When a file of an affected type is opened, Windows reports an error message that the associated SILVER.VXD cannot be found.
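As an added example (not part of the original description and not the worm's or any vendor's own code), the following Python script shows how a responder could audit an exported registry snapshot for the auto-run entries described under "Installing into the system" and for the hijacked shell\open\command style associations described in this section, and then generate a .reg file that puts the original commands back from the worm's own backup key before the worm copy is removed. The .reg text, the original commands and the ID-keyed layout of the HKLM\Software\Silver Rat backup key (value name = the numeric ID in the patched command, value data = the original command) are constructed assumptions for this example; the description does not state the backup key's format.

```python
import re
from typing import Dict, Optional

# Constructed sample in "reg export" text format (not a real capture). The layout
# of the worm's backup key, value name = the numeric ID from the patched command
# and value data = the original command, is an assumption for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Silver Rat"="C:\\WINDOWS\\silver.exe"
"Vendor Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CLASSES_ROOT\AIFFFILE\shell\open\command]
@="C:\\WINDOWS\\silver.vxd 33157 \"%1\" %*"

[HKEY_CLASSES_ROOT\AIFFFILE\shell\play\command]
@="C:\\WINDOWS\\silver.vxd 53157 \"%1\" %*"

[HKEY_CLASSES_ROOT\giffile\shell\open\command]
@="C:\\WINDOWS\\silver.vxd 77157 \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\Software\Silver Rat]
"33157"="C:\\WINDOWS\\mplayer.exe \"%1\""
"53157"="C:\\WINDOWS\\mplayer.exe /play \"%1\""
'''

AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
BACKUP_KEY = r"HKEY_LOCAL_MACHINE\Software\Silver Rat"
WORM_FILES = ("silver.exe", "silver.vxd")
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')   # "name"=data or @=data
HIJACK_RE = re.compile(r"silver\.vxd\s+(\d+)\b", re.IGNORECASE)  # worm binary + its ID

def _unescape(s: str) -> str:
    # Undo .reg escaping (backslash-backslash, backslash-quote), scanning left to right.
    out, i = [], 0
    while i < len(s):
        step = 2 if s[i] == "\\" and i + 1 < len(s) else 1
        out.append(s[i + step - 1])
        i += step
    return "".join(out)

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of a .reg file needed here: key paths and their REG_SZ values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if current is None or m is None:
            continue  # header, blank, ';' comment or dword:/hex: value: not needed
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            name = "" if m.group(1) is None else _unescape(m.group(1))
            current[name] = _unescape(data[1:-1])
    return keys

def find_autorun_entries(reg: Dict[str, Dict[str, str]]) -> list:
    """Auto-run values (key, name, command) whose command names one of the worm's files."""
    return [(key, name, cmd) for key in AUTORUN_KEYS
            for name, cmd in reg.get(key, {}).items()
            if any(w in cmd.lower() for w in WORM_FILES)]

def find_hijacked_associations(reg: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """HKCR ...\\command keys whose default value runs silver.vxd, mapped to the ID it carries."""
    hijacked = {}
    for key, values in reg.items():
        if key.startswith("HKEY_CLASSES_ROOT\\") and key.lower().endswith("\\command"):
            m = HIJACK_RE.search(values.get("", ""))
            if m:
                hijacked[key] = m.group(1)
    return hijacked

def plan_restore(reg: Dict[str, Dict[str, str]]) -> Dict[str, Optional[str]]:
    """Original command for each hijacked key, or None when the worm's backup has no entry."""
    backup = reg.get(BACKUP_KEY, {})
    return {key: backup.get(wid) for key, wid in find_hijacked_associations(reg).items()}

def render_restore_reg(plan: Dict[str, Optional[str]]) -> str:
    """A .reg file that puts the original commands back; keys without a backup get a comment."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, original in sorted(plan.items()):
        if original is None:
            lines.append(f"; {key}: no backup entry, restore this association by hand")
        else:
            escaped = original.replace("\\", "\\\\").replace('"', '\\"')
            lines.append(f"[{key}]")
            lines.append(f'@="{escaped}"')
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    snapshot = parse_reg_export(SAMPLE_REG)
    for key, name, cmd in find_autorun_entries(snapshot):
        print(f"autorun {key} : {name} = {cmd}")
    print(render_restore_reg(plan_restore(snapshot)))
```

On a real machine the input would be the output of `reg export` for HKCR, the Run keys and the backup key; the script deliberately only emits a .reg file rather than touching the registry, so the restore can be reviewed before it is imported, and any hijacked association with no backup entry (the giffile case in the sample) is flagged for manual repair instead of being silently left pointing at SILVER.VXD.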

The worm pays special attention to system backup files and gets rid of them to prevent the registry files from being restored from backup. To do that the worm corrupts (overwrites the first 5K of each file with trash data) and then deletes the files:

USER.DA0 and SYSTEM.DA0 in Windows directory
SYSTEM.1ST in root directory of C: drive

"Uninstall" payload

The worm has a payload routine that is run in the case of "uninstalling".

The worm creates the "uninstall" key in the system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Silver Rat
DisplayName = "Silver Rat Virus"
UninstallString = "c:\silver.exe /uninstall"

As a result, the worm's record is visible in the Control Panel / Add/Remove Programs window as "Silver Rat Virus". If the "Remove" button is pressed, the worm displays the message box:

Blood
"I have to return some videos" - American Psycho

and fills the header line of the Recycle Bin window with garbage (see picture).

Other features

The worm looks for active anti-virus applications and terminates them by their names:

AVP Monitor
Norton AntiVirus Auto-Protect
Norton AntiVirus v5.0
VShieldWin_Class
NAI_VS_STAT
McAfee VirusScan Scheduler
ZoneAlarm
WRQ NAMApp Class

It also looks for anti-virus files (databases) and deletes them:

*.AVC (AVP)
*.DAT (NAI)
BAVAP.VXD, NAVKRNLN.VXD (NAV)

The worm also tries to affect VBS files but fails because of a bug.

