Parent class: VirWare
Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:- file viruses
- boot sector viruses
- macro viruses
- script viruses
Class: Email-Worm
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website). In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated. Email-Worms use a range of methods to send infected emails. The most common are: using a direct connection to a SMTP server using the email directory built into the worm’s code using MS Outlook services using Windows MAPI functions. Email-Worms use a number of different sources to find email addresses to which infected emails will be sent: the address book in MS Outlook a WAB address database .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses emails in the inbox (some Email-Worms even “reply” to emails found in the inbox) Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.Read more
Platform: Win32
Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.Description
Technical Details
This is a dangerous worm spreading through Internet and IRC channels, as well as infecting local network. The worm itself is Windows application written in Delphi about 90K of size (the worm also may be compressed by a PE EXE compression tool, so result file size can be less than original).
Sending emails
To send infected emails from affected computers the worm tries two different methods. First of all, it looks for Eudora mailer installed in the system. If there is one, the worm scans Eudora outgoing email database (OUT.MBX file), gets email addresses from there and sends infected emails with attached worm copy to these addresses. The worm's messages have:
Subject: concerning last week ...
Text: Please review the enclosed and get back with me ASAP.
Double click the Icon to open it.
Attach: c:silver.exe
Next the worm tries installed email system not depending on the brand. To do that the worm uses MAPI functions: it connects to installed email system, gets messages from there, reads email addresses and uses them to send its copies. In this case the messages have:
Subject: Re: now this is a nice pic :-)
Text: Thought you might be interested in seeing her
Attach: naked.jpg.exe
Infecting mIRC and PIRCH clients
To affect IRC clients the worm looks for C:MIRC, C:MIRC32, C:PIRCH98 directories and overwrites IRC scripts in there with a program that sends worm copy to each user who enters affected channel.
The mIRC script also has additional features. When a user sends to IRC channel a message that contains the text "silverrat", the worm replies to that user with "I have the Silver Rat virus" message (so the worm reports to the master about infected computers). If the "pyrealrat" text is found in the channel, the script opens the C: drive on affected machine as file server (that gives to worm master access to all data on the C: drive).
Spreading through local network
To infect remote computers on the network the worm scans all drives from C: till Z: and looks for WINDOWS directory in there. If there is one, the worm copies itself to there and registers in Windows auto-run section in WIN.INI file, or in system registry depending on Windows version (Win9x or WinNT). So the worm is able to infect remote computers in case their drives are shared for reading/writing.
Installing into the system
To install itself into the system the worm copies itself to directories with the names:
to Windows dir: SILVER.EXE, SILVER.VXD, NAKED.JPG.EXE, NAKED.JPG.SCRto C: drive root dir: SILVER.EXE
The worm then registers itself in auto-run fields in the system registry:
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
HKUSoftwareMicrosoftWindowsCurrentVersionRunAll these fields will contains the instruction:
"Silver Rat" = WinDirsilver.exewhere "WinDir" is the name of Windows directory.
As a result the worm copy is executed four times on each Windows startup. To run itself more times (and to send more infected emails as a result) the worm also affects more registry keys.
Affecting registry keys
Windows applications are linked with filename extensions by special records in the system registry. These records point to application that is run to process files with specified extension. When a file is opened, Windows gets its extension and then refers to system registry to get the name of application that processes files of that type.
The worm uses that Windows feature and modifies more that 100 such registry keys - it replaces original reference to applications with a reference to its own copy (SILVER.VXD). The worm does that for three different keys per application:
shellopencommand
shelleditcommand
ShellplaycommandThe patched registry keys looks like follows:
HKCRAIFFFILEshellopencommand = "C:WINDOWSsilver.vxd 33157 "%1" %"
HKCRAIFFFILEshellplaycommand = "C:WINDOWSsilver.vxd 53157 "%1" %"
HKCRASFFILEshellopencommand = "C:WINDOWSsilver.vxd 379157 "%1" %"where digits in the line are IDs to run the host file (see below).
The list of affected applications (registry keys that link filename extension with application) is rather large and looks like follows:
accesshtmlfile iqyfile regedit fonfile accessthmltemplate IVFfile regfile GatewayFile AIFFFILE jpegfile SHCmdFile htafile AllaireTemplate JSFile SoundRec icsfile anifile ldap tgafile mhtmlfile artfile mailto txtfile MMS aspfile mic VBSFile MMST AudioCD MIDFile wab_auto_file MMSU aufile money Winamp.File NSM AVIFile MOVFile WinRAR MSBD Briefcase MPEGFILE WinRAR.ZIP motiffile cdafile MPlayer WinZip Msi.Package Chat mscfile wrifile Msi.Patch CSSfile msee WSFFile ofc.Document curfile msgfile x-internet-signup ofx.Document Drive MSProgramGroup xbmfile pjpegfile DrWatsonLog Net2PhoneApp xmlfile PNM Excel.Workspace NetscapeMarkup xnkfile qwb.Document ftp news xslfile rtsp giffile nntp m3ufile scpfile helpfile Notes.Link ASFFile scriptletfile hlpfile ossfile ASXFile SSM htfile outlook BeHostFile ThemeFile htmlfile PBrush ChannelFile TIFImage.Document http pcxfile chm.file ttffile https pngfile CMCD WangImage.Document icofile powerpointhtmlfile Connection Manager Profile Whiteboard icquser ramfile eybfile WIFImage.Document inifile RealMedia File fndfile WSHFileThe worm stores original keys in the another registry key:
HKLMSoftwareSilver RatThis key contains the list of all keys that were replaced as it was shown above. This list is used by the worm to run original application: the worm gets application name and command line from that "backup" list, and spawns it.
Such method of system registry affecting is very dangerous. In case the worm copy is remover from the system, Windows cannot pass files to application that are listed above. As a result, Windows stays mostly nonfunctional after that. In case a file from affected list is opened, it reports a error message that the associated SILVER.VXD cannot be found.
The worm pays special attention to system backup files and gets rid of them to prevent restoring the registry files from backup. To do that the worm corrupts (overwrites first 5K of each file with trash data) and deletes the files:
USER.DA0 and SYSTEM.DA0 in Windows directory
SYSTEM.1ST in root directory of C: drive"Uninstall" payload
The worm has a payload routine that is run in a case of "uninstalling".
The worm creates the "uninstall" key in system registry:
HKLMSoftwareMicrosoftWindowsCurrentVersionUninstallSilver Rat
DisplayName = "Silver Rat Virus"
UninstallString = "c:silver.exe /uninstall"As a result, the worm record is visible in ControlPanel/AddRemovePrograms window as "Silver Rat Virus". In case "Remove" button is pressed, the worm displays the message box:
Blood
"I have to return some videos" - American Psychoand fills with garbage the header line in RecycleBin window (see picture).
Other features
The worm looks for active anti-virus applications and terminates them by their names:
AVP Monitor
Norton AntiVirus Auto-Protect
Norton AntiVirus v5.0
VShieldWin_Class
NAI_VS_STAT
McAfee VirusScan Scheduler
ZoneAlarm
WRQ NAMApp ClassIt also looks for anti-virus files (databases) and deletes them:
*.AVC (AVP)
*.DAT (NAI)
BAVAP.VXD, NAVKRNLN.VXD (NAV)The worm also tries to affect VBS files but fails because of a bug.
Read more
Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com
Found an inaccuracy in the description of this vulnerability? Let us know!