Parent class: VirWare
Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:- file viruses
- boot sector viruses
- macro viruses
- script viruses
Class: Email-Worm
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website). In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated. Email-Worms use a range of methods to send infected emails. The most common are: using a direct connection to a SMTP server using the email directory built into the worm’s code using MS Outlook services using Windows MAPI functions. Email-Worms use a number of different sources to find email addresses to which infected emails will be sent: the address book in MS Outlook a WAB address database .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses emails in the inbox (some Email-Worms even “reply” to emails found in the inbox) Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.Read more
Platform: Win32
Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.Description
Technical Details
This is an Internet worm (virus of the worm type) spreading via e-mails, IRC channels, infecting files on local computers and spreading itself to a local network. It also steals system passwords (PWL files) from infected computers, as well as has many harmless and dangerous payload routines. The worm itself is about 80Kb in size Win32 (PE EXE - Portable Executable) program written in Delphi, the "pure" worm code occupies about 20Kb and the rest is Delphi runtime library code, data, and the program's miscellaneous information.
The worm arrives as an e-mail with a fake message (see below) and attached PKZIP.EXE file that is the worm program itself. When the worm is executed, it installs itself into the system, infects files on a local drive, infects available logical drives, infects installed mIRC client, and sends infected e-mails by using the Eudora mail system.
Installing into the system
To install itself into the system, the worm copies itself with the KERNEL.EXE name into the Windows directory (on Win95/98 machines) or to the Windows system directory (on WinNT), and registers itself in the system registry auto-run key:
SOFTWAREMicrosoftWindowsCurrentVersionRun SysClock=kernel.exe
The worm also has an additional installation routine that installs the worm copies to all available drives. This routine is described below.
Infecting a computer
The worm is able to infect about 40 files on a computer, and infects no more than four files on each run. The worm infects files in the Windows directory:
NOTEPAD.EXE, CALC.EXE, DEFRAG.EXE, SCANDSKW.EXE, WRITE.EXE, WINIPCFG.EXE, SCANREGW.EXE, DRWTSN32.EXE, NTBACKUP.EXE, REGEDT32.EXE, TASKMGR.EXE, USRMGR.EXE
The worm then infects programs that are associated with registry keys:
SOFTWAREClassesAccess.Application.8 shellopencommand SOFTWAREClassesAudioCD shellplaycommand SOFTWAREClassesAVIFile shellplaycommand SOFTWAREClassescdafile shellplaycommand SOFTWAREClassesChat shellopencommand SOFTWAREClientsNewsForte Agent shellopencommand SOFTWAREClassesExcel.Sheet.8 shellopencommand SOFTWAREClassesftp shellopencommand SOFTWAREClassesgiffile shellopencommand SOFTWAREClasseshlpfile shellopencommand SOFTWAREClassesEudora DefaultIcon SOFTWAREClassesEudora shellopencommand SOFTWAREClassesMicrosoft Internet Mail Message shellopencommand SOFTWAREClassesMicrosoft Internet News Message shellopencommand SOFTWAREClassesMOVFile shellopencommand SOFTWAREClassesMsi.Package shellopencommand SOFTWAREClassespcANYWHERE32 shellopencommand SOFTWAREClassesQuickView shellopencommand SOFTWAREClassesRealPlayer.RAM.6 shellopencommand SOFTWAREClassesWinamp.File shellopencommand SOFTWAREClassesUnfinished Download shellopencommand SOFTWAREClassesUltraEdit-32 Document shellopencommand SOFTWAREClassesWhiteboard shellopencommand SOFTWAREClassesvcard_wab_auto_file shellopencommand SOFTWAREUlead SystemsUlead PhotoImpact4.0PathIeEdit.exe SOFTWAREKasperskyLabComponents102EXEName
While infecting each file, the worm uses the companion infection method: it renames a victim file with eight-bytes randomly named and .EXE extension (for example: GTGUQPPA.EXE, XOHSKVXQ.EXE, etc.) and places itself with the name of original file. As a result, the worm copy will be executed each time a user or system runs the infected file.
To return control back to the host file, the worm stores the file names in the registry key HKCUAppEventsSchemesApps.DefaultSystemStartWindows, for example:
C:WIN95calc.exe "gtguqppa.exe" C:WIN95mplayer.exe "xohskvxq.exe" e.t.c.
This information can be used to disinfect the computer.
To detect already infected files, the worm uses the FileVersion that is stored in PE EXE file resources. In infected files, this variable is set to "1.3.5.7".
Infecting local and network drives
The worm also copies itself and "registers" to available logical drives: removable, fixed and network. While infecting removable files, the worm looks for the AUTOEXEC.BAT file on them, adds an instruction to run the PKZIP.EXE file upon loading from the drive, and copies itself to the drive with the PKZIP.EXE file name.
Upon infecting hard drives, the worm looks for the PKZIP.EXE file in the root directories on these drives, and copies itself with this name if such a file does not exits there. To run this file, the worm creates the AUTORUN.INF file on the drive and writes a block of instructions to there to run the PKZIP.EXE file (worm copy) upon the next Windows star-tup:
[autorun] open=pkzip.exe
While infecting a remote drive, the worm first of all checks this drive for written permission. To do this, the worm creates the TEMP9385.058 file in there, and deletes it. In case no errors occurred during operation, the worm continues spreading to the drive. It copies itself to there with the PKZIP.EXE name and creates the AUTORUN.INF file in the same way as while affecting fixed drives on local computer. In addition, the worm looks for Windows and WinNT directories on the drive and registers its PKZIP.EXE copy in the WIN.INI file in [windows] "run" instruction. This operation also causes worm-copy execution on the next Windows start-up.
While infecting network drives, the worm also destroys several executable files there, if they exist, and overwrites them with its copy:
Acrobat3ReaderAcrord32.exe Eudora95Eudora.exe Program FilesMicrosoft OfficeOfficeOutlook.exe Program FilesInternet ExplorerIexplore.exe Program FilesWinZipWinZip32.exe Program FilesMicrosoft OfficeOfficeWinWord.exe Program FilesNetscapeProgramNetscape.exe
Infecting mIRC client and spreading via IRC channels
This routine is executed depending on the system time, not each time the infected files run. It looks for mIRC client installed in the system by accessing mIRC script file in the directories:
C:MIRCSCRIPT.INI C:MIRC32SCRIPT.INI C:Program FilesMIRCSCRIPT.INI C:Program FilesMIRC32SCRIPT.INI
If no such files exist, the worm leaves infection routine. Otherwise it overwrite the SCRIPT.INI file with instruction that sends the C:PKZIP.EXE file to everybody entering the affected channel.
Sending infected emails
This routine is executed depending on the system time, as well as mIRC infection routine. First of all the worm gets the Eudora directory name by accessing the registry key: SoftwareQualcommEudoraCommandLine. The worm then scans the Eudora outgoing mails database (the OUT.MBX files), gets addresses from there and stores them in the list the infected message will be sent to. It seems that the worm also adds the "support@microsoft.com" email address to this list.
The worm then prepares the C:USER.MSG file that will be used then to initialize Eudora sendmail system. The worm writes to there all necessary data to send the message with infected attach:
To: addresses list from OUT.MBX file, plus "support@microsoft.com" Subject: here's what u requested X-Attachments: c:pkzip.exe; Message body: You had requested this a while back, so here you are. enjoy.
The worm then opens the C:USER.MSG file by a Windows function that activates Eudora sendmail.
Stealing password files
While installing into the system and infecting files the worm also looks for Windows password files (.PWL files), reads passwords data from there and attaches to infected file body.
The worm does not send the passwords to any Internet address, but just keeps them attached to the infected files. As a result the stolen passwords leave the computer only in case the worm spreads its copies to Internet or IRC channels.
Payload routines
The worm has many payload routines that are activated depending on the system date and time. The worm by these routines:
- Halts the computer by launching unlimited number of threads.
- Overwrites the .DEFAULTSoftwareMicrosoftRegEdt32Settings registry key with "AutoRefresh=0" value.
- Changes the Internet Explorer settings. By rewriting the SOFTWAREMicrosoftInternet ExplorerMain registry keys the worms sets the "Start Page" to "http://www.whitehouse.com/" and "Search Page" to "http://www.bigboobies.com", and disables Internet cache updating.
By rewriting the SOFTWAREMicrosoftInternet ExplorerSearchUrl and SOFTWAREMicrosoftInternet ExplorerTypedURLs registry keys the worm sets the "http://www.gayextreme.com/queer/handle-it.html" Web page to first position of recently used Web pages; sets "SearchURL" to "http://www.fetishrealm.com/fatgirls/pic3.htm";
- By rewriting the SoftwareMirabilisICQBookmarks registry key sets:
"Main Page" to "http://www.biggfantac.com/terra/index.html", "Customer Support" to "http://www.pornoparty.net" "Menu" to "http://www.gayextreme.com/queer/handle-it.html"
- Deletes all keys from
SOFTWAREMicrosoftWindowsCurrentVersionUninstall or SOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZones
- Sets Windows settings:
RegisteredOwner = "Idiot with a Virus" RegisteredOrganization and ProductID = "Registry Rage Virus L1999"
- Creates C:POEM1.TXT or C:POEM2.TXT files, writes one of the texts to there (see below), and opens them with NOTEPAD.EXE. The texts looks as follows:
To earn for the body and the mind whatever adheres and goes forward and is not dropt by death; I will effuse egotism and show it underlying all, and I will be the bard of personality, And I will show of male and female that either is but the equal of the other, And I will show that there is no imperfection in the present, and can be none in the future, And I will show that whatever happens to anybody it may be turn'd to beautiful results, And I will show that nothing can happen more beautiful than death ... - Walt Whitman Nothing divine dies. All good is eternally reproductive. The beauty of nature reforms itself in the mind, and not for barren contemplation, but for new creation. All men are in some degree impressed by the face of the world; some men even to delight. This love of beauty is Taste. Others have the same love in such excess, that, not content with admiring, they seek to embody it in new forms. The creation of beauty is Art. - Ralph Waldo Emerson
The worm's payload routines also erase or modify miscellaneous Windows settings, minimize Backup and ScanDisk settings, erase Registry backup, e.t.c.
Read more
Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com