Email-Worm.Win32.SysClock

Class Email-Worm
Platform Win32
Description

Technical Details

This is an Internet worm (virus of the worm type) spreading via e-mails,
IRC channels, infecting files on local computers and spreading itself to
a local network. It also steals system passwords (PWL files) from infected
computers, as well as has many harmless and dangerous payload routines. The
worm itself is about 80Kb in size Win32 (PE EXE – Portable Executable)
program written in Delphi, the “pure” worm code occupies about 20Kb and the
rest is Delphi runtime library code, data, and the program’s miscellaneous
information.

The worm arrives as an e-mail with a fake message (see below) and attached
PKZIP.EXE file that is the worm program itself. When the worm is
executed, it installs itself into the system, infects files on a local drive,
infects available logical drives, infects installed mIRC client, and sends
infected e-mails by using the Eudora mail system.

Installing into the system

To install itself into the system, the worm copies itself with the
KERNEL.EXE name into the Windows directory (on Win95/98 machines) or to
the Windows system directory (on WinNT), and registers itself in the system
registry auto-run key:


SOFTWAREMicrosoftWindowsCurrentVersionRun SysClock=kernel.exe

The worm also has an additional installation routine that installs the worm
copies to all available drives. This routine is described below.

Infecting a computer

The worm is able to infect about 40 files on a computer, and infects no
more than four files on each run. The worm infects files in the
Windows directory:


NOTEPAD.EXE, CALC.EXE, DEFRAG.EXE, SCANDSKW.EXE, WRITE.EXE, WINIPCFG.EXE,
SCANREGW.EXE, DRWTSN32.EXE, NTBACKUP.EXE, REGEDT32.EXE, TASKMGR.EXE,
USRMGR.EXE

The worm then infects programs that are associated with registry keys:


SOFTWAREClassesAccess.Application.8 shellopencommand
SOFTWAREClassesAudioCD shellplaycommand
SOFTWAREClassesAVIFile shellplaycommand
SOFTWAREClassescdafile shellplaycommand
SOFTWAREClassesChat shellopencommand
SOFTWAREClientsNewsForte Agent shellopencommand
SOFTWAREClassesExcel.Sheet.8 shellopencommand
SOFTWAREClassesftp shellopencommand
SOFTWAREClassesgiffile shellopencommand
SOFTWAREClasseshlpfile shellopencommand
SOFTWAREClassesEudora DefaultIcon
SOFTWAREClassesEudora shellopencommand
SOFTWAREClassesMicrosoft Internet Mail Message shellopencommand
SOFTWAREClassesMicrosoft Internet News Message shellopencommand
SOFTWAREClassesMOVFile shellopencommand
SOFTWAREClassesMsi.Package shellopencommand
SOFTWAREClassespcANYWHERE32 shellopencommand
SOFTWAREClassesQuickView shellopencommand
SOFTWAREClassesRealPlayer.RAM.6 shellopencommand
SOFTWAREClassesWinamp.File shellopencommand
SOFTWAREClassesUnfinished Download shellopencommand
SOFTWAREClassesUltraEdit-32 Document shellopencommand
SOFTWAREClassesWhiteboard shellopencommand
SOFTWAREClassesvcard_wab_auto_file shellopencommand
SOFTWAREUlead SystemsUlead PhotoImpact4.0PathIeEdit.exe
SOFTWAREKasperskyLabComponents102EXEName

While infecting each file, the worm uses the companion infection method: it renames a victim file with eight-bytes randomly named and .EXE
extension (for example: GTGUQPPA.EXE, XOHSKVXQ.EXE, etc.) and places
itself with the name of original file. As a result, the worm copy will be
executed each time a user or system runs the infected file.

To return control back to the host file, the worm stores the file names in
the registry key HKCUAppEventsSchemesApps.DefaultSystemStartWindows,
for example:


C:WIN95calc.exe “gtguqppa.exe”
C:WIN95mplayer.exe “xohskvxq.exe”
e.t.c.

This information can be used to disinfect the computer.

To detect already infected files, the worm uses the FileVersion that is
stored in PE EXE file resources. In infected files, this variable is set to
“1.3.5.7”.

Infecting local and network drives

The worm also copies itself and “registers” to available logical drives:
removable, fixed and network. While infecting removable files, the worm
looks for the AUTOEXEC.BAT file on them, adds an instruction to run the
PKZIP.EXE file upon loading from the drive, and copies itself to the drive
with the PKZIP.EXE file name.

Upon infecting hard drives, the worm looks for the PKZIP.EXE file in the root
directories on these drives, and copies itself with this name if such a file
does not exits there. To run this file, the worm creates the AUTORUN.INF
file on the drive and writes a block of instructions to there to run the
PKZIP.EXE file (worm copy) upon the next Windows star-tup:


[autorun]
open=pkzip.exe

While infecting a remote drive, the worm first of all checks this drive for
written permission. To do this, the worm creates the TEMP9385.058 file in
there, and deletes it. In case no errors occurred during operation, the worm
continues spreading to the drive. It copies itself to there with the
PKZIP.EXE name and creates the AUTORUN.INF file in the same way as while
affecting fixed drives on local computer. In addition, the worm looks for
Windows and WinNT directories on the drive and registers its PKZIP.EXE
copy in the WIN.INI file in [windows] “run” instruction. This operation
also causes worm-copy execution on the next Windows start-up.

While infecting network drives, the worm also destroys several executable
files there, if they exist, and overwrites them with its copy:


Acrobat3ReaderAcrord32.exe
Eudora95Eudora.exe
Program FilesMicrosoft OfficeOfficeOutlook.exe
Program FilesInternet ExplorerIexplore.exe
Program FilesWinZipWinZip32.exe
Program FilesMicrosoft OfficeOfficeWinWord.exe
Program FilesNetscapeProgramNetscape.exe

Infecting mIRC client and spreading via IRC channels

This routine is executed depending on the system time, not each time the
infected files run. It looks for mIRC client installed in the system by
accessing mIRC script file in the directories:


C:MIRCSCRIPT.INI
C:MIRC32SCRIPT.INI
C:Program FilesMIRCSCRIPT.INI
C:Program FilesMIRC32SCRIPT.INI

If no such files exist, the worm leaves infection routine. Otherwise it
overwrite the SCRIPT.INI file with instruction that sends the C:PKZIP.EXE
file to everybody entering the affected channel.

Sending infected emails

This routine is executed depending on the system time, as well as mIRC
infection routine. First of all the worm gets the Eudora directory name by
accessing the registry key: SoftwareQualcommEudoraCommandLine. The worm
then scans the Eudora outgoing mails database (the OUT.MBX files), gets
addresses from there and stores them in the list the infected message will
be sent to. It seems that the worm also adds the “support@microsoft.com”
email address to this list.

The worm then prepares the C:USER.MSG file that will be used then to
initialize Eudora sendmail system. The worm writes to there all necessary
data to send the message with infected attach:


To: addresses list from OUT.MBX file, plus “support@microsoft.com”
Subject: here’s what u requested
X-Attachments: c:pkzip.exe;
Message body:
You had requested this a while back, so here you are.
enjoy.

The worm then opens the C:USER.MSG file by a Windows function that
activates Eudora sendmail.

Stealing password files

While installing into the system and infecting files the worm also looks
for Windows password files (.PWL files), reads passwords data from there
and attaches to infected file body.

The worm does not send the passwords to any Internet address, but just
keeps them attached to the infected files. As a result the stolen passwords
leave the computer only in case the worm spreads its copies to Internet or
IRC channels.

Payload routines

The worm has many payload routines that are activated depending on the
system date and time. The worm by these routines:

– Halts the computer by launching unlimited number of threads.

– Overwrites the .DEFAULTSoftwareMicrosoftRegEdt32Settings registry
key with “AutoRefresh=0” value.

– Changes the Internet Explorer settings. By rewriting the
SOFTWAREMicrosoftInternet ExplorerMain registry keys the worms sets the
“Start Page” to “http://www.whitehouse.com/” and “Search Page” to
“http://www.bigboobies.com”, and disables Internet cache updating.

By rewriting the SOFTWAREMicrosoftInternet ExplorerSearchUrl and
SOFTWAREMicrosoftInternet ExplorerTypedURLs registry keys the worm sets
the “http://www.gayextreme.com/queer/handle-it.html” Web page to first
position of recently used Web pages; sets “SearchURL” to
“http://www.fetishrealm.com/fatgirls/pic3.htm”;

– By rewriting the SoftwareMirabilisICQBookmarks registry key sets:


“Main Page” to “http://www.biggfantac.com/terra/index.html”,
“Customer Support” to “http://www.pornoparty.net”
“Menu” to “http://www.gayextreme.com/queer/handle-it.html”

– Deletes all keys from


SOFTWAREMicrosoftWindowsCurrentVersionUninstall or
SOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsZones

– Sets Windows settings:


RegisteredOwner = “Idiot with a Virus”
RegisteredOrganization and ProductID = “Registry Rage Virus L1999”

– Creates C:POEM1.TXT or C:POEM2.TXT files, writes one of the texts to
there (see below), and opens them with NOTEPAD.EXE. The texts looks as
follows:


To earn for the body and the mind whatever adheres and goes forward
and is not dropt by death;
I will effuse egotism and show it underlying all, and I will be the
bard of personality,
And I will show of male and female that either is but the equal of
the other,
And I will show that there is no imperfection in the present, and
can be none in the future,
And I will show that whatever happens to anybody it may be turn’d to
beautiful results,
And I will show that nothing can happen more beautiful than death …
– Walt Whitman
Nothing divine dies. All good is eternally reproductive. The beauty of
nature reforms itself in the mind, and not for barren contemplation,
but for new creation.
All men are in some degree impressed by the face of the world; some men
even to delight. This love of beauty is Taste. Others have the same love
in such excess, that, not content with admiring, they seek to embody
it in new forms. The creation of beauty is Art.
– Ralph Waldo Emerson

The worm’s payload routines also erase or modify miscellaneous Windows
settings, minimize Backup and ScanDisk settings, erase Registry backup,
e.t.c.