Email-Worm.Win32.Tetris

Class Email-Worm
Platform Win32
Description

Technical Details

This is an IRC worm that spreads via IRC channels. The worm itself is a Win32 application about 70Kb in size. It has two main routines, infection and game, both of which are activated when the infected program runs. The first one installs the worm on the computer so that it will spread copies of itself further through IRC
chats; the second one displays a “Tetris” game that is used to mask the worm’s activity: this routine is a complete, fully playable “Tetris”-like game.

To spread itself, the worm looks for an mIRC client in four directories:

C:\Mirc
C:\Program Files\mirc
D:\mirc
D:\Program Files\mirc

If one is found, the worm creates additional files:

C:\Windows\script.bak – mIRC script program
C:\backup.vbs – VBS program that later will complete installation
C:\Windows\system.exe – copy of worm EXE file

The “C:\backup.vbs” file is then registered in the auto-run registry key as:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SysFile = C:\Backup.vbs

As a result, it is run each time the system starts up, and it then copies the files:

C:\Windows\script.bak to the mIRC directory under the name “script.ini”
C:\Windows\system.exe to C:\tetris.exe

The “script.ini” file is a short mIRC script that sends the C:\tetris.exe file to everybody who joins the infected channel.
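As an added example (not the worm's code and not part of the original entry), the following Python triage script checks a host for the two artifacts described above: a Run value that launches a script file from a drive root, and a mIRC script whose JOIN handler DCC-sends a file to the joining user. Both sample inputs are constructed for the example; the Run-key text mimics the layout of `reg query` output, and the mIRC lines are a hypothetical illustration of the spreading pattern, not the worm's actual script.ini.

```python
"""Triage helpers for the mIRC persistence/spreading pattern described above.

Added example, not the worm's own code. Sample inputs are constructed.
"""
import re

# Constructed sample in the layout `reg query HKLM\...\Run` prints
# (value name, type, data). "SysFile" mirrors the entry described on the page.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SysFile    REG_SZ    C:\Backup.vbs
    ctfmon     REG_SZ    C:\Windows\System32\ctfmon.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /silent
"""

# Constructed, hypothetical mIRC script.ini: an on-JOIN handler that DCC-sends
# a file to whoever joins, plus a benign handler. Not the worm's real script.
SAMPLE_SCRIPT_INI = r"""
[script]
n0=on 1:JOIN:#:{ /dcc send $nick C:\tetris.exe }
n1=on 1:TEXT:*hello*:#:{ /msg $nick hi }
"""

RUN_VALUE_RE = re.compile(r"^\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")
ON_JOIN_RE = re.compile(r"^on\s+\S+:join:", re.IGNORECASE)
DCC_SEND_RE = re.compile(r"/?dcc\s+send\s+(\S+)\s+(\S+)", re.IGNORECASE)
SCRIPT_EXTS = ("vbs", "vbe", "js", "jse", "wsf")


def parse_run_entries(reg_output):
    """Return [(value_name, data), ...] from `reg query`-style text."""
    entries = []
    for line in reg_output.splitlines():
        m = RUN_VALUE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _command_path(data):
    """Extract the executable path from a Run value (quoted or first token)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0]


def suspicious_run_entries(reg_output):
    """Flag Run values that start a script interpreter or a file in a drive root.

    Returns [(value_name, path, [reasons]), ...].
    """
    flagged = []
    for name, data in parse_run_entries(reg_output):
        path = _command_path(data)
        ext = path.lower().rsplit(".", 1)[-1] if "." in path else ""
        in_drive_root = re.match(r"^[A-Za-z]:\\[^\\]+$", path) is not None
        reasons = []
        if ext in SCRIPT_EXTS:
            reasons.append("script interpreter autostart")
        if in_drive_root:
            reasons.append("file in drive root")
        if reasons:
            flagged.append((name, path, reasons))
    return flagged


def _script_lines(text):
    """Yield code lines; script.ini stores each as nN=<code>, .mrc files do not."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or line.startswith(";"):
            continue
        m = re.match(r"^n\d+=(.*)$", line)
        yield m.group(1) if m else line


def find_join_dcc_senders(text):
    """Return [(target, filename), ...] for every DCC send inside an on-JOIN handler.

    Handles both one-line handlers and brace blocks spanning several lines.
    """
    hits, depth, body = [], 0, []
    for line in _script_lines(text):
        if depth == 0:
            if not ON_JOIN_RE.match(line):
                continue          # not inside a JOIN handler, skip
            body = []
        body.append(line)
        depth += line.count("{") - line.count("}")
        if depth <= 0:            # handler closed: inspect its body
            depth = 0
            for m in DCC_SEND_RE.finditer(" ".join(body)):
                hits.append((m.group(1), m.group(2)))
            body = []
    return hits


if __name__ == "__main__":
    for name, path, reasons in suspicious_run_entries(SAMPLE_RUN_KEY):
        print(f"Run value {name!r} -> {path}: {', '.join(reasons)}")
    for target, filename in find_join_dcc_senders(SAMPLE_SCRIPT_INI):
        print(f"JOIN handler DCC-sends {filename} to {target}")
```

On a live host, feed `suspicious_run_entries` the output of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and `find_join_dcc_senders` the contents of each script.ini found under the mIRC directories listed above; the on-JOIN plus `dcc send` pairing is the behaviour to look for, and the exact file names may differ from the sample.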