Email-Worm.Win32.Valcard

Class Email-Worm
Platform Win32
Description

Technical Details

This is a virus-worm that spreads via the Internet as an attachment to infected
e-mails. The worm itself is a Windows PE EXE file about 97Kb in length
(compressed by UPX, about 132K when decompressed), and it is written in Visual Basic.

Spreading

To send infected messages, the worm uses MS Outlook, and sends messages to all
addresses found in the Outlook address book. The infected messages appear as follows:

The Subject is randomly selected from the following variants:

Secret Admirer
Somebody Loves You
Romance from Afar
Love at first sight
…when sleepers wake and yet still dream…
Be Mine ?!
Yours Always
Happy Valentines
From Me To You
Thy eternal summer shall not fade
I can express no kinder sign of love, than this kind kiss
Poetry is an echo, asking a shadow to dance
O, beauty, till now I never knew thee!
Romantic gesture
Good night, sweet prince, and flights of angels sing thee to thy rest

The message Body, followed by a “user name”, is selected from the following variants:

Happy Valentines
I hope you like the card I’ve attached,
even if you don’t feel the same.

Febuary Feelings
It’s that time of year again.
But I’m still only sedning a card to you.
Happy Valentines
I hope you like the card I’ve attached,
even if you don’t feel the same.

Hi
I feel like a child sending you this card
but I just had to do it.
Happy Valentines
I hope you like the card I’ve attached,
even if you don’t feel the same.

…and every breath I ever took,
every tear I ever wept,
Every star I wished upon,
Seemed nothing until now.
Happy Valentines
I hope you like the card I’ve attached,

In this life we cannot do great things.
We can only do small things with great love.
Happy Valentines
I hope you like the card I’ve attached,
even if you don’t feel the same.

Attachment: ValentineCard.exe
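
A mail-gateway triage check built from the subject list and attachment name above, as an added example rather than code from the original description. The `triage` and `sample` helpers and the block/review/pass verdicts are assumptions, and the test messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the description above.
SUBJECTS = {s.casefold() for s in (
    "Secret Admirer", "Somebody Loves You", "Romance from Afar",
    "Love at first sight", "…when sleepers wake and yet still dream…",
    "Be Mine ?!", "Yours Always", "Happy Valentines", "From Me To You",
    "Thy eternal summer shall not fade",
    "I can express no kinder sign of love, than this kind kiss",
    "Poetry is an echo, asking a shadow to dance",
    "O, beauty, till now I never knew thee!", "Romantic gesture",
    "Good night, sweet prince, and flights of angels sing thee to thy rest",
)}
ATTACHMENT = "valentinecard.exe"

def triage(raw: bytes) -> dict:
    """Report which Valcard mail indicators a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Collapse whitespace and ignore case before comparing the subject.
    subject = " ".join(str(msg["Subject"] or "").split()).casefold()
    # walk() visits nested multipart parts as well as the top level.
    names = [(p.get_filename() or "").strip().casefold() for p in msg.walk()]
    hits = {"subject": subject in SUBJECTS, "attachment": ATTACHMENT in names}
    # The attachment name is the strong signal; the subjects are common phrases
    # (hypothetical policy: block on attachment, review on subject alone).
    hits["verdict"] = ("block" if hits["attachment"]
                       else "review" if hits["subject"] else "pass")
    return hits

def sample(subject, filename=None) -> bytes:
    """Build a constructed test message (not captured worm traffic)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Happy Valentines")
    if filename:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(sample("Secret Admirer", "ValentineCard.exe")))
    print(triage(sample("Quarterly report", "report.pdf")))
```
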

Installing

The worm activates from an infected e-mail only when a user clicks on the attached
file. The worm then installs itself to the system and runs its spreading routine
and payload.

While installing, the worm copies itself to the Windows system directory under the
name “ValentineCard.exe”, and registers that file in the system registry auto-run
key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
14th = %SystemDir%\ValentineCard.exe

where %SystemDir% is the Windows system directory.

Payload

Upon being installed, the worm writes a “not a first run” registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion
Valentine = true

and then operates depending on this key’s presence. Because of a bug, on any run
(first run, second run, …), the worm does the same thing: it creates
“C:\evil.jpg”, writes sound data to it and opens it. Because the file has
the wrong extension (“.jpg” picture, not “.wav” sound), the system fails to accept
it. If this file is renamed to “.wav”, it plays the “Somebody loves you”
phrase.

The worm should also (but fails) create the “C:\1.wav” file, and open its window.
The worm’s program window should have a moving title:

I Love You !

On the “About” button, it should display the following message:

Flash Player
Flash Player 4.0
Copywrite (C) 1996-1999 Macromedia, Inc.
http://www.macromedia.com

On Thursdays, the worm should (but fails) restart Windows.