Email-Worm.Win32.Vybab

Class Email-Worm
Platform Win32
Description

Technical Details

This worm spreads via the Internet as an attachment to infected messages. It can also infect EXE files.

It is a PE EXE file written in Borland Delphi and is approximately 140 KB in size.

Installation

When installing itself to the system, the worm creates a file named 123.txt in the Windows directory. This file contains the following text string:

babyv ; made of Ran

It also creates files in the root directory and the Windows directory. The names of these files are created from three random characters and one of the following extensions:

bat
exe
htm
rar
doc
xls

These files do not contain the body of the worm.

The worm copies itself to a temporary file named seeyou.rar in the C: root directory.

It also creates a file named echo.vbs in the Windows temporary directory. This file contains the script which enables the worm to propagate via email.
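The file artifacts listed above can be checked on a live host or a mounted disk image. The following Python script is an added example, not part of the original description: the function names and the constructed sample tree are assumptions, and three-character file names are reported only as candidates to correlate with the other findings.

```python
import re
import tempfile
from pathlib import Path

MARKER = b"babyv ; made of Ran"   # text the description says 123.txt contains
DECOY_EXTS = {"bat", "exe", "htm", "rar", "doc", "xls"}
DECOY_NAME = re.compile(r"^.{3}\.([A-Za-z]{3})$")  # three characters + extension

def find_artifacts(root, windir, tempdir):
    """Return sorted (kind, file name) findings for the artifacts listed above."""
    root, windir, tempdir = Path(root), Path(windir), Path(tempdir)
    found = []
    marker = windir / "123.txt"
    if marker.is_file() and MARKER in marker.read_bytes()[:4096]:
        found.append(("marker_file", marker.name))
    if (root / "seeyou.rar").is_file():
        found.append(("worm_copy", "seeyou.rar"))
    if (tempdir / "echo.vbs").is_file():
        found.append(("mail_script", "echo.vbs"))
    # Short decoy names are a weak signal alone; report them for correlation.
    for folder in (root, windir):
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            m = DECOY_NAME.match(entry.name)
            if m and entry.is_file() and m.group(1).lower() in DECOY_EXTS:
                found.append(("decoy_candidate", entry.name))
    return sorted(found)

def demo():
    """Build a constructed directory tree (not real samples) and scan it."""
    with tempfile.TemporaryDirectory() as base:
        root = Path(base)
        windir, tempdir = root / "WINDOWS", root / "WINDOWS" / "Temp"
        tempdir.mkdir(parents=True)
        (windir / "123.txt").write_bytes(MARKER + b"\r\n")
        (windir / "notes.txt").write_text("unrelated")      # must not match
        (windir / "q7x.doc").write_text("")                   # constructed decoy
        (root / "seeyou.rar").write_bytes(b"constructed placeholder")
        (root / "setup.exe").write_text("")                   # 5-char name, ignored
        (tempdir / "echo.vbs").write_text("' constructed placeholder")
        return find_artifacts(root, windir, tempdir)

if __name__ == "__main__":
    for kind, name in demo():
        print(kind, name)
```

On a real system, pass the drive root, the Windows directory and the Windows temporary directory as the three arguments.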

Propagation via email

Each time the worm or one of the infected files is launched, the worm sends itself to all addresses in the MS Outlook address book. Infected emails have the following characteristics:

Message header:

Microsoft Pack3, ;o)

Message text:

Hi:
This is Microsoft client server center
Check This!

Infecting EXE files

When the worm is launched for the first time, it infects EXE files located in the Program Files directory, and in the directory which the worm was launched from. It writes itself to the beginning of those files.

After this the worm searches all directories on all accessible drives and infects all EXE files found.

When an infected file is launched, the worm copies itself into the root directory of every available drive and sends itself via email. The original uninfected file is saved in the Windows temporary directory and will re-establish control once the worm finishes the infection process.