Email-Worm.Win32.Winevar

Class Email-Worm
Platform Win32
Description

Technical Details

This is the worm virus spreading via the Internet being attached to infected emails. The worm
was found in-the-wild in Korea at the end of November 2002.

The worm itself is a Windows PE EXE file about 91Kb of length written in Microsoft Visual C++.
Most of text strings in worm body are encrypted.

Installing

While installing the worm copies itself to Windows system directory with the random selected
name:

WIN%rnd%.PIF

where %rnd% is random number, and registers that file in system registry auto-run key:

HKCUSoftwareMicrosoftWindowsCurrentVersionRun
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices

There are two values written to all those keys:

.default = %worm file name%
%worm name% = %worm file name%

where %worm name% is worm file name without extentions, %worm file name% is full file name, for
example:

.default = “C:\TEMP\WIND2C2.pif”
“WINA2B3” = “C:\WINDOWS\SYSTEM\WINA2B3.pif”

It seems that “.default” duplicate is written to registry key because of a bug in worm code.

Later the worm also copies itself with EXPLORER.PIF name to the Desktop.

Spreading

To get victim emails the worm looks for *.HTM and *.DBX files and extracts emails addresses
from there except emails that have “@microsoft.” part in email address. To send infected
messages the worm uses direct connection to default SMTP server.

While sending itself the worm appends to its copy following information:

– country region ID (for example: [KOR], [RUS] – for Korea and Russia)
– current date and time
– user name and company name (as it is stored in registration information)

By using these data that is possible to trace particular worm copy “migration” process.

The infected messages have different data in email fields. Below the %RegisteredOwner% and
%RegisteredOrganization%

Subject is randomly (depending on worm “generation”) selected from variants:

Re: AVAR(Association of Anti-Virus Asia Reseachers)
N’4 %RegisteredOrganization%
N’4 Trand Microsoft Inc.

The last (third) variant is selected in case there is no “RegistreredOrganization” key in
system registry. The “N`4” combination is not decrypted “Re:” string, it seems that the worm
author just forgot to decrypt that string in corresponding routine.

The message body is also selected depending on worm generation:

%RegisteredOwner% – %RegisteredOrganization%

or:

AVAR(Association of Anti-Virus Asia Reseachers) – Report.
Invariably, Anti-Virus Program is very foolish.

Attached file names can be different, for example:

MUSIC_1.HTM, MUSIC_2.CEO
WIN40B1.TXT, WIN40B1.GIF

Where “WIN” names have random number at the end (in this case – “40B1”). At the same time
depending on email client the appearence of these attached files in the infected message may be
different.

To run from infected message the worm uses two security breaches:

Microsoft VM ActiveX Component
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment

Payload

The worm looks for anti-virus programs, firewalls and debuggers and tries to terminate them, as
well as to kill their files. In some cases (in all cases?) if an anti-virus is found, the worm
erases all files on all drives, probably because of a mistake in its code.

The worm drops to Windows system directory “WIN%Rnd%.TMP” file, writes “Win32.Funlove” virus to
there and executes this file. Thus the worm infects the machine with “Win32.Funlove” virus.

The worm displays the message:

Make a fool of oneself
What a foolish thing you have done!

In an endless loop the worm opens the http://www.symantec.com Web site (it seems that worm
tries to run DoS attack on that server).

The worm also has following encrypted text strings:

~~ Drone Of StarCraft~~
http://www.sex.com/