Email-Worm.Win32.XCod

Class Email-Worm
Platform Win32
Description

Technical Details

This is an Email/IRC worm. The worm body is a Win32 PE EXE file written in Visual Basic. The worm has too many bugs to be described well.

It copies itself to:

C:\windows\install_.exe
C:\windows\system\sysboot_.exe

and registers itself in the following Registry keys:

HKEY_CLASSES_ROOT\exefile\shell\open\command
“C:\windows\system\systray_.exe” %1 %*

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = C:\Windows\system\systray_.exe
SystemTray = C:\Windows\system\sysboot_.exe

(the last line overwrites the first one, so the first line does not remain in the system registry).

HKEY_LOCAL_MACHINE\Software\Winsysinfo
Program Name = X-Coderz
CurrentVersionNumber = X-Coderz.VBS.03.A

(it intends to write more values there, but fails).
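The registry changes listed above can be checked for in a text export of the registry. The following Python sketch is an added example, not part of the original description: it parses `reg export`-style text and flags a replaced `exefile` open handler (the Windows default value is `"%1" %*`) and Run entries that point at the worm's file names. The sample export and the function names are constructed for illustration.

```python
import re

# Indicators taken from the description above (file names written by the worm).
WORM_FILES = {"install_.exe", "sysboot_.exe", "systray_.exe"}
CLEAN_EXEFILE_HANDLER = '"%1" %*'  # Windows default for exefile\shell\open\command

# Constructed sample in "reg export" text format; not captured from a real host.
SAMPLE_EXPORT = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\windows\\system\\systray_.exe\" %1 %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="C:\\Windows\\system\\sysboot_.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
'''

def parse_reg_export(text):
    """Return {lowercased key path: {value name: string data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # Undo .reg escaping (\\ -> \ and \" -> ").
                current[m.group(1).strip('"')] = re.sub(r'\\(.)', r'\1', m.group(2))
    return keys

def find_xcod_persistence(text):
    """Return a list of (finding, registry data) tuples for the keys described above."""
    findings = []
    keys = parse_reg_export(text)
    handler = keys.get(r"hkey_classes_root\exefile\shell\open\command", {}).get("@")
    # Any handler other than the default means every EXE launch runs another program first.
    if handler is not None and handler.strip() != CLEAN_EXEFILE_HANDLER:
        findings.append(("exefile-handler-hijack", handler))
    run = keys.get(r"hkey_local_machine\software\microsoft\windows\currentversion\run", {})
    for name, data in run.items():
        exe = re.split(r'[\\/]', data.strip('"').split('" ')[0])[-1].lower()
        if exe in WORM_FILES:
            findings.append(("run-key:" + name, data))
    return findings

if __name__ == "__main__":
    for finding in find_xcod_persistence(SAMPLE_EXPORT):
        print(finding)
```

If the `exefile` handler has been replaced, it has to be restored to the default value as part of cleanup; otherwise EXE files will not start once the referenced file is removed.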

The messages sent by e-mail (the worm also fails to do that) carry the INSTALL_.EXE file as an attachment; the message subject and text are selected from the following variants:


Hey
Hey, How Are Things? I’m Writing This E-Mail To Let You Know Of An
Attachment Im Sending With The Next Mail You Will Probably Find. It Very
Useful. I did! See You Soon

Hey Its Me Again,Here You Go Its The Installation Program For An Adults
Only Explicit Screensaver (Pornographic)

Hey Its Me Again,Here You Go Its The Installation Program For An Outlook
Express Security Upgrade

Hey Its Me Again,Here You Go Its The Installation Program For A Microsoft
Explorer Patch V7.5 (Required For Many Sites)

Hey Its Me Again,Here You Go Its The Installation Program For A Cool Game
I Found On The Web, Try It!

Hey Its Me Again,Here You Go Its The Installation Program For An
Excellent MP3 Player With Plug-Ins LIMITED EDITION

To spread itself through IRC channels the worm affects the mIRC client in the C:\Mirc directory. The worm (successfully) writes a SCRIPT.INI file with commands that send a copy of the worm, named “installx2.exe”, to IRC channels, along with the message:


You gotta see this. Talk about hard core, jesus!! This is kinky at its
best… you gotta see this, just look at it!!

The worm deletes Norton Anti-Virus data files: C:\Program Files\Norton AntiVirus\*.dat

On June 22 the worm intends to display (but fails) the message box:

X-Coderz VBS Virus 0.3
X-Coderz Have Taken Control

then:

X-Coderz???
Remove Virus From Your System?

and then:

X-Coderz
FUCK YOU!!!!!!