
Worm_winevar.a

  • 28-11-2002 12:44pm
    #1
    Closed Accounts Posts: 8,478 ✭✭✭


    2. Destructive Internet Worm - WORM_WINEVAR.A (Medium Risk)
    WORM_WINEVAR.A is a destructive Internet worm that runs on all Windows platforms. It uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate via email. It sends email messages with random subjects to addresses listed in the HTML files of the infected user's system. When sending email it uses a known exploit that causes the attachment to automatically execute when the message is viewed or previewed on Internet Explorer-based email clients, such as Microsoft Outlook and Outlook Express. This exploit is known as Automatic Execution of Embedded MIME type. This worm is capable of terminating monitoring programs and antivirus products from system memory, and it deletes all files in local drives.

    Upon execution, this worm creates a copy of itself in the Windows system folder as WIN<Random numeric value>.PIF. Due to the use of the random string, a new copy of this worm is created in the Windows system folder every time it is executed. It also drops a copy of itself in the Desktop folder as EXPLORER.PIF.

    It then creates autostart entries in the registry using the generated file name as the name of the entries. These registry entries allow the dropped copy to execute at startup. After the worm installs itself, it gathers email addresses from HTML files on the system. The email addresses saved in the registry entry are removed upon every subsequent execution and replaced with newly found email addresses. It then uses the default SMTP server to send out email messages containing an attached copy of itself to all the gathered addresses.

    On the next bootup, this worm displays a message box containing the following text strings:

    Header: Make a fool of oneself
    Body: What a foolish thing you have done!

    Once the user clicks the OK button, this worm deletes all files from local drives, except files that are currently running on the system.

    If no Internet connection is detected, this worm simply drops the file AAVAR.PIF in the Windows system folder, which is a slightly modified version of PE_FUNLOVE.4099. It executes the dropped virus to infect all .EXE files in all folders, except the Windows and Program Files folders.

    The subject lines of the email messages sent by the worm are constructed in two ways. The first subject format is used 33% of the time, meaning that it generates this subject once in every 3 email messages (where <Registered Owner> is the registered owner of the machine and <Registered Organization> is the organization of the owner):


    Subject: AVAR (Association of Anti-Virus Asia Researcher)
    Message Body: <Registered Owner> - <Registered Organization>
    Attachments:
    WIN<random numeric value>.GIF (120 bytes)
    WIN<random numeric value>.TXT (12.6 KB)
    MUSIC_2.CEO
    MUSIC_1.HTM

    The second subject line format is used 66% of the time. It generates 2 email messages of this subject format in every 3 (where <Registered Owner> is the registered owner of the machine and <Registered Organization> is the organization of the owner):

    Subject: <Registered Organization>
    Message Body: <Registered Owner> - <Registered Organization>
    Attachments:
    WIN<random numeric value>.GIF (120 bytes)
    WIN<random numeric value>.TXT (12.6 KB)
    MUSIC_2.CEO
    MUSIC_1.HTM

    However, at the time of this writing, the virus has a bug that prevents it from completely decoding the second email subject, resulting in its first four generated characters being unintelligible. Therefore, most of the email it sends arrives with the subject format N`4_<Registered Organization>.
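An added example, not from the post or from the advisory it quotes: a small Python mail-gateway check that flags messages carrying the subject and attachment indicators described above (the AVAR subject, the garbled N`4_ prefix, the WIN<digits>.GIF/.TXT pair, MUSIC_1.HTM and MUSIC_2.CEO). The `Message` type and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the WORM_WINEVAR.A description above.
AVAR_SUBJECT = "AVAR (Association of Anti-Virus Asia Researcher)"
GARBLED_PREFIX = "N`4_"  # first four characters of the buggy second subject format
ATTACHMENT_PATTERNS = [
    re.compile(r"^WIN\d+\.GIF$", re.I),
    re.compile(r"^WIN\d+\.TXT$", re.I),
    re.compile(r"^MUSIC_2\.CEO$", re.I),
    re.compile(r"^MUSIC_1\.HTM$", re.I),
]

@dataclass
class Message:            # constructed type; replace with your gateway's own object
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def winevar_indicators(msg: Message) -> list:
    """Return the list of WINEVAR.A indicators present in one message."""
    hits = []
    if msg.subject == AVAR_SUBJECT:
        hits.append("subject:avar")
    elif msg.subject.startswith(GARBLED_PREFIX):
        hits.append("subject:garbled-org")
    # The clean second format (subject == organisation name) is not distinguishable by subject alone.
    matched = {p.pattern for p in ATTACHMENT_PATTERNS for a in msg.attachments if p.match(a)}
    if len(matched) >= 2:  # a lone WINnnn.TXT is too weak; the worm sends the set together
        hits.append("attachments:%d" % len(matched))
    if re.fullmatch(r".+ - .+", msg.body.strip()):  # "<owner> - <organisation>" body
        hits.append("body:owner-org")
    return hits

def is_winevar(msg: Message) -> bool:
    """Full attachment set, or a subject indicator plus a partial set; body alone is too generic."""
    hits = winevar_indicators(msg)
    has_subject = any(h.startswith("subject:") for h in hits)
    has_attachments = any(h.startswith("attachments:") for h in hits)
    return "attachments:4" in hits or (has_subject and has_attachments)

# Constructed sample messages (not real captures).
SAMPLES = [
    Message(AVAR_SUBJECT, "J. Bloggs - Example Ltd", ["WIN4821.GIF", "WIN4821.TXT", "MUSIC_2.CEO", "MUSIC_1.HTM"]),
    Message("N`4_Example Ltd", "J. Bloggs - Example Ltd", ["WIN9913.GIF", "WIN9913.TXT", "MUSIC_1.HTM", "MUSIC_2.CEO"]),
    Message("Example Ltd", "J. Bloggs - Example Ltd", ["report.pdf"]),  # ordinary mail from the same org
]
if __name__ == "__main__":
    for m in SAMPLES:
        print(repr(m.subject), "->", is_winevar(m), winevar_indicators(m))
```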


Comments

  • Closed Accounts Posts: 14,483 ✭✭✭✭daveirl


    This post has been deleted.


  • Registered Users, Registered Users 2 Posts: 4,616 ✭✭✭milltown


    But you have to admit it sounds pretty ingenious.


  • Closed Accounts Posts: 14,483 ✭✭✭✭daveirl


    This post has been deleted.


  • Closed Accounts Posts: 1,006 ✭✭✭theciscokid


    sounds beautiful, you gotta admire the will for making these,

    the expertise is incredible, requiring god-like knowledge of computer software and hardware...

    I know it's bad but we should embrace their talents


  • Closed Accounts Posts: 14,483 ✭✭✭✭daveirl


    This post has been deleted.


  • Closed Accounts Posts: 1,006 ✭✭✭theciscokid


    Originally posted by daveirl
    If anything the opposite is true and they take too little expertise to code. Most of them use wide open exploits in Outlook and anyone with a text editor, Google and a weekend to spare could write one.

    well that is true dave, but we're not talking kiddie **** here now are we, a proper virus/trojan/worm to be crafted well takes time and incredible skill (lots of it), simply exploiting outlook (why ppl still use that for personal use i dunno) doesn't make for a serious issue, and most in the wild aren't anything to worry over

