Virus Alert: I-Worm.Updater

06 Dec 2001
Virus News

Kaspersky Lab reports the detection of the latest Internet worm, I-Worm.Updater. This virus was reported last week.

Updater is written in Visual Basic Script, and the worm itself is an EXE file about 12Kb in length, compressed in a UPX utility.

The worm spreads via e-mail by gaining access to the Outlook address book. The worm, unbeknownst to a user, sends infected messages to all addresses found in Outlook.

Several message sections contain varying features.

The Subject line consists of one part taken from four sections, and is randomly selected from the following:

Section 1: "Have you ", "You Should ", "Just ", "Why Not you ", "How to ", "Re: ", "Fwd : ", " "
Section 2: "Check ", "Check out ", "Watch out ", "Open ", "Look at "
Section 3: "this ", "my ", "For this ", "The "
Section 4: "Picture", "Program", "Patch", "Nude pic", "Report", "Documment", "Quotation", "Transaction", "Bank Account", "WTC Tragedy", "Osama Vs Bush", "Account", "Private Pic"

For example: You Should (section 1) Look at (section 2) this (section 3) Osama Vs Bush (section 4)

Body:

Hi:
This is the file you ask for, Please save it to disk and open this file, it's very important.

The worm's file attachment can be named one of the following:

"Setup.EXE", "install.exe", "Readme.exe", "Files.exe", "Picture.exe", "Quotation.Doc.exe", "Letter.Doc.exe", "Picture.jpg.exe"

Updater has some troublesome side effects. The worm creates a malicious script progrm, UPDATE.VBS, copies the program to the Windows autoloading catalogue, and releases it upon completion. This program searches for files with .EXE, .DOC, and .VBS extentions on disks, and creates a file companion for them containing the worm's copy. These file companions have the same names as the original files, plus a "second" .VBS extension. For example:

MPLAYER.EXE.vbs
REPORT.DOC.vbs

For a more detailed description of I-Worm.Updater, click here.

Defense procedures thwarting the Updater Internet worm have already been added to the latest Kaspersky Anti-Virus database update.