"Cuerpo": A Stealth Worm with Perfected Spreading Technology

30 Aug 2001
Virus News

Kaspersky Lab, an international data-security software developer, announces the detection of the new polymorphic Internet worm, "Cuerpo." KL has already received several reports of infections perpetrated by this malicious program.

It is important to note that because of the effective integrated virus-intercepting technology of the Kaspersky Anti-Virus "Script Checker," no additional anti-virus database updates are necessary.

"Cuerpo" infects only those computers operating MS Windows 95/98/ME with Internet Explorer installed. The worm is delivered to a computer as an e-mail without any consistent features (theme, attached file name, message body). In addition, "Cuerpo's" program code is polymorphic, so it does not have any consistent appearance either.

The malicious program code is contained simultaneously in two parts of the message: in the invisible signature (in HTML script) and in the attached file. Both of this worm's variants take advantage of a well-known breach in Internet Explorer's security system (Scriptlet.TypeLib). If the corresponding patch, which blocks this breach, has not been installed on a computer, "Cuerpo's" first variant penetrates the computer directly when the message is read. This method has been used previously by the Internet worms "KakWorm," "BubbleBoy," and a series of others. The second worm variant is activated only if a user opens the attached file.

Upon subsequent start-up, the worm initiates system-penetrating procedures and spreads. The main peculiarity of "Cuerpo" is the simultaneous use of two means of mass spreading from infected computers. Firstly, similar to other Internet worms, "Cuerpo" gains access to Outlook and sends out its copies to all addresses found there, sending them by HTTP query to a remote Web site. At this point, the packet is processed automatically, and one more "Cuerpo" copy is sent to all located addresses. At the time of writing, the malicious Web site was still in operation; however, Kaspersky Lab has taken measures to close it quickly.

Amongst other side effects on an infected computer, "Cuerpo" changes the Internet Explorer starting address to a blank page, and in four days, the starting address again changes to "http://www.freedonation.com."

More detailed information pertaining to "Cuerpo" can be found in the Kaspersky Virus Encyclopedia.

Users may download the Internet Explorer system patch from the Microsoft company site here.