Kaspersky Lab Int. Newsletter

WINDOWS VIRUSES

NETWORK WORMS

WINDOWS VIRUSES

Win32.Devir

This is a per-process memory resident parasitic poly-morphic Win32-virus. The virus infects PE EXE files that have .EXE filename extensions. When run, the virus infects files in current directory only.

The virus also stays in the system memory as a component of the infected host program, gains access to KERNEL functions and intercepts 10 of them: file opening, copying, moving functions, etc. When a PE EXE file is accessed by these functions, the virus infects it. As a result, the virus will infect all PE EXE programs that are accessed by infected the host program, and the virus will be active until the moment the host program exits. The virus also hooks, selecting a new directory function, and infects PE EXE files in there.

The PE EXE infection method is a complex and is similar to the Win32.Driller virus. The block of host file code that is overwritten by the virus poly-morphic routine in some cases may be also compressed during infection.

The virus also contains a backdoor routine that opens an Internet connection, waits for its author's instructions and then follows them: sends/receives files, executes programs, reports system information, etc.

The virus contains the following "copyright" text:

Intruder v.0.1 by Deviator//HAZARD

NETWORK WORMS

Worm.Cheese

This is an Internet worm that replicates between systems that were previously hacked by the "Ramen" Linux worm, and not the "Lion" or "Adore" worms as it is stated in other various descriptions, or the worm itself. (see the text below) "Cheese" will also act as a "security patch" that removes the backdoors added by previous attacks, but it will not remove or patch the vulnerabilities used to hack the respective systems; thus, the machines will still remain vulnerable to the original attack(s) used to compromise them. The worm contains the following text:

> # removes rootshells running from /etc/inetd.conf
> # after a l10n infection... (to stop pesky haqz0rs
> # messing up your box even worse than it is already)
> # This code was not written with malicious intent.
> # Infact, it was written to try and do some good.

No matter how good the original intention of the author was, "Cheese" remains a piece of replicative "malware" that eats up resources such as CPU, memory, disk space or Internet bandwidth from infected systems; thus, remaining a "bad thing".
[ More... ]

Worm.Sadmind

This is an Internet-worm that replicates between Sun Sparc computers running the Solaris/SunOS operating system, and attacks Microsoft IIS v4 and 5 Web servers. Cracked Micrsoft IIS servers will have their start page replaced with one that appears as the following:

The worm was apparently written by someone with strong pro-Chinese views: "PoizonBOx" is a group of hackers that attacks and defaces US Web sites over the Internet.
[ More... ]

Worm.SadMind.b

Version "Worm.SadMind.b" of the worm is functionally identical to the .A version, except for a couple of executable utilities that seem to have been recompiled.

Worm.SadMind.c

Version "Worm.SadMind.c" of the worm differs from the other versions by the fact that the file "index.html" that is used to overwrite local "index.html" files on Solaris systems after cracking 2000 IIS servers was changed. Hacked IIS servers will appear the same way as those hacked by version .A and .B.

I-Worm.HappyTime

This Internet worm spreads in e-mail messages using MS Outlook Express as well as MSMAPI service. The worm is written in Visual Basic Script language (VBS).

The worm arrives to a computer as an e-mail message in HTML format or as plain text message with an attached HTML file. In the first case, the script code in the HTML message body automatically executes upon message opening, and the worm gains control. In the other case, a user must open the attached HTML file (double-click on it) to activate the worm.

Being activated, the worm doesn't start immediately spreading; but rather begins infecting a computer.

It modifies the desktop wallpaper with an HTML file that contains the worm code inside. If the desktop has had a background picture before infection, this picture will be shown as the background of the infected HTML and in most cases, it will not be apparent to the user that the wallpaper has been changed; thus, the worm gains control each time the desktop is displayed (for example, upon Window startup) or refreshed.

Additionally, the worm infects all .HTT files in the "WEB" subfolder of the Windows folder. Windows uses these files to customize some folders in view in Explorer when the Web mode is enabled (for example, the Program Files folder). Infection of these files causes the execution of the worm code each time a specific folder is displayed.
[ More... ]

I-Worm.Moncher

This is an Internet worm that spreads via e-mails attached as a EXE or ZIP file. The worm itself is a Win32 executable file about 37Kb in length, and written in Visual Basic. The worm is also able to spread via IRC channels.

When the worm's EXE file is being run from an attachment or from an IRC download directory, it registers itself in the system to run each time Windows starts up, and it sends infected messages. To hide itself, the worm displays two fake messages:

INSTALL
Install complete.

ERROR!
Unable to run program!

When the VBS script is run, it connects to MS Outlook, obtains the addresses from the MS Outlook Address Book, and sends messages there. The message Subject, Body and Attachment appear as follows:

Subject: With Love
Body: Whit all my love for you. :)
Attach: Winhlp.exe ��� MonCherry.zip

The worm infects the mIRC client if it is installed in the C:\MIRC directory. The worm writes a script to the SCRIPT.INI file in there that sends an infected WINHLP.EXE file to each user that enters the infected IRC channel.

On January 13th, the worm overwrites the C:\AUTOEXEC.BAT file with a DOS batch program that will format the C: drive upon the next reboot.
[ More... ]

I-Worm.Puron

This is a virus-worm that spreads via infected e-mails, and infects Windows EXE files on computers. The worm's routines have bugs, and in some cases, halt the computer and/or corrupt files while infecting them.

The worm code has the "copyright" text strings:

(c)Vecna
Vecna is a punk rocker now...

The infection routine when gains control, searches for a .EXE and .SCR Windows executable file on all local and network drives, and infects them. While infecting, it obtains a block from the file middle, compresses it, and stores the compressed data and worm code in the file so that the file length does not increase.

The worm also uses a polymorphic mutation engine to make the detection and disinfection process more complex.

To spread itself, the worm connects to a SMTP mail server, and sends infected messages to e-mail addresses. Both the SMTP server name and e-mail addresses, the worm obtains from WAB data files (Windows Address Book).

The infected messages are of HTML format and have fields:

From: "Mondo bizarro" [mourning@obituary.org]
Subject: Joey is dead, man... :-(
Text: A tribute to Joey Ramone (1951-2001)
Attach: ramones.mp3.exe

The worm uses one of the security vulnerabilities (Vulnerability identifier: CAN-2001-0154) that were found in MS Windows in 2001. The result of this breach is the possibility of spawning an attached EXE file without a user's action. When an infected e-mail is opened for reading or preview, the worm's EXE file is automatically run.
[ More... ]

I-Worm.Hydra

This is an Internet worm that spreads via e-mails being attached as an EXE file. The worm itself is a Win32 executable file about 12Kb in length, written in VisualBasic. The worm code is compressed with a UPX Win32 EXE files compression utility, and when unpacked, it becomes about 26Kb in size.

When the worm starts (when a user clicks on the attached EXE file), the worm copies itself to the Windows directory with the MSSERV.EXE name and registers that file in the Windows registry auto-run keys.

The worm then stays in the Windows memory as a hidden application (service), connects to MS Outlook and registers itself as MS Outlook "NewMail" and "ItemSend" events handler (i.e., the worm attaches itself to MS Outlook events).

On "NewMail" (a new mail has arrived), the worm looks as if it is its own message from another infected machine, and then deletes it. The worm opens the message, looks for the EXE attachment and deletes that message if the EXE attachment has the same length as the worm's EXE file.

On "ItemSend" (a message is being sent), the worm looks for already attached files, gets the first one, replaces it with its own copy, renames the attachment to .EXE, and then sends it. If the message has no attachment, the worm attaches itself with eight bytes of a random name and .EXE extenstion.

On Friday 13th, from 13:00 till 14:00, the worm also adds a text to the beginning of the message body:

[I-Worm.Hydra] ...by gl_st0rm of [mions]

The worm performs several actions to hide itself and to avoid removing its file and infected registry "Run=" keys. The worm deletes the MSCONFIG.EXE file in the Windows system directory, looks for active applications and kills them (terminates these processes):

"AVP Monitor"
"AntiVir"
"Vshwin"
"F-STOPW"
"F-Secure"
"vettray"
"InoculateIT"
"Norman Virus Control"
"navpw32"
"Norton AntiVirus"
"Iomon98"
"AVG"
"NOD32"
"Dr.Web"
"Amon"
"Trend PC-cillin"
"File Monitor"
"Registry Monitor"
"Registry Editor"
"Task Manager"

As a result, the worm disables several types of anti-virus protections, as well as immediately closes Registry editors upon their start-up.

The worm also kills Kaspersky Anti-Virus (former AVP) anti-virus databases
[ More... ]

I-Worm.Mari

This is an Internet worm that spreading via e-mails being attached as an EXE file. The worm itself is a Win32 executable file about 12Kb in length, written in VisualBasic. To spread, the worm connects to MS Outlook, obtains the e-mail addresses from the address book, then sends messages to these addresses. The infected messages contain the following:

Subject: Hi!
Body: check this out!!!
Attach: system32.exe

The worm also installs itself to the system. It copies itself to \Windows and to \WinNT directory with SYSTEM32.EXE name. The worm copies itself to the directory on the current drive, and fails to spread further if it is run not on the C: drive (in the instance when the temporary directory where the worm copy is saved from an infected message is not on the C: drive). The worm also fails to infect the system in case Windows is installed in a directory with another name.

The worm then stays in the Windows memory as a hidden (service) process and creates the "marijuana" icon in-tray:

Upon a mouse click on the icon, the worm displays the message:

IMPORTANT: PLEASE READ

I think i speak for every pot smoker in North America when i say: *Legalize Marijuana*...I mean if people with AIDS, Cancer and other deaises can use it then why cant the rest of us (pot smokers) use it?, I dont think that's very fair (Do you?). If it's legal to grow and use in places like: Australia (for personal use) then why not in North America? If doctors are useing it as a treatment for illness then it must not be *THAT* harmful (So why can't other people use it?). I really do think the federal goverment should consider legalization of marijuana. Well that's really all i have to say on the matter, but i do hope somebody, somewhere listens to what i have to say and does not just regard this as just another *virus* because it's more then that, it's a message, a message for freedom, the freedom to smoke up and have the chose to do so *WITHOUT* fear of punishment from the law and the goverment. Thank you for your time.

At 4:20 and 16:20, the worm displays the message box:

[