
Virus Alert: I-Worm.Updater

December 7, 2001


Kaspersky Lab reports the detection of the latest Internet worm, I-Worm.Updater. This virus was reported last week.

Updater is written in Visual Basic Script, and the worm itself is an EXE file about 12Kb in length, compressed with the UPX utility.

The worm spreads via e-mail by gaining access to the Outlook address book. Without the user's knowledge, it sends infected messages to all addresses found in Outlook.

Several parts of the message vary from one copy to the next.

The Subject line is assembled from four sections, with one part randomly selected from each of the following:

Section 1: "Have you ", "You Should ", "Just ", "Why Not you ", "How to ", "Re: ", "Fwd : ", " "
Section 2: "Check ", "Check out ", "Watch out ", "Open ", "Look at "
Section 3: "this ", "my ", "For this ", "The "
Section 4: "Picture", "Program", "Patch", "Nude pic", "Report", "Documment", "Quotation", "Transaction", "Bank Account", "WTC Tragedy", "Osama Vs Bush", "Account", "Private Pic"

For example: You Should (section 1) Look at (section 2) this (section 3) Osama Vs Bush (section 4)

Body:

Hi:
This is the file you ask for, Please save it to disk and open this file, it's very important.

The worm's file attachment can be named one of the following:

"Setup.EXE", "install.exe", "Readme.exe", "Files.exe", "Picture.exe", "Quotation.Doc.exe", "Letter.Doc.exe", "Picture.jpg.exe"

Updater has some troublesome side effects. The worm creates a malicious script program, UPDATE.VBS, copies it to the Windows startup (autoload) folder, and launches it upon completion. This program searches disks for files with .EXE, .DOC, and .VBS extensions and creates a companion file for each one, containing a copy of the worm. These companion files have the same names as the original files, plus a "second" .VBS extension. For example:

MPLAYER.EXE.vbs
REPORT.DOC.vbs
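
The indicators listed above (the four-section Subject grammar, the attachment names, and the double-extension companion files) can be checked mechanically. The following Python is an added example, not part of the Kaspersky alert; the function names, the case-insensitive matching, and the sample messages are assumptions made for illustration.

```python
import re

# Indicator strings copied from the alert above, spelling as reported.
S1 = ["Have you ", "You Should ", "Just ", "Why Not you ", "How to ", "Re: ", "Fwd : ", " "]
S2 = ["Check ", "Check out ", "Watch out ", "Open ", "Look at "]
S3 = ["this ", "my ", "For this ", "The "]
S4 = ["Picture", "Program", "Patch", "Nude pic", "Report", "Documment", "Quotation",
      "Transaction", "Bank Account", "WTC Tragedy", "Osama Vs Bush", "Account",
      "Private Pic"]
ATTACHMENTS = {"setup.exe", "install.exe", "readme.exe", "files.exe", "picture.exe",
               "quotation.doc.exe", "letter.doc.exe", "picture.jpg.exe"}

def _alt(parts):
    # Regex alternation over one section; the blank entry in section 1 is dropped
    # because that section is made optional in the full pattern.
    return "(?:" + "|".join(re.escape(p.strip()) for p in parts if p.strip()) + ")"

SUBJECT_RE = re.compile(
    "(?:%s )?%s %s %s" % (_alt(S1), _alt(S2), _alt(S3), _alt(S4)), re.IGNORECASE)

def subject_matches(subject):
    # Collapse runs of whitespace so spacing differences do not defeat the match.
    return SUBJECT_RE.fullmatch(" ".join(subject.split())) is not None

def attachment_matches(name):
    return name.strip().lower() in ATTACHMENTS

def is_companion(filename):
    # Companion copies keep the original name and add a second .vbs extension.
    return re.search(r"\.(?:exe|doc|vbs)\.vbs$", filename, re.IGNORECASE) is not None

def score_message(subject, attachments):
    hits = []
    if subject_matches(subject):
        hits.append("subject")
    if any(attachment_matches(a) for a in attachments):
        hits.append("attachment")
    return hits

if __name__ == "__main__":
    # Constructed sample messages (not real traffic).
    samples = [("You Should Look at this Osama Vs Bush", ["Picture.jpg.exe"]),
               ("Fwd : Check out my Report", ["Readme.exe"]),
               ("Minutes from Tuesday", ["minutes.doc"])]
    for subj, atts in samples:
        print(repr(subj), atts, "->", score_message(subj, atts))
    for f in ["MPLAYER.EXE.vbs", "REPORT.DOC.vbs", "logon.vbs"]:
        print(f, "->", is_companion(f))
```

A message that matches on both the subject and the attachment name is a much stronger signal than either alone, since subjects such as "Re: Open The Report" can occur in ordinary mail.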


Protection against the Updater Internet worm has already been added to the latest Kaspersky Anti-Virus database update.
