Skip to main content

Virus Alert: I-Worm.Updater

December 7, 2001

Kaspersky Labs reports the detection of the latest Internet worm, I-Worm.Updater. This virus was reported last week. Updater is written in Visual Basic Script, and the worm itself is an EXE file about 12Kb in length, compressed in a UPX utility. The worm spreads via e-mail by gaining access to the...

Kaspersky Lab reports the detection of the latest Internet worm, I-Worm.Updater. This virus was reported last week.

Updater is written in Visual Basic Script, and the worm itself is an EXE file about 12Kb in length, compressed in a UPX utility.

The worm spreads via e-mail by gaining access to the Outlook address book. The worm, unbeknownst to a user, sends infected messages to all addresses found in Outlook.

Several message sections contain varying features.

The Subject line consists of one part taken from four sections, and is randomly selected from the following:

Section 1: "Have you ", "You Should ", "Just ", "Why Not you ", "How to ", "Re: ", "Fwd : ", " "
Section 2: "Check ", "Check out ", "Watch out ", "Open ", "Look at "
Section 3: "this ", "my ", "For this ", "The "
Section 4: "Picture", "Program", "Patch", "Nude pic", "Report", "Documment", "Quotation", "Transaction", "Bank Account", "WTC Tragedy", "Osama Vs Bush", "Account", "Private Pic"

For example: You Should (section 1) Look at (section 2) this (section 3) Osama Vs Bush (section 4)

Body:

Hi:
This is the file you ask for, Please save it to disk and open this file, it's very important.

The worm's file attachment can be named one of the following:

"Setup.EXE", "install.exe", "Readme.exe", "Files.exe", "Picture.exe", "Quotation.Doc.exe", "Letter.Doc.exe", "Picture.jpg.exe"

Updater has some troublesome side effects. The worm creates a malicious script progrm, UPDATE.VBS, copies the program to the Windows autoloading catalogue, and releases it upon completion. This program searches for files with .EXE, .DOC, and .VBS extentions on disks, and creates a file companion for them containing the worm's copy. These file companions have the same names as the original files, plus a "second" .VBS extension. For example:

MPLAYER.EXE.vbs
REPORT.DOC.vbs

For a more detailed description of I-Worm.Updater, click here.

Defense procedures thwarting the Updater Internet worm have already been added to the latest Kaspersky Anti-Virus database update.

Virus Alert: I-Worm.Updater

Kaspersky Labs reports the detection of the latest Internet worm, I-Worm.Updater. This virus was reported last week. Updater is written in Visual Basic Script, and the worm itself is an EXE file about 12Kb in length, compressed in a UPX utility. The worm spreads via e-mail by gaining access to the...
Kaspersky logo

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Related Articles Press Releases