FRISK Software International


Summary of W32/Ardurk.A@mm
Length: 13,312 bytes
Infectable objects: HTML files with .HTM extension
Discovered: 7 May 2003
Definition files: 7 May 2003
Risk Level: Low
Distribution: Low
Payload: Shares each hard drive on the user's computer
 

Brief Description
W32/Ardurk.A@mm is a mass-mailing worm that also infects .HTM files and shares every drive it finds on the infected computer. For each .HTM file it infects, it drops an additional copy of itself on the user's computer and inserts an OBJECT tag into the file, so that opening the page also runs the worm. It creates a Run key under:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Namesd"="path_to_virus\virus_name.extension"

The worm collects e-mail addresses both from the Windows Address Book and by examining the content of .HTM files present on the user's computer.


Technical Description
Ardurk.A@mm is a mass-mailing worm with additional spreading methods. Apparently written in assembly language, it is 13,312 bytes long. The first thing the worm does is decrypt its body, which is protected with a simple XOR encryption. It then locates the API functions it needs in memory and maps the relevant DLL files. The worm retrieves the NetBIOS name of the infected computer and obtains the address of the SMTP server the computer uses by the common technique of looking up a subkey under the following registry key:
"Software\Microsoft\Internet Account Manager\Accounts".

The worm retrieves the system directory of the infected computer and copies the original worm file there under the same name. This copy is registered as a service on the infected system and later executed, leaving it running in memory.
Creating the service affects several registry keys, some of which are shown below. Note the service parameters: "Type"=dword:00000110 is SERVICE_WIN32_OWN_PROCESS (0x10) combined with SERVICE_INTERACTIVE_PROCESS (0x100), "Start"=dword:00000002 is SERVICE_AUTO_START, and "ObjectName"="LocalSystem" means the worm runs with LocalSystem privileges at every boot:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_(original_name_of_virus.extension)]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_(original_name_of_virus.extension)\0000]
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"ConfigFlags"=dword:00000000
"DeviceDesc"="(original_name_of_virus.extension)"
"Legacy"=dword:00000001
"Service"="(original_name_of_virus.extension)"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\(original_name_of_virus.extension)]
"DisplayName"="(original_name_of_virus.extension)"
"ErrorControl"=dword:00000000
"ImagePath"=(Path to virus in hex format)
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000110

After comparing its command line parameters to a string contained within the worm's body, the worm displays a fake error message with the following format:

Caption:
"Error System Seting"
Text:
"The object can't accept the call because its initialize function or equivalent has not be called."

After that the original copy terminates, leaving the service copy running in memory. The worm's main routines come into action once it has been successfully installed on the system.

Once installed and running as a service, the worm starts its main routines. The first is to register an EXE class object with OLE, which is later referenced when the worm infects .HTM files; a new class object is registered for each .HTM file the worm infects. The worm searches each drive and all subfolders for files with an .HTM extension. When such a file is located, the worm creates another copy of itself under a random name and registers an object class for that copy by creating a registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{Worm_generated_class_ID}]
Value="path_to_file\random_file_name.exe"

The .HTM file is infected by adding the following tag, at the top of the file:
<OBJECT type="application/x-oleobject"CLASSID="CLSID:Worm_generated_class_ID"></OBJECT>

As well as infecting .HTM files, the worm will harvest e-mail addresses from those files in order to send out infected e-mails later on.
The worm also creates a Run key in the registry to further ensure that it is executed each time the machine is rebooted:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Namesd"="path_to_virus\virus_name.extension"


The worm shares every drive it finds on the infected machine with default "null session access", meaning all drives on an infected machine are open to anonymous access over the network. It accomplishes this by adding entries under the following key:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares]
"drive_name"=hex(7):... (a REG_MULTI_SZ value, exported as hex; decoded, the share definition reads:)
  CSCFlags=0
  MaxUses=4294967295
  Path=drive_name:\
  Permissions=0
  Remark=drive_name
  Type=0
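Triage helpers for the footprint described in this section: the service entry registered at installation, the CLSID registration and OBJECT tag used to infect .HTM files, and the lanmanserver Shares entries. This is an added example written for this page, not code from FRISK or from the worm. It parses a constructed fragment of a regedit (.reg) export in which the service name, file names, drive letter and CLSID are placeholders, together with a constructed .HTM file, and flags the three indicator types offline. The hex(2)/hex(7) values are how regedit exports REG_EXPAND_SZ and REG_MULTI_SZ data (UTF-16LE, null-terminated), which is why the page's ImagePath and Shares values appear "in hex format".

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a regedit export shaped like the keys listed on this page.
# "worm.exe", "kjhgf.exe", drive "C" and the CLSID are placeholders, not real indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\worm.exe]
"DisplayName"="worm.exe"
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,73,00,79,00,\
  73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,6f,00,72,00,6d,00,2e,00,65,00,78,00,\
  65,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000110

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}]
@="C:\\WINNT\\system32\\kjhgf.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares]
"C"=hex(7):43,00,53,00,43,00,46,00,6c,00,61,00,67,00,73,00,3d,00,30,00,00,00,4d,00,61,00,\
  78,00,55,00,73,00,65,00,73,00,3d,00,34,00,32,00,39,00,34,00,39,00,36,00,37,00,32,00,\
  39,00,35,00,00,00,50,00,61,00,74,00,68,00,3d,00,43,00,3a,00,5c,00,00,00,50,00,65,00,\
  72,00,6d,00,69,00,73,00,73,00,69,00,6f,00,6e,00,73,00,3d,00,30,00,00,00,52,00,65,00,\
  6d,00,61,00,72,00,6b,00,3d,00,43,00,00,00,54,00,79,00,70,00,65,00,3d,00,30,00,00,00,\
  00,00
'''

# Constructed .HTM file carrying the tag format described above (same placeholder CLSID).
SAMPLE_HTM = '''<OBJECT type="application/x-oleobject"CLASSID="CLSID:11111111-2222-3333-4444-555555555555"></OBJECT>
<html><body>Constructed test page, contact webmaster@example.invalid</body></html>'''


def _unescape(s: str) -> str:
    # .reg quoted strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_value(raw: str) -> object:
    """Decode one .reg value: quoted string, dword, or hex(N) byte data."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)', raw)
    if not m:
        return raw
    kind = int(m.group(1) or 3)                       # bare "hex:" is REG_BINARY (type 3)
    data = bytes.fromhex(m.group(2).replace(',', ''))
    if kind in (1, 2, 7):                             # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
        parts = [p for p in data.decode('utf-16-le').split('\x00') if p]
        return parts if kind == 7 else (parts[0] if parts else '')
    return data


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {lower-cased key path: {value name: value}}; the default value is '@'."""
    text = re.sub(r',\\\r?\n\s*', ',', text)         # rejoin the wrapped hex lines regedit emits
    keys: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None:
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)', line)
            if m:
                name = '@' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
                keys[current][name] = parse_value(m.group(2))
    return keys


def suspicious_services(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Auto-start (Start=2) LocalSystem services whose Type has the interactive bit 0x100 set."""
    found = []
    for path, vals in keys.items():
        m = re.search(r'\\services\\([^\\]+)$', path)
        if (m and int(vals.get('Type', 0)) & 0x100 and vals.get('Start') == 2
                and vals.get('ObjectName') == 'LocalSystem'):
            found.append((m.group(1), str(vals.get('ImagePath', ''))))
    return found


def exposed_shares(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Shares under lanmanserver\\Shares whose Path is a whole drive and whose Permissions field is 0."""
    found = []
    for path, vals in keys.items():
        if not path.endswith(r'\services\lanmanserver\shares'):
            continue
        for name, val in vals.items():
            if isinstance(val, list):                 # decoded REG_MULTI_SZ, one "Field=value" per item
                fields = dict(item.split('=', 1) for item in val if '=' in item)
                if re.fullmatch(r'[A-Za-z]:\\', fields.get('Path', '')) and fields.get('Permissions') == '0':
                    found.append((name, fields['Path']))
    return found


OBJECT_RE = re.compile(r'<OBJECT\b[^>]*?CLASSID\s*=\s*"CLSID:\{?([0-9A-Fa-f-]{36})\}?"', re.I)


def infected_htm(htm: str, keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, Optional[object]]]:
    """CLSIDs referenced by OBJECT tags, resolved to the server registered under HKLM\\...\\CLSID (None if unknown)."""
    found = []
    for clsid in OBJECT_RE.findall(htm):
        key = r'hkey_local_machine\software\classes\clsid\{' + clsid.lower() + '}'
        found.append((clsid.upper(), keys.get(key, {}).get('@')))
    return found
```

On a live machine the same functions can be fed the output of `reg export` for the Services and Classes hives and the contents of each .HTM file found; a CLSID that an OBJECT tag references but that resolves to an executable in the system directory under a random name is the dropped copy the description refers to.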
The worm verifies that a network connection is present by making a hidden request to a remote website. If a network is detected, the worm attempts to execute its e-mail spreading routine. It has its own SMTP routine, enabling it to connect to a remote mail server and send out e-mails containing infected attachments. E-mails sent by W32/Ardurk.A@mm usually have the following format:

From: The From: address is sometimes faked, either as a non-existent e-mail address or as an address the worm has harvested from the infected computer.

Subject: CARTOON (random number)

Attachment: CARTOON_(random number).exe

Body: The body is an HTML file, with the following text strings:
CARTOON (random number)
The #1 Site for: Cartoons, Hentai & Anime HORNY LITTLE TOONS
EXCLUSIVE HENTAI CONTENT
EROTIC ANIME MOVIES
NEVER SEEN BEFORE CARTOON SLUTS
JAPANESE MANGA TOONS
ENTER CARTOON (random number) HERE!!
To unsubscribe click here (where here is a link to an external website)


Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International