The worm consists of two parts, the dropper and the e-mail worm itself. The dropper's job is to conceal the actual virus, or at least to try. It does this by keeping the worm code encrypted in its resource section: when executed, the dropper loads the encrypted worm code, decrypts it and writes it to the Windows directory. The worm is dropped as a DLL; to make sure it lands in the right directory on every Windows platform, the dropper uses the return value of the GetWindowsDirectoryA API function. It is vital for the worm file to be in the Windows directory because the dropper uses LoadLibraryA to load the worm code into memory and then calls a specific exported function to start the worm.
Once the worm code is running it does the following.
It creates a value called "Norton Antivirus AV" in the following registry key, pointing to the worm file that the dropper placed in the Windows directory under the name FVProtect.exe.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
It creates a mutex named "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_" to find out whether it is already running; if it is, the current process terminates.
It creates several files in the Windows directory, both ready-made templates and copies of the worm:
'zip3.tmp'
'details.txt . pif'
'zip2.tmp'
'data.rtf .scr'
'zip1.tmp'
'document.txt .exe'
'base64.tmp'
Some of these files use double extensions, to fool the user into clicking on them in the belief that they are not executables.
It then creates a thread that scans drives C: through Z:, skipping CD-ROM drives. It uses a crude name match to locate directories of interest; if it encounters a directory whose name contains any of the strings below, it copies itself into that directory:
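The persistence artifacts described above (the Run-key value and the files dropped into the Windows directory) are what an incident responder checks first on a suspect host. The following Python is an added example, not code from the original write-up: it parses a `.reg` export of the Run key (the constructed sample below uses the value name and file name the write-up gives, plus two made-up benign entries) and flags values whose program sits directly in the Windows directory root, on the assumption (a heuristic, not a fact from the page) that legitimate autostarts rarely live there. A second function checks a directory listing against the dropped-file names from the write-up. The Windows directory path is assumed to be `C:\WINDOWS`; on a live host take it from `%WINDIR%`.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINDOWS_DIR = PureWindowsPath(r"C:\WINDOWS")  # assumed; use %WINDIR% on a real host

# Constructed sample of what "reg export" writes for the Run key. The first value is the
# one the write-up describes; the other two are invented benign entries for contrast.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton Antivirus AV"="C:\\WINDOWS\\FVProtect.exe"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# File names the write-up says the worm drops into the Windows directory (lower-cased).
DROPPED_NAMES = {
    "fvprotect.exe", "zip1.tmp", "zip2.tmp", "zip3.tmp", "base64.tmp",
    "details.txt . pif", "data.rtf .scr", "document.txt .exe",
}

# Constructed directory listing of C:\WINDOWS with three of the dropped names present.
SAMPLE_WINDIR_LISTING = [
    "explorer.exe", "FVProtect.exe", "details.txt . pif", "zip1.tmp", "win.ini", "notepad.exe",
]


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; only REG_SZ lines are handled."""
    keys, current = {}, None
    value_re = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = value_re.match(line)
            if m:
                # Undo .reg escaping: \" -> " and \\ -> \
                name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
                data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
                keys[current][name] = data
    return keys


def executable_path(command):
    """Return the program path from a Run value: the quoted part, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def suspicious_run_values(reg_text, windows_dir=WINDOWS_DIR):
    """Flag Run values whose program lives directly in the Windows directory root,
    or whose file name is one of the dropped names. Returns [(value_name, path), ...]."""
    hits = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        exe = PureWindowsPath(executable_path(data))
        # PureWindowsPath compares case-insensitively, as Windows does.
        if exe.parent == windows_dir or exe.name.lower() in DROPPED_NAMES:
            hits.append((name, str(exe)))
    return hits


def dropped_files_present(listing):
    """Return the subset of the dropped-file names found in a Windows directory listing."""
    return {fn.lower() for fn in listing if fn.lower() in DROPPED_NAMES}


if __name__ == "__main__":
    for name, path in suspicious_run_values(SAMPLE_REG_EXPORT):
        print(f"suspicious Run value {name!r} -> {path}")
    print("dropped files present:", sorted(dropped_files_present(SAMPLE_WINDIR_LISTING)))
```

The Run-key heuristic will also surface the occasional legitimate program installed into the Windows root, so treat its output as a triage list; the dropped-file check is specific to this variant.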
my shared folder
kazaa
mule
donkey
morpheus
lime
bear
icq
shar
upload
http
htdocs
ftp
download
It uses one of the names below for the copied files. Many of them again use double extensions, to increase the likelihood that an unsuspecting user executes them.
Kazaa Lite 4.0 new.exe
Britney Spears Sexy archive.doc.exe
Kazaa new.exe
Britney Spears porn.jpg.exe
Harry Potter all e.book.doc.exe
Britney sex xxx.jpg.exe
Harry Potter 1-6 book.txt.exe
Britney Spears blowjob.jpg.exe
Harry Potter e book.doc.exe
Britney Spears cumshot.jpg.exe
Harry Potter.doc.exe
Britney Spears fuck.jpg.exe
Harry Potter game.exe
Britney Spears.jpg.exe
Harry Potter 5.mpg.exe
Britney Spears and Eminem porn.jpg.exe
Matrix.mpg.exe
Britney Spears Song text archive.doc.exe
Britney Spears full album.mp3.exe
Eminem.mp3.exe
Britney Spears.mp3.exe
Eminem Song text archive.doc.exe
Eminem Sexy archive.doc.exe
Eminem full album.mp3.exe
Eminem Spears porn.jpg.exe
Ringtones.mp3.exe
Eminem sex xxx.jpg.exe
Ringtones.doc.exe
Eminem blowjob.jpg.exe
Altkins Diet.doc.exe
Eminem Poster.jpg.exe
American Idol.doc.exe
Cloning.doc.exe
Saddam Hussein.jpg.exe
Arnold Schwarzenegger.jpg.exe
Windows 2003 crack.exe
Windows XP crack.exe
Adobe Photoshop 10 crack.exe
Microsoft WinXP Crack full.exe
Teen Porn 15.jpg.pif
Adobe Premiere 10.exe
Adobe Photoshop 10 full.exe
Best Matrix Screensaver new.scr
Porno Screensaver britney.scr
Dark Angels new.pif
XXX hardcore pics.jpg.exe
Microsoft Office 2003 Crack best.exe
Serials edition.txt.exe
Screensaver2.scr
Full album all.mp3.pif
Ahead Nero 8.exe
netsky source code.scr
E-Book Archive2.rtf.exe
Doom 3 release 2.exe
How to hack new.doc.exe
Learn Programming 2004.doc.exe
WinXP eBook newest.doc.exe
Win Longhorn re.exe
Dictionary English 2004 - France.doc.exe
RFC compilation.doc.exe
1001 Sex and more.rtf.exe
3D Studio Max 6 3dsmax.exe
Keygen 4 all new.exe
Windows 2000 Sourcecode.doc.exe
Norton Antivirus 2005 beta.exe
Gimp 1.8 Full with Key.exe
Partitionsmagic 10 beta.exe
Star Office 9.exe
Magix Video Deluxe 5 beta.exe
Clone DVD 6.exe
MS Service Pack 6.exe
ACDSee 10.exe
Visual Studio Net Crack all.exe
Cracks & Warez Archiv.exe
WinAmp 13 full.exe
DivX 8.0 final.exe
Opera 11.exe
Internet Explorer 9 setup.exe
Smashing the stack full.rtf.exe
Ulead Keygen 2004.exe
Lightwave 9 Update.exe
The Sims 4 beta.exe
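A defender can turn the directory-name list and the file-naming habit described above into a simple scan of a host or a file share. The Python below is an added example, not code from the original write-up: it walks a directory tree, applies the same crude substring match to directory names that the write-up attributes to the worm, and reports executables found there, escalating names with a decoy extension followed by an executable one (whitespace around the dots is tolerated, matching the dropped-file style). The sample tree is constructed in a temporary directory so the example runs offline.

```python
import os
import re
import tempfile

# Directory-name fragments from the write-up; the worm copies itself into matching directories.
SHARE_DIR_MARKERS = [
    "my shared folder", "kazaa", "mule", "donkey", "morpheus", "lime", "bear",
    "icq", "shar", "upload", "http", "htdocs", "ftp", "download",
]
EXEC_EXTS = ("exe", "scr", "pif")
DECOY_EXTS = ("doc", "txt", "rtf", "jpg", "mpg", "mp3")

# "<decoy>.<exe>" with optional spaces around the dots, e.g. "Harry Potter.doc.exe" or "data.rtf .scr"
DOUBLE_EXT = re.compile(
    r"\.(%s)\s*\.\s*(%s)$" % ("|".join(DECOY_EXTS), "|".join(EXEC_EXTS)), re.IGNORECASE
)


def looks_like_share_dir(dirname):
    """Same crude substring test the worm uses to pick target directories."""
    lowered = dirname.lower()
    return any(marker in lowered for marker in SHARE_DIR_MARKERS)


def scan_shares(root):
    """Return sorted (relative path, reason) for executables inside share-like directories."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not looks_like_share_dir(os.path.basename(dirpath)):
            continue
        for fn in filenames:
            rel = os.path.relpath(os.path.join(dirpath, fn), root)
            if DOUBLE_EXT.search(fn):
                findings.append((rel, "double extension"))
            elif fn.lower().endswith(tuple("." + e for e in EXEC_EXTS)):
                findings.append((rel, "executable in share directory"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed layout: a P2P share with two worm-style names and a harmless document,
    plus an unrelated directory whose executable must not be reported."""
    layout = {
        "My Shared Folder": ["Harry Potter.doc.exe", "Kazaa Lite 4.0 new.exe", "notes.doc"],
        os.path.join("Program Files", "Tool"): ["tool.exe"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(b"placeholder")  # content is irrelevant; only names are inspected


def demo():
    """Build the sample tree in a temp directory and scan it; returns [(basename, reason)]."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.basename(p), reason) for p, reason in scan_shares(root)]


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{reason:32} {name}")
```

Because "download" and "upload" are among the markers, an ordinary Downloads folder will match too; that is the same over-matching the worm itself relies on, and the double-extension reason is the one worth alerting on first.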
While scanning the drives it also searches for files with the following extensions and harvests e-mail addresses from them for use in mass-mailing:
.xml
.wsh
.jsp
.msg
.oft
.sht
.dbx
.tbb
.adb
.dhtm
.cgi
.shtm
.uin
.rtf
.vbs
.doc
.wab
.asp
.php
.txt
.eml
.html
.htm
The mailing routine does not send messages to addresses that contain any of the strings below; the reason for this was probably to delay detection of the worm.
@microsof
@antivi
@symantec
@spam
@avp
@f-secur
@bitdefender
@norman
@mcafee
@kaspersky
@f-pro
@norton
@fbi
buse@
@messagel
@skynet
@pandasof
@freeav
@sophos
@antivir
@viruslis
noreply@
spam@
reports@
Here is the list of possible e-mail subjects:
Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification
Re: Virus Sample
Re: Submit a Virus Sample
Re: Sex pictures
Re: A!p$ghsa
Re: Its me
Re: Question
Re: Request
Internet Provider Abuse
Is that your password?
Administrator
Spam
Mail Authentication
You cannot do that!
Re: Your document
Error
I cannot forget you!
I cannot believe that.
Stolen document
Your day
Note that the subjects below can have "Re: " or "Re: Re: " in front of them.
hi
hello
thanks!
approved
corrected
patched
improved
Notice again
important
read it immediately
The words "my", "approved" and "important" are randomly put in front of the following strings to form the subject line; the same strings can also appear in the body of the e-mail.
document
file
details
information
letter
product
website
application
screensaver
bill
word document
excel document
data
message
text
document_all
The body can contain one of the following sentences:
Authentication required.
Bad Gateway: The message has been attached.
Delivered message is attached.
You have downloaded these illegal cracks?.
Encrypted message is available.
ESMTP [Secure Mail System #334]: Secure message is attached
First part of the secure mail is available.
Follow the instructions to read the message.
For further details see the attachment.
For more details see the attachment.
Do not visit this illegal websites!
Are you a spammer? (I found your email on a spammer website!?!)
Forwarded message is available.
Thanks!
I have attached it to this mail.
Here is it!
I have attached your document.
I have received your document. The corrected document is attached.
New message is available.
Now a new message is available.
Partial message is available.
Please authenticate the secure message.
Please confirm my request.
Please confirm the document.
Please read the attached file!
Please read the attachment to get the message.
Please read the document.
Please read the important document.
Please see the attached file for details.
Protected Mail System Test.
Protected message is attached.
Protected message is available.
Rquested file.
Secure Mail System Beta Test.
See the file.
SMTP: Please confirm the attached message.
Waiting for a Response. Please read the attachment.
Waiting for authentification.
You got a new message.
You have received an extended message. Please read the instructions.
Your details.
Your document is attached to this mail.
Your document is attached.
Your document.
Your file is attached.
You have written a very good text, excellent, good work!
Please r564g!he4a56a3haafdogu#mfn3o
Your requested mail has been attached.
The sample file you sent contains a new virus version of buppa.k. Please update your virus scanner with the attached dat file.
The sample file you sent contains a new virus version of mydoom.j. Please clean your system with the attached signature.
Message has been sent as a binary attachment
The file is protected with the password ghj001.
I have attached your file. Your password is jkl44563.
I noticed that you have visited illegal websites.
My favourite page.
your big love, ;-)
Here is my phone number.
Congratulations! your best friend.
I found this document about you.
Your mail account is expired. See the details to reactivate it.
Try this game ;-)
I hope the patch works.
Your mail account has been closed. For further details see the document.
Please answer quickly!
Please confirm!
Thank you for your request, your details are attached!
You were registered to the pay system. For more details see the attachment.
Let'us be short: you have no experience in writing letters!!!
See the ghg5%&6gfz65!4Hf55d!46gfgf
Please r564g!he4a56a3haafdogu#mfn3o
¯do0¯i4grjj40j09gjijgpndT
0i09u5rug08r89589gjrg
The following fake e-mail scanning reports are sometimes appended to the end of the e-mail body.
+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found
+++ Panda AntiVirus - www.pandasoftware.com
++++ Attachment: No Virus found
++++ Norman AntiVirus - www.norman.com
++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com
++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.de
The attachment name can be one of the following:
about_you
abuselist
all_doc01
all_in_all
approved
archive
corrected
d4334938
data
data02
data20
datfiles
detail3
details
doc01
document
document_all02c
document01
document04
document43
game_xxo
improved
letter
letter32
list
mails9
msg
my_details
my_list01
my_numbers
part6
pgp_sess01
Postcard
priv
private_01
pwd02
readme
signature
summary2004
websites03
word_doc
www.myx4free
your_doc
your_document
The attachments can have dual extensions separated by numerous spaces and might look something like the example below. The first extension is either ".doc" or ".txt", and the second is one of ".zip", ".scr", ".exe" or ".pif".
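The subject, body, fake-report and attachment-name conventions described above are exactly the material a mail gateway rule is built from. The Python below is an added example, not code from the original write-up: it scores a message on four independent indicators (a known subject after stripping repeated "Re: " prefixes, or a prefix word plus one of the subject strings; a known body sentence; the "+++ Attachment: No Virus found" trailer; and an attachment whose decoy ".doc"/".txt" extension is followed by spaces and a ".zip"/".scr"/".exe"/".pif" extension) and combines them into a verdict. The signature sets hold a representative subset of the write-up's lists, the sample messages are constructed, and the verdict thresholds are a design choice of this example.

```python
import re

# Representative subset of the write-up's subject list, with the "Re: " prefixes stripped.
KNOWN_SUBJECTS = {s.lower() for s in [
    "Encrypted Mail", "Status", "Notify", "Mail Server", "Delivery Protection",
    "Mail Authentification", "Virus Sample", "Is that your password?", "Stolen document",
    "hi", "hello", "thanks!", "approved", "corrected", "patched", "read it immediately",
]}
SUBJECT_PREFIX_WORDS = ("my", "approved", "important")
SUBJECT_NOUNS = ("document", "file", "details", "information", "letter", "product",
                 "website", "application", "screensaver", "bill", "word document",
                 "excel document", "data", "message", "text", "document_all")
# Representative subset of the body sentences.
KNOWN_BODY_LINES = {s.lower() for s in [
    "Please read the attached file!", "Please read the document.",
    "Your document is attached.", "Delivered message is attached.",
    "I have attached your file. Your password is jkl44563.",
]}
# Two-line fake scanner trailer: "+++ Attachment: No Virus found" then "+++ <vendor> AntiVirus - www...."
FAKE_REPORT = re.compile(r"^\+{3,4} Attachment: No Virus found[ \t]*\n\+{3,4} .+AntiVirus - www\.", re.M)
# Attachment: name, decoy extension, a run of spaces, then the real extension.
SPACED_DOUBLE_EXT = re.compile(r"^\S+\.(doc|txt)\s+\.(zip|scr|exe|pif)$", re.I)


def normalize_subject(subject):
    """Strip any number of leading 'Re:' prefixes and lower-case the rest."""
    s = subject.strip()
    while s.lower().startswith("re:"):
        s = s[3:].strip()
    return s.lower()


def subject_indicator(subject):
    s = normalize_subject(subject)
    if s in KNOWN_SUBJECTS:
        return True
    # "my document", "approved file", "important details", ...
    return any(s.startswith(w + " ") and s[len(w) + 1:] in SUBJECT_NOUNS
               for w in SUBJECT_PREFIX_WORDS)


def classify(msg):
    """msg: {'subject': str, 'body': str, 'attachments': [file names]} -> (verdict, indicators)."""
    indicators = []
    if subject_indicator(msg["subject"]):
        indicators.append("known subject")
    body_lines = {line.strip().lower() for line in msg["body"].splitlines()}
    if body_lines & KNOWN_BODY_LINES:
        indicators.append("known body sentence")
    if FAKE_REPORT.search(msg["body"]):
        indicators.append("fake AV report trailer")
    if any(SPACED_DOUBLE_EXT.match(a) for a in msg["attachments"]):
        indicators.append("spaced double-extension attachment")
    # Thresholds are this example's choice: the attachment trick plus any other hit is decisive.
    if "spaced double-extension attachment" in indicators and len(indicators) > 1:
        verdict = "block"
    elif len(indicators) >= 2:
        verdict = "quarantine"
    else:
        verdict = "pass"
    return verdict, indicators


# Constructed sample messages.
SAMPLES = {
    "worm": {
        "subject": "Re: Re: read it immediately",
        "body": "Please read the attached file!\n\n+++ Attachment: No Virus found\n"
                "+++ Kaspersky AntiVirus - www.kaspersky.com",
        "attachments": ["document04.txt                          .pif"],
    },
    "benign": {
        "subject": "Lunch on Thursday?",
        "body": "Are we still on for lunch? I have attached the menu.",
        "attachments": ["menu.pdf"],
    },
    "borderline": {
        "subject": "important document",
        "body": "Please read the document.",
        "attachments": ["report.doc"],
    },
}


def demo():
    """Classify every sample; returns {name: verdict}."""
    return {name: classify(msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict, why = classify(msg)
        print(f"{name:10} {verdict:10} {why}")
```

In production the indicator sets would be the full lists rather than a subset, and the attachment check alone is worth a hard reject regardless of the other indicators, since no legitimate mail client produces a file name padded with spaces between two extensions.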