When W32/Swen.A@mm is activated it goes through the following list of applications and tries to terminate them. Some of those applications are security and antivirus applications.
zonealarm, zapro, wfindv32, webtrap, vsstat, vshwin32, vsecomr, vscan, vettray, vet98, vet95, vet32, vcontrol, vcleaner, tds2, tca, sweep, sphinx, serv95, safeweb, rescue, regedit, rav, pview, pop3trap, persfw, pcfwallicon, pccwin98, pccmain, pcciomon, pavw, pavsched, pavcl, padmin, outpost, nvc95, nupgrade, nupdate, normist, nmain, nisum, navw, navsched, navnt, navlu32, navapw32, nai_vs_stat, msconfig, mpftray, moolive, luall, lookout, lockdown2000, kpfw32, jedi, iomon98, iface, icsupp, icssuppnt, icmoon, icmon, icloant, icload95, ibmavsp, ibmasn, iamserv, iamapp, gibe, f-stopw, frw, fp-win, f-prot95, fprot95, f-prot, fprot, findviru, f-agnt95, espwatch, esafe, efinet32, ecengine, dv95, claw95, cfinet, cfind, cfiaudit, cfiadmin, ccshtdwn, ccapp, bootwarn, blackice, blackd, avwupd32, avwin95, avsched32, avp, avnt, avkserv, avgw, avgctrl, avgcc32, ave32, avconsol, autodown, apvxdwin, aplica32, anti-trojan, ackwin32, _avp.
It also prevents these applications from being executed while it is resident in memory: when the user tries to run one of them under these circumstances, a dialog box with a fake error message is displayed. The worm then checks whether any debuggers are running on the machine; if so, it displays a dialog box containing the text "Try to pull my legs?" and terminates its own process.
It copies itself to the Windows directory under a random name and modifies the registry so that it is executed whenever a program is run and on every reboot. The modified values are listed below.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"[random name]"="[worm random name] autorun"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
"[worm random name] \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command]
"[worm random name] \"%1\" /S"
[HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\config\command]
"[worm random name] \"%1\""
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command]
"[worm random name] \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
"[worm random name] \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command]
"[worm random name] \"%1\" %*"
It then drops a file called administrator.bat into the Windows directory; this file consists of the following lines:
@ECHO OFF
IF NOT "%1"=="" [worm random name] %1
It also creates a new key with a random name under the following key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\[random name]]
In this key it stores information about the worm, the mail server and the email address. It also has the following values there:
"Install Item"=[random]
"Unfile"=[random]
"CacheBox Outfit"="yes"
"Email Address"="The email address of the infected user"
"Server"="The mail server's IP address"
"Installed"="... by Begbie"
"Counter Visited"="yes"
It blocks registry modifications by preventing the user from running regedit and from importing .reg files; see the key below:
[HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command]
"[worm random name] showerror"
The following key is also modified so that registry tools are disabled; this ensures that the user cannot change the registry keys back.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
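As an added example (not part of the original description), the following Python check reads a .reg export and flags the shell handler hijacks and the DisableRegistryTools policy listed above. The sample export and the file name xkqzv.exe are constructed; the "clean" handler defaults it compares against are an assumption.

```python
# Shell-open handlers the worm rewrites to run its own executable first.
HIJACKED_CLASSES = ("exefile", "scrfile", "comfile", "batfile", "piffile", "regfile")
POLICY_KEY = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed sample in .reg export layout (not a real capture): "xkqzv.exe"
# stands in for the worm's random file name; batfile is left at its default.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
@="xkqzv.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command]
@="xkqzv.exe showerror"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""

def parse_reg(text):
    """Return {key_path: {value_name: data}}; '@' is the key's default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys

def handler_prefix(command):
    """Program placed before the %1 file argument ('' when %1 comes first)."""
    idx = command.find("%1")
    head = command if idx < 0 else command[:idx]
    return head.replace('\\"', "").replace('"', "").strip()

def audit(keys):
    """List the Swen-style registry changes present in a parsed export."""
    findings = []
    for cls in HIJACKED_CLASSES:
        path = rf"HKEY_LOCAL_MACHINE\Software\CLASSES\{cls}\shell\open\command"
        command = keys.get(path, {}).get("@")
        # Assumed clean defaults: nothing before %1, except regedit.exe for .reg files.
        expected = "regedit.exe" if cls == "regfile" else ""
        if command is not None and handler_prefix(command).lower() != expected:
            findings.append(f"{cls} handler hijacked: {command}")
    if keys.get(POLICY_KEY, {}).get("DisableRegistryTools") == "dword:00000001":
        findings.append("registry tools disabled by policy")
    return findings
```

Running `audit(parse_reg(SAMPLE_REG))` reports the exefile and regfile hijacks and the disabled registry tools, while the untouched batfile handler produces no finding.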
Spreading with Kazaa.
If Kazaa is installed, the worm copies itself to the download directory and enables sharing if it is disabled. It assembles the file name from the following lists:
Kazaa Lite, KaZaA media desktop, KaZaA, WinRar, WinZip, Winamp, Mirc, Download Accelerator, GetRight FTP, Windows Media Player
[key generator, hack, hacked, warez, upload, installer]
Bugbear, Yaha, Gibe, Sircam, Sobig, Klez
[remover, removal tool, cleaner, fixtool]
AOL hacker, Yahoo hacker, Hotmail hacker, 10.000 Serials, Jenna Jameson, HardPorn, Sex, XboX Emulator, Emulator PS2, XP update, XXX Video, Sick Joke, XXX Pictures, My naked sister, Hallucinogenic Screensaver, Cooking with Cannabis, Magic Mushrooms Growing, Virus Generator.
Spreading with IRC.
It overwrites script.ini with its own script. When someone joins a channel that the infected user is in, the script tries to send that person a copy of the worm via DCC.
Infecting over local networks.
It checks every drive on the machine and, if it finds a remote drive, calls its network infection routine. This routine scans for one of the following directories on the remote machine:
Win98
Win95
WinMe
Windows
If it finds a Windows directory, it tries to place a copy of itself in the Startup directory so that the worm is executed on startup on the remote machine.
Spreading via email.
It pretends to be a patch from Microsoft that fixes newly discovered vulnerabilities. It gathers email addresses from .eml, .wab, .dbx, .mbx and .asp files, which it scans for on the machine. The author has obviously tried to make the email as convincing as possible.
It also sends out a fake email message falsely reporting that a message could not be delivered. If the user has not installed the IFrame exploit patch from Microsoft, the attachment will run. Such an email message can look something like the one below.
From: Email Storage Service
To: Internet User
Subject: Mail: Returned To Sender.
Hi,
I'm sorry to have to inform you that the message returned below could not be delivered to the following addresses.
Undelivered to [random name]@[chosen from a list that is kept in the virus body]
This is the list that the domain part of the email is generated from:
Puremail,
America,
Netmail,
Freemail,
Yahoo,
Aol,
Bigfoot,
Rocketmail,
Microsoft,
Freemail,
Netmail.
.com or .net
The From field is created from these strings:
Admin,
Administrator,
Postmaster,
Microsoft.
Email,
Message,
Mail,
Storage,
Delivery,
Service,
System.
The To field is assembled from the following strings:
Email,
Mail,
Inet,
Net,
Internet,
Network.
Client
Receiver,
User.
The subject is crafted from these strings:
Returned,
Undeliverable,
Undelivered.
Mail,
Message.
Returned To
Sender,
Mailer,
User.
User unknown.
Bug,
Error,
Abort,
Failure,
Letter,
Advice,
Message,
Announcement,
Report,
Notice.
And the body is crafted from the strings below:
Hi.
This is the qmail program
Message from
I'm sorry
I'm sorry to have to inform you that
I'm afraid
the message returned below could not be delivered
Message follows:
I wasn't able to deliver your message
to the following addresses:
to one or more destinations.
Undelivered
Undeliverable
Message
Mail