W32/Winur.worm.a

This page shows details and results of our analysis on the malware W32/Winur.worm.a

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5600.1067

File Length

61,440 bytes

Description Added

2003-02-04

Description Modified

2003-02-10

Malware Proliferation

Characteristics

This threat is proactively detected as "New P2P Worm" with the 4215-4245 DAT files when scanning with program heuristics enabled.

This worm spreads via network shares, peer-to-peer file-sharing software, and floppy diskettes. The worm contains a payload to initiate a Denial of Service attack against 3 white supremacist websites. The worm propagates via KaZaa using filenames found on the infected system, and the following names:

  • .exe
  • Adobe Photoshop cracker.exe
  • Age of Empire crack.exe
  • Age of Mythology cracker.exe
  • All Microsoft games cracker.exe
  • Anastacia game.exe
  • AOL hacker.exe
  • AOL password stealer.exe
  • Britney spears game.exe
  • Bugbear remover.exe
  • Christina Aguilera game.exe
  • Die another Day DVD full.exe
  • Die another day flash movie(1).exe
  • Die another day flash movie.exe
  • Dvd ripper.exe
  • EA games Keygen.exe
  • Esafe desktop protection crack.exe
  • Frontpage cracker.exe
  • Hotmail account hacker in 30 minutes.exe
  • Hotmail hacker.exe
  • Hotmailhacker v1.0.exe
  • ICQ hacker.exe
  • ICQ password stealer.exe
  • Jack the ripper v1.0.exe
  • Jackie chan dvd collection.exe
  • James Bond game - Die another day.exe
  • John the ripper v1.0.exe
  • Justin Timberlake Debute movie.exe
  • Klez fixtool.exe
  • Lord of the rings VCD.exe
  • Love calculator.exe
  • Mcafee virusscanner crack.exe
  • Microangelo cracker.exe
  • Most important hacker tool ever!.exe
  • msconfig.exe
  • MSN Messenger commercial cracker.exe
  • MSN Password stealer.exe
  • MXlinx 0.30 crack.exe
  • Nikki cox game and movie.exe
  • Norton antivirus cracker.exe
  • Office XP license cracker.exe
  • pornmovie (hardcore sex adult asian).exe
  • Red Alert cracker - All versions.exe
  • Rollercoaster tycoon cracker.exe
  • shortcut to northwind.lnk.exe
  • Shriek DVD crack patch.exe
  • Stop the war (intro).exe
  • Super 2000key keygen.exe
  • Theme park world cracker.exe
  • UnIcOrn Gift.exe
  • Warcraft 3 cracker.exe
  • Website hacker v1.0.exe
  • Windows Me crack.exe
  • Windows XP license cracker.exe
  • Yaha Fixtool.exe
Peer-to-peer Propagation
When run, the worm creates a hidden directory, c:\winrun, and copies itself to that directory using the aforementioned filenames, as well as filenames found in the Shell Folders Personal, My Music, and My Video. This WINRUN folder is then set as the default share for the KaZaa and WinMX file-sharing applications.

The worm also copies itself to c:\klez_removal.exe and creates a registry run key to load itself at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "msconfig" = C:\winrun\msconfig.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    RunServices "winrun" = C:\winrun\msconfig.exe
The following additional registry keys are created:
  • HKEY_CURRENT_USER\Software\KaZaa\
    Advanced "ScanFolder" = REG_DWORD:1
  • HKEY_CURRENT_USER\Software\KaZaa\
    InstantMessaging "IgnoreAll" = REG_DWORD:1
  • HKEY_CURRENT_USER\Software\KaZaa\
    LocalContent "DisableSharing" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\KaZaa\
    ResultsFilter "adult_filter_level" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\KaZaa\
    ResultsFilter "bogus_filter" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\KaZaa\
    ResultsFilter "firewall_filter" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\KaZaa\
    ResultsFilter "virus_filter" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\KaZaa\
    Settings "FolderWarning" = REG_DWORD:0
  • HKEY_CURRENT_USER\Software\KaZaa\
    Settings "Quarantine" = C:\WINDOWS\Start Menu\Programs\StartUp
  • HKEY_CURRENT_USER\Software\KaZaa\
    UserDetails "AutoConnected" = REG_DWORD:1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\MessengerService\
    Policies "IMWarning" = (M)Warning: The person who you are talking to is infected with a virus. Send him the removal tool that can be found in C:\klez_removal.exe(M)
The last key is designed to display a warning message on the local MSN Messenger user's system to encourage them to send the worm to that user.

Floppy Propagation
A copy of the worm is saved to the A: drive as:

  • IMPORTANT - READ THIS.DOC < 62 spaces > .exe
Payload
On the 24th of the month, several message boxes are displayed:

On the 5th, 15th, and 25th of the month, a Denial of Service attack is initiated against 3 white supremacist websites and the following network share propagation is attempted.

Network Share Propagation
The worm creates the file c:\Autostart.bat, which redirects the output of the NET VIEW command to the file c:\ntwrk32.dll. This file provides the virus a list of systems in the current workgroup for the worm to spread to. Using the share c, the worm copies itself to the following paths:

  • windows\Start Menu\Programs\StartUp\msoffice32.exe
  • windows\start menu\Programma's\Opstarten\msoffice32.exe
  • Documents and Settings\All Users\Start menu\
    programs\startup\msoffice32.exe
  • Documents and Settings\All Users\Menu Start\
    Programma's\Opstarten\msoffice32.exe
During testing, the worm failed to spread successfully using this propagation method to anything other than the local system. The .bat and .dll files created by the worm, may get deleted after the function is carried out.

Symptoms

- Presence of the aforementioned files, and message boxes.
- Firewall program alerting you that PING is attempting to access the Internet on the 5th, 15th, or 25th of the month.

Method of Infection

This worm spreads through the KaZaa, and WinMX file-sharing applications. It also may spread through network share propagation.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants