W32/Wozer.worm

This page shows details and results of our analysis on the malware W32/Wozer.worm

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4305 (2003-11-19)

Updated DAT

4323 (2004-02-11)

Minimum Engine

5.1.00

File Length

23,040 bytes

Description Added

2003-11-17

Description Modified

2003-11-19

Malware Proliferation

Characteristics

This is a detection for an internet worm that spreads by email, IRC and network shares.

After execution, the worm copies itself to %sysdir% as Explore.exe and eCard.zip.

This ZIP file is corrupted and can't be unpacked with common decompressors such as WinZip, RAR or the integrated ZIP support in Windows XP.

The following registry key is changed to run the virus at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "Explorer.exe Explore.exe"

Network spreading:
This worm browses network connections to spread to other machines that allow write access to the C drive using the credentials of the infected user. It copies itself as WINUPDATE.EXE and adds a call to that file in AUTOEXEC.BAT.

Email spreading:
The worm harvests email addresses from files on the local system with the following file extensions:

  • *.HTM
  • *.WAB
  • *.EML
  • *.ODS
  • *.MMF
  • *.NCH
  • *.MBX
  • *.TBB
  • *.CPP
  • *.DPR
  • *.FRM
  • *.BAS
  • *.DOC
  • *.RTF
  • *.VBS
  • *.TXT
  • *.HTML
  • *.ASP

It uses its own SMTP engine to send emails directly to the MTA of the destination domain.
The From address is always 'Superzone eCard' 'ecard@superzone.com'.
Subject: 'Superzone eCard from Secret Admirer'
An attachment named eCard.zip contains the worm.

Example:

IRC spreading:
If MIRC is installed on the local system, the worm drops a SCRIPT.INI into the MIRC folder. The worm offers the corrupted eCard.zip to anyone joining a channel where the infected user is present. This script is detected as MIRC/Generic.

The worm drops a file called CROW.TXT to C:\. This text file contains the string:

"i love u crow .... i do. "

Symptoms

  • Existence of the registry keys mentioned above.
  • Outgoing traffic on port 25 TCP (SMTP)
  • Traffic to port 139 TCP (NetBIOS)
  • Existence of the files mentioned above.
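As an added defender-side example (not part of this advisory), the following Python checks for two of the indicators described above: the extra program appended to the Winlogon "Shell" value, and the From/Subject/attachment combination of the worm's mail. The sample message is constructed and the function names are mine.

```python
import email
from email import policy

# Indicators quoted from the advisory text; the sample mail below is constructed.
WOZER_FROM = "ecard@superzone.com"
WOZER_SUBJECT = "Superzone eCard from Secret Admirer"
WOZER_ATTACHMENT = "ecard.zip"


def winlogon_shell_extras(shell_value):
    """Return entries of a Winlogon 'Shell' value other than explorer.exe."""
    # A clean value is exactly 'Explorer.exe'; the worm appends 'Explore.exe'.
    # Comma and space separators are both accepted (assumption).
    parts = shell_value.replace(",", " ").split()
    return [p.lower() for p in parts if p.lower() != "explorer.exe"]


def wozer_mail_indicators(raw_message):
    """Return which of the advisory's mail indicators a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if WOZER_FROM in str(msg.get("From", "")).lower():
        hits.append("from")
    if str(msg.get("Subject", "")).strip() == WOZER_SUBJECT:
        hits.append("subject")
    # iter_attachments() skips the body part, so only real attachments are checked.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == WOZER_ATTACHMENT:
            hits.append("attachment")
            break
    return hits


# Constructed sample resembling the worm's mail as the advisory describes it;
# the attachment body is a dummy placeholder, not the worm.
SAMPLE_MAIL = b"""From: "Superzone eCard" <ecard@superzone.com>
Subject: Superzone eCard from Secret Admirer
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have received an eCard.
--b1
Content-Type: application/zip; name="eCard.zip"
Content-Disposition: attachment; filename="eCard.zip"

PLACEHOLDER
--b1--
"""
```

On a live system the "Shell" value would be read from the HKEY_LOCAL_MACHINE key quoted above and passed to winlogon_shell_extras; any non-empty result warrants investigation.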

Method of Infection

W32/Wozer.worm@MM spreads by email and IRC, and copies itself to network shares.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from the CD-ROM drive.

Variants