W32/Cissi.worm

This page shows the details and results of our analysis of the malware W32/Cissi.worm.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 4312 (2003-12-31)

Updated DAT: 4320 (2004-01-28)

Minimum Engine: 5.1.00

File Length: 23,552

Description Added: 2003-12-29

Description Modified: 2003-12-30

Malware Proliferation

Characteristics

This is an internet worm that spreads via email and network shares. The worm also acts as a backdoor controlled over the IRC network.

When run, the worm copies itself as:

  • %WinSys%\CISSI.exe

Where %WinSys% is the Windows system directory.

It modifies the following registry key in order to run itself at Windows startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    "Shell" = "Explorer.exe %WinSys%\CISSI.exe"

The worm searches for email addresses by scanning the content of files with the following extensions:

  • .htt
  • .rtf
  • .doc
  • .xls
  • .ini
  • .mdb
  • .txt
  • .htm
  • .html
  • .wab
  • .pst
  • .fdb
  • .cfg
  • .ldb
  • .eml
  • .abc
  • .ldif
  • .nab
  • .adp
  • .mdw
  • .mda
  • .mde
  • .ade
  • .sln
  • .dsw
  • .dsp
  • .vap
  • .php
  • .asp
  • .shtml

The worm writes harvested email addresses to the file:

  • %WinSys%\CISSI.dll

The worm uses its own SMTP engine to send emails. The email has the following characteristics:

Subject : (one of the following)

  • Heres a poem for you
  • Ive written a poem for you
  • Love poems for you :)
  • Look what i wrote for you
  • Poems for you
  • Roses are red,
  • You are mine,
  • I love you until im dead,
  • It will all be fine.
  • I do miss you
  • I do love you
  • what you want me to do?
  • I never want to go.
  • Where did you run?
  • Where did you hide?
  • I stand here undone
  • I stand here inside
  • How could u do that
  • Why did you say that
  • How do you feel inside
  • I wish i just could hide

Attachment: (one of the following)

  • LovePoem.pif
  • Poem_collection.pif
  • Zipped_poems.exe
  • My Poems.txt.exe
  • Poems.pif
  • Sad Stories and Poems.pif
  • My Story.pif
  • The Poems.pif
  • Poems for you.pif
  • Only Poems.txt.pif

Body: (none)

The worm uses NetBIOS functions to connect to randomly generated IP addresses. It tries a predefined list of user names and passwords to gain access to those hosts. This produces a large volume of outbound connections to NetBIOS, TCP port 139.

The worm connects to the IRC server irc.undernet.org on port 6667 and logs in to a predefined channel using a randomly generated user name. Once connected, it listens for IRC commands and performs backdoor activities such as downloading and executing files.
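The two network symptoms described above (a burst of outbound NetBIOS connections to many hosts, and a connection to irc.undernet.org on port 6667) can be picked out of perimeter logs. The following Python is an added detection example, not part of the original description; the log line format, the sample lines and the fan-out threshold are constructed assumptions.

```python
"""Flag hosts showing the network symptoms of W32/Cissi.worm: fan-out to
TCP/139 on many distinct destinations, and contact with the IRC C2 server."""
import re
from collections import defaultdict

# Constructed firewall-style log format (an assumption, not a real product's):
# "<time> <src_ip> -> <dst_host_or_ip>:<dst_port> <proto> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>[\w.\-]+):(?P<port>\d+) (?P<proto>\w+) (?P<action>\w+)$")

NETBIOS_PORT = 139           # NetBIOS session service scanned by the worm
IRC_PORT = 6667              # port used for the irc.undernet.org channel
IRC_HOST = "irc.undernet.org"
FANOUT_THRESHOLD = 20        # distinct :139 destinations before alerting (tunable assumption)

def parse(lines):
    """Yield parsed events; silently skip lines that do not match the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def analyse(lines, threshold=FANOUT_THRESHOLD):
    """Return {'netbios_scanners': {src: distinct_dst_count}, 'irc_c2': [src, ...]}.

    Distinct destinations are counted rather than raw connections, so a host
    that repeatedly talks to its own file server on :139 is not flagged.
    Both allowed and denied attempts count: a blocked C2 attempt is still a symptom.
    """
    netbios_dsts = defaultdict(set)
    irc_sources = set()
    for ev in parse(lines):
        port = int(ev["port"])
        if port == NETBIOS_PORT:
            netbios_dsts[ev["src"]].add(ev["dst"])
        elif port == IRC_PORT and ev["dst"] == IRC_HOST:
            irc_sources.add(ev["src"])
    scanners = {s: len(d) for s, d in netbios_dsts.items() if len(d) >= threshold}
    return {"netbios_scanners": scanners, "irc_c2": sorted(irc_sources)}

# Constructed sample: 10.0.0.5 fans out to 25 hosts on :139 and joins IRC,
# 10.0.0.7 only talks to its file server, 10.0.0.9 has a blocked IRC attempt.
SAMPLE = [f"2003-12-29T10:00:{i:02d} 10.0.0.5 -> 198.51.100.{i}:139 tcp allow"
          for i in range(25)]
SAMPLE += ["2003-12-29T10:01:00 10.0.0.7 -> 10.0.0.20:139 tcp allow",
           "2003-12-29T10:01:01 10.0.0.7 -> 10.0.0.20:139 tcp allow",
           "2003-12-29T10:01:02 10.0.0.5 -> irc.undernet.org:6667 tcp allow",
           "2003-12-29T10:01:03 10.0.0.9 -> irc.undernet.org:6667 tcp deny"]

if __name__ == "__main__":
    print(analyse(SAMPLE))
```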

Symptoms

  • Existence of the files and registry keys mentioned above
  • Unusual outbound connections to port 139

Method of Infection

The worm spreads via SMTP mail and network shares.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following steps also need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.

Variants