W32/Updatr.gen@MM

This page shows details and results of our analysis on the malware W32/Updatr.gen@MM

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4176 (2001-12-12)

Updated DAT

4346 (2004-03-31)

Minimum Engine

5400.1158

File Length

12,288

Description Added

2001-12-06

Description Modified

2002-01-22

Malware Proliferation

Characteristics

This threat is detected heuristically as NEW BACKDOOR, NEW MALWARE, or NEW WORM (depending on the DAT version) with the 4100 DATs (or newer) when scanning compressed files with program heuristics turned on. AVERT has received very few samples of this threat.

This mass-mailing worm sends itself to all recipients found in the Outlook Address book and creates a VBScript which saves many copies of itself to all local and mapped network drives. As the worm sends itself using both the TO: and BCC: fields, recipients are likely to receive the virus in pairs. It arrives in an email message with the following information:

The subject is derived by randomly combining several strings. There are 4 groupings of these strings and one group, or phrase, is chosen from each in succession:

Group1 = "Have you ", "You Should ", "Just ", "Why Not you ", "How to ", "Re: ", "Fwd : "
Group2 = "Check ", "Check out", "Watch out ", "Open ", "Look at "
Group3 = "this ", "my ", "For this ", "The ", "Subject ", "Picture ", "Program "
Group4 = "Report", "Documment", "Quotation", "Transaction", "Bank Account", "WTC Tragedy", "Osama Vs Bush", "Account", "Private Pic"

For example: Just Watch out For this Documment or You Should Watch out The Private Pic

Body: Hi:
This is the file you ask for, Please save it to disk and open this file,
it's very important.

Attachment: Setup.EXE
or Attachment: install.exe
or Attachment: Readme.exe
or Attachment: Files.exe
or Attachment: Picture.exe
or Attachment: Quotation.Doc.exe
or Attachment: Letter.Doc.exe
or Attachment: Picture.jpg.exe

Clicking on the attachment infects your machine. The worm sends itself using MAPI to all recipients in the Microsoft Outlook Address book. It saves a copy of itself to the WINDOWS directory as UPDATE.EXE and creates a registry run key to load itself at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run\Update=C:\WINDOWS\Update.exe

A fake error message is displayed:

A VBScript file is written to C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\Update.vbs which will run upon restart under Win9x/ME. This script file simply seeks out all DOC, EXE, and TXT files on local and mapped network drives. It does not alter these files, but rather it saves a copy of the VBS file in the same directory as those files found, using the same file name but adding VBS to the end.

ie. Winword.exe.vbs

On the 12th day of the month, the VBScript will display a message box:

Symptoms

Presence of %WinDir%\UPDATE.EXE (12,288 bytes in length)

Method of Infection

This worm arrives as an email attachment. Clicking on this attachment causes the virus to mail itself to all recipients found in your Outlook Address book.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

Variants