W32/Pkasa@MM

This page shows the details and results of our analysis of the malware W32/Pkasa@MM.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 4245 (2003-01-29)
Updated DAT: 4245 (2003-01-29)
Minimum Engine: 5.1.00
File Length: 127,488 bytes; ~116kB (ZIP)
Description Added: 2003-01-24
Description Modified: 2003-01-24


Characteristics

This Visual Basic worm propagates via several channels:

  • mass-mailing itself, as a ZIP attachment, to recipients listed in the Outlook Address Book
  • copying itself to local and network drives
  • sending a zipped copy of itself to other users over mIRC
  • copying itself into the KaZaa shared folder, where it is offered to the file-sharing network
  • copying itself to floppy disks

In testing, the worm would not run on NT/2000 machines.

When executed, the worm attempts to terminate various processes running on the victim machine, in particular those belonging to anti-virus and security products.

Mass-Mailing Propagation

The worm mails itself to all recipients in the Outlook Address Book, attaching a zipped copy of itself to each message. Within a single mailing, each recipient may receive a differently formatted message. Messages may be formatted as follows:

Subject: various, including:
  • Thank You !
  • The E.A.S.E System Can Make You Money At Home!!
  • Free Software, Download it now !!
  • Confirmation Email - Required !
  • Free MP3. OGG/VORBIS Hit Songs !!
  • Re: Your Daily Report
  • You are Losing Income
  • Download DVD Movie Now !! Its Free..!
  • WHY NOT CHECK IT OUT? IT'S FREE!
Attachment: ZIP archive file with varying filename, for example:
  • BONUS.ZIP
  • REPORT.ZIP
  • FREEPIC.ZIP
  • FREEJOIN.ZIP
  • FFA.ZIP

The ZIP (approximately 116,540 bytes) contains a copy of the worm (file size: 127,488 bytes). The filename of the worm within the ZIP varies, for example:

  • SEXY.EXE
  • REPORT.EXE
  • FISTING.EXE
  • FREEJOIN.EXE
Body: various, including:
  • Have I peaked your curiosity?
    This is something that I think that anyone who is serious about marketing and being on the internet should check out.

    Save it Now !

  • Hello!

    Need a quick $100 today?
    Need a quick $500 this week?
    Need to QUICKLY build a $5,000 monthly income?


    Download the attachment now !

  • The Mastercard Stored Value Card is good anywhere in the world that Mastercard is accepted! APPLY NOW AND GET $20 FREE!!
    Download it Now And Get free Bonus!
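The combination above (a lure subject, a ZIP attachment with one of a handful of names, and a 127,488-byte executable inside the archive) is what a mail gateway or incident responder would key on. The following Python script is an added example, not part of the original write-up or of any McAfee tooling: it parses a raw message with the standard library, reads the ZIP's central directory without extracting anything, and reports each indicator it finds. The message it builds for the demonstration is constructed here, and the "worm" inside the archive is a zero-filled placeholder of the right length.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

WORM_SIZE = 127_488  # file length of the worm body given on this page

# Lure subjects and attachment names listed on this page (compared case-insensitively).
KNOWN_SUBJECTS = {s.lower() for s in (
    "Thank You !",
    "The E.A.S.E System Can Make You Money At Home!!",
    "Free Software, Download it now !!",
    "Confirmation Email - Required !",
    "Free MP3. OGG/VORBIS Hit Songs !!",
    "Re: Your Daily Report",
    "You are Losing Income",
    "Download DVD Movie Now !! Its Free..!",
    "WHY NOT CHECK IT OUT? IT'S FREE!",
)}
KNOWN_ATTACHMENTS = {"bonus.zip", "report.zip", "freepic.zip", "freejoin.zip", "ffa.zip"}


def inspect_message(raw):
    """Return a list of finding strings for one raw RFC 822 message (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("subject", "")).strip()
    if subject.lower() in KNOWN_SUBJECTS:
        findings.append(f"subject matches known lure: {subject!r}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        if fname.lower() in KNOWN_ATTACHMENTS:
            findings.append(f"attachment name matches known lure: {fname}")
        payload = part.get_payload(decode=True) or b""
        try:
            # Only the central directory is read; nothing is extracted or executed.
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    if not info.filename.lower().endswith((".exe", ".scr")):
                        continue
                    note = f"{fname} contains executable {info.filename} ({info.file_size} bytes)"
                    if info.file_size == WORM_SIZE:
                        note += ", size matches the W32/Pkasa@MM body"
                    findings.append(note)
        except zipfile.BadZipFile:
            findings.append(f"{fname} is not a valid ZIP archive")
    return findings


def build_sample_message(subject="Thank You !", attachment="BONUS.ZIP",
                         member="SEXY.EXE", size=WORM_SIZE):
    """Constructed test message; the ZIP member is zero-filled, not the real worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, b"\0" * size)
    msg = EmailMessage()
    msg["From"] = "infected-user@example.com"
    msg["To"] = "contact@example.com"
    msg["Subject"] = subject
    msg.set_content("Have I peaked your curiosity?\n\nSave it Now !\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment)
    return msg.as_bytes()


if __name__ == "__main__":
    for line in inspect_message(build_sample_message()):
        print(line)
```

The member size comes from the ZIP directory entry, which an attacker controls, so it is a triage hint rather than proof; the name and subject lists are likewise only the examples this page gives, and a variant with different strings would still be caught by the "executable inside a ZIP attachment" check.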


Worm Propagation

The worm makes multiple copies of itself on local and network drives. It recurses through local and network drives and, for each file with one of the following extensions, writes a copy of itself into that file's directory as %Filename%.%Ext%.SCR (where %Filename% and %Ext% are the original file's name and extension respectively):

  • EXE
  • SCR
  • LNK
  • DOC
  • XLS
  • JPG
  • MP3
  • MPG
  • HTM
  • HTML

The worm also copies itself to floppy and network drives under enticing filenames with a .JPG.EXE or .JPG.SCR double extension, for example:

  • ASIAN106.JPG.EXE
  • SEXYGIRLS749.JPG.EXE
  • LESBIAN606.JPG.SCR
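Both naming patterns above (the %Filename%.%Ext%.SCR "shadow" copy and the NAME<digits>.JPG.EXE / .JPG.SCR lure) can be swept for on a mounted disk image or share. The Python script below is an added example, not code from the original write-up: it walks a tree, reports a .SCR shadow only when the file it shadows sits beside it, reports lure names by pattern, and notes whether each hit has the 127,488-byte length given on this page. The directory it builds is constructed for the demonstration and the files standing in for the worm are zero-filled placeholders.

```python
import os
import re
import tempfile

# File length of the worm body given on this page.
WORM_SIZE = 127_488

# Extensions the worm "shadows": beside every NAME.EXT it finds, it drops NAME.EXT.SCR.
SHADOWED_EXTS = {"exe", "scr", "lnk", "doc", "xls", "jpg", "mp3", "mpg", "htm", "html"}

# Lure names dropped on floppies/network drives: a word, optional digits, .JPG.EXE or .JPG.SCR.
DOUBLE_EXT_RE = re.compile(r"^[A-Za-z]+\d*\.jpg\.(exe|scr)$", re.IGNORECASE)


def classify(path):
    """Return a short reason if the filename matches a Pkasa drop pattern, else None.

    A ".SCR" shadow copy is only reported when the file it shadows exists in the same
    directory, so a lone NAME.DOC.SCR with no NAME.DOC beside it is not mistaken for one.
    """
    name = os.path.basename(path)
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] == "scr" and parts[-2] in SHADOWED_EXTS:
        original = os.path.join(os.path.dirname(path), name[:-4])
        if os.path.isfile(original):
            return "shadow copy of " + os.path.basename(original)
    if DOUBLE_EXT_RE.match(name):
        return "double-extension lure"
    return None


def scan_tree(root):
    """Walk `root`; return sorted (relative path, reason, size matches worm) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reason = classify(full)
            if reason is None:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.append((rel, reason, os.path.getsize(full) == WORM_SIZE))
    return sorted(findings)


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_tree():
    """Constructed demo tree; the 'worm' files are zero-filled placeholders, not malware."""
    root = tempfile.mkdtemp(prefix="pkasa_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    _write(os.path.join(docs, "Report.doc"), b"quarterly numbers")            # benign original
    _write(os.path.join(docs, "Report.doc.scr"), b"\0" * WORM_SIZE)         # shadow copy
    _write(os.path.join(docs, "photo.jpg"), b"\xff\xd8\xff\xe0 not a real jpeg")
    _write(os.path.join(docs, "old.xls.scr"), b"\0" * 10)                    # orphan: no old.xls
    _write(os.path.join(root, "ASIAN106.JPG.EXE"), b"\0" * WORM_SIZE)       # lure name
    _write(os.path.join(root, "marquee.scr"), b"MZ legitimate screensaver")  # single extension
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, reason, size_ok in scan_tree(sample):
        print(f"{rel}: {reason} ({'size=127,488' if size_ok else 'size differs'})")
```

Run against a real volume, point `scan_tree` at the mount point; the size check is a confidence hint only, since a differently packed variant would not match it.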

KaZaa Propagation

The worm makes multiple copies of itself in the folder typically used for sharing files over the KaZaa file-sharing network:

c:\Program Files\KaZaA\My Shared Folder\

The filenames used entice users into running the worm on their machine:

  • AMATEURE686146203Jpg.exe
  • ANTIVIRAL.EXE
  • ASIAN462572179Jpg.exe
  • AVUPDATE.EXE
  • FREE_FIREWALL.EXE
  • Fetish227628495Jpg.exe
  • Fisting282627155Jpg.exe
  • Girls673729390Jpg.exe
  • LIVEUPDATE.EXE
  • Lolita16451450Jpg.exe
  • MCAFEE.EXE
  • NAVUPDATE.EXE
  • NUDE85872349Jpg.exe
  • PASSWORD.EXE
  • PIC909599469Jpg.exe
  • Preeteens322361381Jpg.exe
  • SEXSHOW.EXE
  • SEXY789731202Jpg.exe
  • XPPatch.exe

mIRC Propagation

The worm drops a MIRC.INI script into the mIRC folder in an attempt to propagate via mIRC channels. The script attempts to send a zipped copy of the worm to other users as FREEPIC.ZIP (file size: xx bytes), with a message suggesting the archive contains free pornographic images.

The dropped MIRC.INI script (2223 bytes) is detected as MIRC/Generic by McAfee products using the 4149 DATs or greater.

Symptoms

  • outgoing messages matching the description above
  • display of the fake error message box described under Method of Infection
  • multiple copies of the worm on local/network drives named %Filename%.%Ext%.SCR (as described above)

Method of Infection

When executed on the victim machine, the worm displays a fake error message box.

Aside from its propagation mechanisms (described above), the worm copies itself onto the local machine multiple times:

  • %WinDir%\KERNELW32.EXE
  • %WinDir%\BLANK.SCR

It also drops a copy into C:\ under a varying filename, for example:

  • c:\SEXY.EXE
  • C:\FISTING.EXE

It then sets the following Registry key to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Kernelw" = C:\WINDOWS\Kernelw32.exe

It also adds a hook into the local WIN.INI file:

load=C:\WINDOWS\Kernelw32.exe

A new section is also added to the WIN.INI file:

[WORM]
Name=I-WORM.PERKASA
Author=Iwing/Indovirus

A hook to the BLANK.SCR copy of the worm is inserted in the SYSTEM.INI file, within the [boot] section, using SCRNSAVE.EXE to load the worm:

[boot]
SCRNSAVE.EXE=C:\Windows\Blank.scr
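The three INI hooks described above (load= in the [windows] section of WIN.INI, the added [WORM] section, and SCRNSAVE.EXE= in the [boot] section of SYSTEM.INI) are plain text and can be checked from a copy of the files taken off an infected machine. The Python below is an added example, not McAfee's tooling: a small tolerant parser that keeps duplicate keys, followed by checks that return each hook with a verdict of "pkasa" when the value matches this description or "review" when load=/run= points somewhere else (those keys are normally empty). The WIN.INI and SYSTEM.INI samples are constructed to mirror the entries on this page. The RunServices registry value is not covered here and would be checked separately, for example from a REG export.

```python
import re

WORM_IMAGE = "kernelw32.exe"    # %WinDir%\KERNELW32.EXE copy, hooked via WIN.INI load=
WORM_SCREENSAVER = "blank.scr"  # %WinDir%\BLANK.SCR copy, hooked via SYSTEM.INI SCRNSAVE.EXE=
WORM_MARKER = "I-WORM.PERKASA"  # Name= value in the [WORM] section the worm adds to WIN.INI


def parse_ini(text):
    """Tolerant INI parser for Windows 9x WIN.INI/SYSTEM.INI text.

    Returns {section_name_lower: [(key, value), ...]}, keeping duplicates and the
    original case of keys and values; blank lines and ';' comments are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def _values(sections, section, key):
    return [v for k, v in sections.get(section.lower(), []) if k.lower() == key.lower()]


def check_win_ini(text):
    """Findings are (file, section, key, value, verdict); verdict is 'pkasa' or 'review'."""
    ini = parse_ini(text)
    findings = []
    # load= and run= in [windows] are normally empty; anything there starts at logon.
    for key in ("load", "run"):
        for value in _values(ini, "windows", key):
            if value:
                verdict = "pkasa" if value.lower().endswith(WORM_IMAGE) else "review"
                findings.append(("win.ini", "windows", key, value, verdict))
    # The worm adds its own [WORM] section; a legitimate WIN.INI has none.
    for value in _values(ini, "worm", "Name"):
        verdict = "pkasa" if value.upper() == WORM_MARKER else "review"
        findings.append(("win.ini", "WORM", "Name", value, verdict))
    return findings


def check_system_ini(text):
    ini = parse_ini(text)
    findings = []
    for value in _values(ini, "boot", "SCRNSAVE.EXE"):
        if value.lower().endswith(WORM_SCREENSAVER):
            findings.append(("system.ini", "boot", "SCRNSAVE.EXE", value, "pkasa"))
    return findings


# Constructed sample files mirroring the entries described on this page.
WIN_INI_SAMPLE = r"""
[windows]
load=C:\WINDOWS\Kernelw32.exe
run=
NullPort=None
[Desktop]
Wallpaper=(None)
[WORM]
Name=I-WORM.PERKASA
Author=Iwing/Indovirus
"""

SYSTEM_INI_SAMPLE = r"""
[boot]
shell=Explorer.exe
SCRNSAVE.EXE=C:\Windows\Blank.scr
[386Enh]
device=*vmcpd
"""

CLEAN_SYSTEM_INI = r"""
[boot]
shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\Flying Windows.scr
"""

if __name__ == "__main__":
    for finding in check_win_ini(WIN_INI_SAMPLE) + check_system_ini(SYSTEM_INI_SAMPLE):
        print(finding)
```

A screensaver named BLANK.SCR is also a generic name, so the SYSTEM.INI hit should be confirmed by the file's length (127,488 bytes) or by a scan with the DATs named above before cleaning by hand.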

The worm drops a ZIP compression utility as C:\ZIP.COM (written out via a DEBUG script). A batch file (T.BAT) is dropped in %WinDir% which uses this utility to create the ZIP archive. NB: the exact filename of the archive and of the copy of the worm in C:\ may change.

@echo off
C:\ZIP.COM -a -eX C:\FREEPIC.ZIP C:\Sexy.exe

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

