Prevent Online Threats

Archive for December, 2006

I-Worm.Thonic

Friday, December 29th, 2006

Details
I-Worm.Thonic.a

This worm spreads via the Internet as an attachment to infected messages.
The worm itself is a Windows PE EXE file, and it is 5482 bytes in size.
It searches for and infects PE files with the extensions .exe, .cpl and .scr.
The worm intercepts calls to the Windows API functions WinExec, MoveFile and SetCurrentDir. When one of them is called, the worm searches for files and infects them.
When infecting files, the worm writes itself to the end of the files under the name .Nameles.
It cannot spread independently by email.
Propagation via email is carried out by a VBS script. The script is 875 bytes in size and is saved as C:\VQmSXjvyc.vbs.
The executable file infects notepad.exe and copies it to the C: root directory as funnystuff.avi.exe.
The script then executes, sending the file funnystuff.avi.exe by mail.
It contains the text:
Win32.Nameless Mist - AzagTH0TH
Infected messages:
Infected messages have the following attributes:
Message header:
Free MyDoom.B Patch !
Message body:
Very urgent !
You should run this patch to protect your Windows OS immediately to
avoid this danger virus variant.

Thank You,

Microsoft Technical
Support Staff

Any rights not expressly granted herein are reserved.

Contact Microsoft with questions or problems.

(c) 2004 Microsoft Corporation. All rights reserved
Attachment name:
C:\funnystuff.avi.exe
The worm is activated only if the user launches the infected file by double-clicking the attachment. It then infects executable system files.
It uses Windows MAPI to send messages.
Message mailing
When sending infected messages, the worm accesses MS Outlook and sends itself to all addresses harvested from the address book.

I-Worm.Tanatos

Friday, December 29th, 2006

Details
I-Worm.Tanatos.b
Tanatos.b (aka Bugbear.b) is a worm virus spreading via the Internet as an email attachment. The worm also infects Windows EXE files, spreads over local networks and has a built-in backdoor routine.
The worm itself is a Windows PE EXE file about 72KB in length, compressed by UPX and additionally encrypted on top of the UPX compression. The decompressed size is about 170KB. The worm’s code is written in Microsoft Visual C++.
Tanatos.b has the following text strings in its body:
w32shamur
W32.Shamur
tanatos

Installing
While installing, the worm copies itself to the Windows start-up directory under a random name. No registry keys are affected.
The worm also creates the following files in the Windows system directory:
gpflmvo.dll - keylogger DLL (about 6K of size)
zpknpzk.dll - its internal data file
shtchs.dll - its internal data file

Tanatos also creates the following file in the Windows directory: %rnd name%.dat - its internal data file

and the following file in the Temp directory:
vba%rnd%.tmp - installed worm copy

Spreading
To send infected messages the worm uses a built-in SMTP engine. The worm searches for victim email addresses in the following files on the available disks:
*.ODS, INBOX.*, *.MMF, *.NCH, *.MBX, *.EML, *.TBB, *.DBX

The infected messages have different Subject, Body, and File Attachment names that are selected from many variants:
Subject:

The file attachment name is randomly selected by several methods:
1. The worm looks for *.INI files in ??? and, if a “%filename%.INI” file is found, sends itself with the name “%filename%.%ext%”, where %ext% is randomly selected from the list: “.scr”, “.pif”, “.exe”.

2. The worm randomly selects attached file names from the following variants:
readme, Setup, Card, Docs, news, image, images, pics, resume, photo, video, music, song, data

The file name extension is also randomly selected from the same variants:
“.scr”, “.pif”, “.exe”.

3. The worm looks for *.BMP, *.DOC, *.GIF, *.JPG, *.RTF and other files and uses their full names as the %filename% for the infected attachment. In this case they have double extensions, for example:
doc1.doc.exe
euro.gif.scr
table.xls.pif

4. “setup.exe”
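
The attachment naming methods above are what a mail gateway or mailbox scan can key on. The following is an added example for this page (not code from the original description or from any anti-virus vendor) that classifies attachment names according to the three patterns listed: an executable extension from the worm’s set, a document-looking double extension, and a generic lure stem such as “setup”. The sample message list is constructed; only the extensions and stems come from the description.

```python
from pathlib import PureWindowsPath

# Extensions the description says the worm uses for its attachment.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif"}
# Document types whose names the worm borrows to build double extensions.
DOCUMENT_EXTS = {".doc", ".xls", ".gif", ".jpg", ".bmp", ".rtf"}
# Generic lure names from method 2 (compared case-insensitively).
GENERIC_STEMS = {"readme", "setup", "card", "docs", "news", "image", "images", "pics",
                 "resume", "photo", "video", "music", "song", "data"}


def classify_attachment(name):
    """Return the reasons an attachment name looks like one of the worm's lures.
    An empty list means none of the three patterns matched."""
    reasons = []
    p = PureWindowsPath(name.strip())
    suffixes = [s.lower() for s in p.suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return reasons  # only the executable types the worm uses are of interest here
    reasons.append("executable attachment (%s)" % suffixes[-1])
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        reasons.append("double extension disguises executable as %s" % suffixes[-2])
    # Compare the bare stem (text before the first dot) with the lure names.
    stem = p.name.lower().split(".")[0]
    if stem in GENERIC_STEMS:
        reasons.append("generic lure name '%s'" % stem)
    return reasons


# Constructed sample messages: attachment names from the description plus two benign ones.
SAMPLE_MESSAGES = [
    {"subject": "re: docs", "attachments": ["doc1.doc.exe"]},
    {"subject": "pictures", "attachments": ["euro.gif.scr", "holiday.jpg"]},
    {"subject": "install", "attachments": ["setup.exe"]},
    {"subject": "report", "attachments": ["quarterly.pdf"]},
]


def scan_messages(messages):
    """Return (subject, attachment, reasons) for every flagged attachment."""
    hits = []
    for msg in messages:
        for att in msg["attachments"]:
            reasons = classify_attachment(att)
            if reasons:
                hits.append((msg["subject"], att, reasons))
    return hits


if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_MESSAGES):
        print(hit)
```

Blocking every executable attachment outright is the usual gateway policy; the finer reasons returned here are useful when such a policy cannot be applied and a reviewer needs to see why a name was held back.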

Some of the infected emails use the IFrame security breach, which runs the attachment as soon as the infected email is opened. In the remaining messages the worm activates only when a user clicks on the attached file.
Infecting EXE files
While infecting a file the worm writes itself to the end of the file. The worm’s copy is “incorporated” into the victim machine’s file structure as a “standard” .EXE file in the “Program Files” directory. Copy names include:
winzip\winzip32.exe
kazaa\kazaa.exe
ICQ\Icq.exe
DAP\DAP.exe
Winamp\winamp.exe
AIM95\aim.exe
Lavasoft\Ad-aware 6\Ad-aware.exe
Trillian\Trillian.exe
Zone Labs\ZoneAlarm\ZoneAlarm.exe
StreamCast\Morpheus\Morpheus.exe
QuickTime\QuickTimePlayer.exe
WS_FTP\WS_FTP95.exe
MSN Messenger\msnmsgr.exe
ACDSee32\ACDSee32.exe
Adobe\Acrobat 4.0\Reader\AcroRd32.exe
CuteFTP\cutftp32.exe
Far\Far.exe
Outlook Express\msimn.exe
Real\RealPlayer\realplay.exe
Windows Media Player\mplayer2.exe
WinRAR\WinRAR.exe
adobe\acrobat 5.0\reader\acrord32.exe
Internet Explorer\iexplore.exe

in Windows directory:
winhelp.exe
notepad.exe
hh.exe
mplayer.exe
regedit.exe
scandskw.exe

Infecting - networks
The Tanatos.b worm enumerates all network resources, then copies itself to the startup folders of the available resources (drives) using random .EXE names or the name “setup.exe”. The worm also looks for “standard” .EXE files (the same list as above) on shared drives and infects them.
Backdoor
Tanatos.b opens port 1080 and, on commands from its master:
- reports disk and file info
- copies, deletes requested file
- reports active applications
- terminates requested application
- runs local file by master’s request
- receives a file from master and runs it
- logs keyboard and sends it to master
- opens HTTP server

Other
Tanatos.b terminates active debuggers, anti-virus and firewall processes:
ZONEALARM.EXE WFINDV32.EXE WEBSCANX.EXE VSSTAT.EXE VSHWIN32.EXE VSECOMR.EXE
VSCAN40.EXE VETTRAY.EXE VET95.EXE TDS2-NT.EXE TDS2-98.EXE TCA.EXE
TBSCAN.EXE SWEEP95.EXE SPHINX.EXE SMC.EXE SERV95.EXE SCRSCAN.EXE
SCANPM.EXE SCAN95.EXE SCAN32.EXE SAFEWEB.EXE RESCUE.EXE RAV7WIN.EXE
RAV7.EXE PERSFW.EXE PCFWALLICON.EXE PCCWIN98.EXE PAVW.EXE PAVSCHED.EXE
PAVCL.EXE PADMIN.EXE OUTPOST.EXE NVC95.EXE NUPGRADE.EXE NORMIST.EXE
NMAIN.EXE NISUM.EXE NAVWNT.EXE NAVW32.EXE NAVNT.EXE NAVLU32.EXE
NAVAPW32.EXE N32SCANW.EXE MPFTRAY.EXE MOOLIVE.EXE LUALL.EXE LOOKOUT.EXE
JEDI.EXE IOMON98.EXE IFACE.EXE ICSUPPNT.EXE ICSUPP95.EXE ICMON.EXE
ICLOADNT.EXE ICLOAD95.EXE IBMAVSP.EXE IBMASN.EXE IAMSERV.EXE IAMAPP.EXE
FRW.EXE FPROT.EXE FP-WIN.EXE FINDVIRU.EXE F-STOPW.EXE F-PROT95.EXE
F-PROT.EXE F-AGNT95.EXE ESPWATCH.EXE ESAFE.EXE ECENGINE.EXE DVP95_0.EXE
DVP95.EXE CLEANER3.EXE CLEANER.EXE CLAW95CF.EXE CLAW95.EXE CFINET32.EXE
CFINET.EXE CFIAUDIT.EXE CFIADMIN.EXE BLACKICE.EXE BLACKD.EXE AVWUPD32.EXE
AVWIN95.EXE AVSCHED32.EXE AVPUPD.EXE AVPTC32.EXE AVPM.EXE AVPDOS32.EXE
AVPCC.EXE AVP32.EXE AVP.EXE AVNT.EXE AVKSERV.EXE AVGCTRL.EXE
AVE32.EXE AVCONSOL.EXE AUTODOWN.EXE APVXDWIN.EXE ANTI-TROJAN.EXE ACKWIN32.EXE
_AVPM.EXE _AVPCC.EXE _AVP32.EXE LOCKDOWN2000.EXE

The Tanatos.b worm also gets cached passwords and sends them to its “master”.

I-Worm.Talor

Friday, December 29th, 2006

Details
I-Worm.Talorm
Talorm is a worm virus spreading via the Internet as an attachment to infected emails and via IRC channels. The worm itself is a CHM file (compressed HTML file) about 17KB in length.
Infected messages have the following features:
The Subject Line text is randomly selected from the following variants:
- Fotos de Thalia
- Free Pics
- Fotos XXX de Thalia
- Fotos Exitantes de Thalia

The body text is randomly selected from the following variants:
- Checa estas fotos de Thalia
- Hola que tal? ya viste las super fotos exitantes de Thalia
- Como tas! aqui te mando unas fotos de Thalia
- Para mis mejores Amigos fotos de Thalia
- Fotos XXX de Thalia
- unas fotos bien padres de Thalia
- Imagenes insolitas de Thalia
- Apuesto a que no has visto desnuda a Thalia
- HOLA! TE RETO A CHECAR ESTAS FOTOS BIEN CHIDAS DE Thalia
- Fotos Exitantes de la cantante Thalia

Attach: Thalia.chm

An example of a “Talorm” email message:

The worm activates from infected emails only when a user clicks on the attached file. If this happens Talorm then installs itself to the system and runs its spreading routine.
The worm then overwrites a registry key with new text:
HKLM\Software\Microsoft\Windows\CurrentVersion
RegisteredOwner = “Thalia”

and displays the message:

Installing
While installing the worm copies itself to the Windows directory with the “Thalia.chm” name and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Thalia = %WinDir%\Thalia.CHM

Spreading: EMail
To send infected messages the worm uses MS Outlook and sends messages to all addresses found in each victim machine’s Outlook address book.
Spreading: IRC
The worm looks for the mIRC subdirectory in the “Program Files” directory and writes a new “script.ini” file to this location. This script file has instructions that send worm copies to every user who joins an infected IRC channel.

I-Worm.Sysno

Friday, December 29th, 2006

Details
I-Worm.Sysnom

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 21Kb in length (compressed by UPX, decompressed size is about 45K), and is written in Visual Basic.
Infected messages contain:
Subject: Good News
Attachment: SoftwareKey.exe
The body is selected from the following three variants:
Wanna remove the I-worms CodeRed, BadTrans, Goner, Updater, etc?
Good news for you because we’re giving you a software which removes the latest internet worms in your pc.
Included is your free software from AVP.
Hi! You are a winner of a trip to Iceland.
Included in this message is a software which can help you claim your prize.
See you there!!! Iceland.com
Hi! You have just won yourself a plane ticket to Bali, Indonesia!
Click the attachment to see how to claim your price.
This message is courtesy of YouCanSeeTheWorld.com.
The worm is activated from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, copying itself to the C:\WINDOWS directory under the following names:
C:\WINDOWS\SoftwareKey.exe
C:\WINDOWS\SYSNOM.EXE
C:\WINDOWS\SCANREGW.EXE (the original SCANREGW file is overwritten by the worm copy)
and registers one file in the system registry auto-run key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run System Monitor = c:\WINDOWS\SYSNOM.EXE
The worm then displays the following message:

and starts its e-mail spreading routine. To send infected messages, the worm uses MS Outlook, sending messages to all addresses found in the Outlook address book.
The worm then opens the “http://www.avp.ch” site with IEXPLORER.EXE, and starts a DoS attack on the “indovirus.8m.com” site.
The worm does not manifest itself in any other ways.

I-Worm.Sysi

Friday, December 29th, 2006

Details
I-Worm.Sysid

This is an Internet worm that spreads in infected e-mails by using MS Outlook. The worm itself is a Windows executable written in Delphi and compressed with the ASPack PE EXE compression utility. The worm’s file size (compressed) is about 200K; the original (uncompressed) size is about 400K.
The worm installs itself into the system, and then periodically accesses MS Outlook and sends infected messages. There are no payload routines found in the worm code.
The worm hides its activity by pretending to be a “Personal ID Generator” utility. This utility uses strings in a Chinese encoding, so it is not displayed correctly under non-Chinese Windows.
While the worm displays the “Personal ID Generator” window, it installs itself into Windows. To do this, it gets the names of the Windows and Windows system directories and copies itself there with the “SYSID.EXE” name. If the worm cannot detect the Windows directory, it uses hard-coded names:
C:\WINNT\SYSTEM32\SYSID.EXE
C:\WINNT\SYSID.EXE
C:\WINDOWS\SYSTEM\SYSID.EXE
C:\WINDOWS\SYSID.EXE
To run each time Windows starts, the worm registers its copy in the system registry in the auto-run section:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WindowsVersion = “sysid”
The worm uses a trick to hide this record. Upon being activated, the worm deletes that record from the registry, and upon exiting, restores it. To stay active as long as possible, the worm leaves its copy in Windows memory as a hidden application (service). So the worm is active up to the moment Windows is shut down, and the worm’s record in the system registry is not visible. At the moment Windows is shut down, the worm restores the registry record.
As a result, the worm record cannot be read by standard RegEdit - it simply does not exist once Windows has completed its start-up procedure and up to the moment Windows is rebooted:
Upon each restart, Windows gets a worm file name from the system registry and runs it; the worm then deletes that record and stays in the system memory awaiting Windows restart. At that moment, the worm’s registry record does not exist.
Upon Windows shut down, the worm restores its registry record, and it is ready to run the worm again upon the next Windows restart. At that moment, the registry record exists, but it cannot be read by standard utilities.
To spread via e-mail messages, the worm runs a helper file. This file is a Visual Basic Script application, created by the worm in the Windows system directory with the WINVER.VBS name. The VBS program in this file gains access to MS Outlook, obtains randomly selected names from the AddressBook, and creates and sends messages to these addresses. The number of addresses targeted depends on the total number of addresses in the AddressLists. If there are fewer than 200 addresses, the worm sends messages to 10% of them; otherwise (more than 200 addresses) the worm sends infected e-mails to 2% of them.
The infected message body is empty. The message Subject is randomly selected from all subject variants found in the “Sent items” Outlook list.
The message has four attached files. First is the worm EXE copy with a name randomly selected from 100 variants (see below); second, the attached file is randomly selected from .JPEG, .JPG, .DOC and .XLS files found in “C:\My Documents\” folder. Two other attached files are e-mail messages randomly selected from the “Sent items” list.
The list of possible worm EXE names appears as follows:
pdd2000.exe
Tools.exe
Pcc99.exe
98fix.exe
Book.exe
Phone.exe
Car.exe
Game.exe
Office98fix.exe
Graphics.exe
ScreenSaver.exe
Joke.exe
Window.exe
Mp3Player.exe
WinAmp.exe
Mouse.exe
FTP_Pro.exe
WWW.exe
Ghost7.exe
MazeGame.exe
3DS.exe
Source.exe
Action.exe
Color.exe
Color_Joke.exe
GameStyle.exe
HAHA.exe
MyResume.exe
EasyGame.exe
Jonny.exe
BallGame.exe
MazeGame.exe
MAC9.exe
Desk_Demo.exe
Girl.exe
GirlGame.exe
GoodGame.exe
FreedMan.exe
Hurry Up.exe
Take a Rest.exe
Take Easy.exe
Do not over time.exe
Meeting.exe
Milk.exe
PlayBoy.exe
BadGirl.exe
BadBoy.exe
PenHouse.exe
Tape.exe
Display.exe
Click Me.exe
Apple.exe
New Product Show.exe
My Resume.exe
Boss Game.exe
Boy and Girl.exe
WinZip9.exe
Good Job.exe
New Language.exe
Key User.exe
My Letter.exe
My Sister.exe
My Mother.exe
My Father.exe
My Picture.exe
Merry.exe
Happy.exe
Happy New Year.exe
How Are You.exe
586 Tech.exe
Cell Phone.exe
Sex Picture.exe
The Young King.exe
Oscar.exe
The Happy Prince.exe
The Star Child.exe
Question.exe
Issues For Today.exe
Acknowledgments.exe
Game99.exe
True or False.exe
Good Art.exe
News.exe
Stock News.exe
Music.exe
MP3.exe
Choose Games.exe
Life-Styles.exe
Life-Cycles.exe
Sometimes.exe
Summary.exe
Market.exe
MP3 Tools.exe
Cheat.exe
New Joke.exe
New System.exe
New Job.exe
New Chance.exe
Make More Money.exe
Help Yourself.exe

I-Worm.SysCloc

Friday, December 29th, 2006

Details
I-Worm.SysClock

This is an Internet worm (virus of the worm type) spreading via e-mails and IRC channels, infecting files on local computers and spreading itself across a local network. It also steals system passwords (PWL files) from infected computers and has many harmless and dangerous payload routines. The worm itself is an approximately 80Kb Win32 (PE EXE - Portable Executable) program written in Delphi; the “pure” worm code occupies about 20Kb and the rest is Delphi runtime library code, data, and the program’s miscellaneous information.
The worm arrives as an e-mail with a fake message (see below) and an attached PKZIP.EXE file that is the worm program itself. When the worm is executed, it installs itself into the system, infects files on a local drive, infects available logical drives, infects an installed mIRC client, and sends infected e-mails by using the Eudora mail system.
Installing into the system
To install itself into the system, the worm copies itself with the KERNEL.EXE name into the Windows directory (on Win95/98 machines) or to the Windows system directory (on WinNT), and registers itself in the system registry auto-run key:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysClock=kernel.exe

The worm also has an additional installation routine that installs the worm copies to all available drives. This routine is described below.
Infecting a computer
The worm is able to infect about 40 files on a computer, and infects no more than four files on each run. The worm infects files in the Windows directory:
NOTEPAD.EXE, CALC.EXE, DEFRAG.EXE, SCANDSKW.EXE, WRITE.EXE, WINIPCFG.EXE,
SCANREGW.EXE, DRWTSN32.EXE, NTBACKUP.EXE, REGEDT32.EXE, TASKMGR.EXE,
USRMGR.EXE

The worm then infects the programs associated with the following registry keys:
SOFTWARE\Classes\Access.Application.8 \shell\open\command
SOFTWARE\Classes\AudioCD \shell\play\command
SOFTWARE\Classes\AVIFile \shell\play\command
SOFTWARE\Classes\cdafile \shell\play\command
SOFTWARE\Classes\Chat \shell\open\command
SOFTWARE\Clients\News\Forte Agent \shell\open\command
SOFTWARE\Classes\Excel.Sheet.8 \shell\open\command
SOFTWARE\Classes\ftp \shell\open\command
SOFTWARE\Classes\giffile \shell\open\command
SOFTWARE\Classes\hlpfile \shell\open\command
SOFTWARE\Classes\Eudora \DefaultIcon
SOFTWARE\Classes\Eudora \shell\open\command
SOFTWARE\Classes\Microsoft Internet Mail Message \shell\open\command
SOFTWARE\Classes\Microsoft Internet News Message \shell\open\command
SOFTWARE\Classes\MOVFile \shell\open\command
SOFTWARE\Classes\Msi.Package \shell\open\command
SOFTWARE\Classes\pcANYWHERE32 \shell\open\command
SOFTWARE\Classes\QuickView \shell\open\command
SOFTWARE\Classes\RealPlayer.RAM.6 \shell\open\command
SOFTWARE\Classes\Winamp.File \shell\open\command
SOFTWARE\Classes\Unfinished Download \shell\open\command
SOFTWARE\Classes\UltraEdit-32 Document \shell\open\command
SOFTWARE\Classes\Whiteboard \shell\open\command
SOFTWARE\Classes\vcard_wab_auto_file \shell\open\command
SOFTWARE\Ulead Systems\Ulead PhotoImpact\4.0\Path\IeEdit.exe
SOFTWARE\KasperskyLab\Components\102\EXEName

While infecting each file, the worm uses the companion infection method: it renames the victim file to a random eight-character name with the .EXE extension (for example: GTGUQPPA.EXE, XOHSKVXQ.EXE, etc.) and places itself under the name of the original file. As a result, the worm copy is executed each time a user or the system runs the infected file.
To return control to the host file, the worm stores the file names in the registry key HKCU\AppEvents\Schemes\Apps\.Default\SystemStart\Windows, for example:
C:\WIN95\calc.exe “gtguqppa.exe”
C:\WIN95\mplayer.exe “xohskvxq.exe”
etc.

This information can be used to disinfect the computer.
To detect already infected files, the worm uses the FileVersion that is stored in PE EXE file resources. In infected files, this variable is set to “1.3.5.7”.
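
Because the worm records every original-name/companion-name pair in that registry value, the pair list is enough to reverse the companion infection: delete the worm copy that sits under the original name and rename the displaced host file back. The following is an added example for this page (not the original description’s or any vendor’s disinfection tool) that parses lines in the stored format and rehearses the restore on a scratch directory standing in for the C: drive. The mapping text and the scratch files are constructed; the regex accepts both straight and typographic quotes around the companion name, since the value as stored would use straight quotes.

```python
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample in the format of the stored registry value:
# "<original path> "<random companion name>"", one pair per line.
SAMPLE_MAPPING = '''
C:\\WIN95\\calc.exe "gtguqppa.exe"
C:\\WIN95\\mplayer.exe "xohskvxq.exe"
'''

MAP_RE = re.compile(r'^\s*(?P<path>[A-Za-z]:\\[^"“]+?)\s+["“](?P<companion>[^"”]+)["”]\s*$')


def parse_companion_map(text):
    """Return (infected_path, companion_name) pairs found in the mapping text."""
    pairs = []
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            pairs.append((m.group("path"), m.group("companion")))
    return pairs


def to_local(root, win_path):
    """Map C:\\WIN95\\calc.exe onto <root>/WIN95/calc.exe so the restore can run
    against a mounted image or a scratch tree instead of the live drive."""
    return Path(root).joinpath(*PureWindowsPath(win_path).parts[1:])


def restore_companions(root, pairs, dry_run=False):
    """Undo the companion infection for each pair. The worm copy under the
    original name is only removed when the displaced host file is present, so
    a damaged mapping never deletes the only remaining copy of a program.
    Returns (restored_paths, skipped_pairs)."""
    restored, skipped = [], []
    for win_path, companion in pairs:
        worm_copy = to_local(root, win_path)
        host = worm_copy.with_name(companion)
        if not host.is_file():
            skipped.append((win_path, "companion file missing; worm copy left in place"))
            continue
        if not dry_run:
            if worm_copy.exists():
                worm_copy.unlink()
            host.rename(worm_copy)
        restored.append(win_path)
    return restored, skipped


def build_sample_tree(root):
    """Constructed scratch tree mimicking an infected C:\\WIN95 directory."""
    d = Path(root) / "WIN95"
    d.mkdir(parents=True, exist_ok=True)
    (d / "calc.exe").write_bytes(b"WORM")            # worm copy under the host's name
    (d / "gtguqppa.exe").write_bytes(b"ORIGINAL CALC")  # displaced host file
    (d / "mplayer.exe").write_bytes(b"WORM")
    # xohskvxq.exe is deliberately absent: the restore must skip it, not delete mplayer.exe


def demo():
    """Run the restore on a temporary tree; returns (restored, skipped, calc_bytes)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        restored, skipped = restore_companions(tmp, parse_companion_map(SAMPLE_MAPPING))
        calc = (Path(tmp) / "WIN95" / "calc.exe").read_bytes()
        return restored, skipped, calc


if __name__ == "__main__":
    print(demo())
```

On a real system the mapping would be exported from the registry key named above and the restore pointed at the drive root; the FileVersion marker “1.3.5.7” in the PE resources can serve as a cross-check that a file under an original name is indeed the worm before it is deleted.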
Infecting local and network drives
The worm also copies itself to, and “registers” itself on, the available logical drives: removable, fixed and network. While infecting removable drives, the worm looks for the AUTOEXEC.BAT file on them, adds an instruction to run the PKZIP.EXE file upon loading from the drive, and copies itself to the drive under the PKZIP.EXE file name.
Upon infecting hard drives, the worm looks for the PKZIP.EXE file in the root directories of these drives and copies itself under this name if no such file exists there. To run this file, the worm creates the AUTORUN.INF file on the drive and writes to it a block of instructions that runs the PKZIP.EXE file (worm copy) upon the next Windows start-up:
[autorun]
open=pkzip.exe

While infecting a remote drive, the worm first checks the drive for write permission. To do this, the worm creates the TEMP9385.058 file there and deletes it. If no errors occur during this operation, the worm continues spreading to the drive. It copies itself there under the PKZIP.EXE name and creates the AUTORUN.INF file in the same way as when affecting fixed drives on the local computer. In addition, the worm looks for \Windows and \WinNT directories on the drive and registers its PKZIP.EXE copy in the “run” instruction of the [windows] section of WIN.INI. This operation also causes the worm copy to execute on the next Windows start-up.
While infecting network drives, the worm also overwrites the following executable files, if they exist, with its copy:
Acrobat3\Reader\Acrord32.exe
Eudora95\Eudora.exe
Program Files\Microsoft Office\Office\Outlook.exe
Program Files\Internet Explorer\Iexplore.exe
Program Files\WinZip\WinZip32.exe
Program Files\Microsoft Office\Office\WinWord.exe
Program Files\Netscape\Program\Netscape.exe
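
Both persistence tricks described above (an AUTORUN.INF whose open= line points at a file in the drive root, and a run= entry in the [windows] section of WIN.INI) are plain INI text, so a drive audit can parse them. The following is an added example for this page, not code from the original description: it pulls the launch entries out of each file so that an unexpected program such as pkzip.exe stands out. The file contents are constructed after what the description says the worm writes.

```python
import configparser
import re

# Constructed samples modelled on the description.
AUTORUN_INF = "[autorun]\nopen=pkzip.exe\n"
WIN_INI_INFECTED = "[windows]\nload=\nrun=C:\\PKZIP.EXE\n[Desktop]\nWallpaper=(None)\n"
WIN_INI_CLEAN = "[windows]\nload=\nrun=\n"


def _parse(text):
    # Legacy INI files: '=' only, no interpolation, tolerate duplicates and odd casing.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def autorun_launchers(inf_text):
    """Programs an AUTORUN.INF would start (open= and shellexecute= lines).
    A fixed or network drive normally has no AUTORUN.INF at all."""
    cp = _parse(inf_text)
    if not cp.has_section("autorun"):
        return []
    return [cp["autorun"][k] for k in ("open", "shellexecute") if cp["autorun"].get(k)]


def winini_run_entries(ini_text):
    """Programs listed in the load= and run= lines of the [windows] section of
    WIN.INI, which Windows starts at logon. An empty list is the clean state."""
    cp = _parse(ini_text)
    if not cp.has_section("windows"):
        return []
    entries = []
    for key in ("load", "run"):
        value = cp["windows"].get(key, "")
        entries += [e.strip() for e in re.split(r"[ ,]+", value) if e.strip()]
    return entries


def audit_drive(autorun_text, winini_text):
    """Combine both checks into findings for one drive."""
    findings = []
    for prog in autorun_launchers(autorun_text):
        findings.append(("AUTORUN.INF", prog))
    for prog in winini_run_entries(winini_text):
        findings.append(("WIN.INI [windows] run/load", prog))
    return findings


if __name__ == "__main__":
    for finding in audit_drive(AUTORUN_INF, WIN_INI_INFECTED):
        print(finding)
```

Any finding from these two functions is worth a look on a server share or a workstation’s fixed drive, because neither file should launch anything there in the first place.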

Infecting mIRC client and spreading via IRC channels
This routine is executed depending on the system time, not each time the infected file runs. It looks for an installed mIRC client by checking for its script file in the following directories:
C:\MIRC\SCRIPT.INI
C:\MIRC32\SCRIPT.INI
C:\Program Files\MIRC\SCRIPT.INI
C:\Program Files\MIRC32\SCRIPT.INI

If no such file exists, the worm exits the infection routine. Otherwise it overwrites the SCRIPT.INI file with an instruction that sends the C:\PKZIP.EXE file to everybody entering the affected channel.
Sending infected emails
This routine is executed depending on the system time, as is the mIRC infection routine. First the worm gets the Eudora directory name by accessing the registry key Software\Qualcomm\Eudora\CommandLine. The worm then scans the Eudora outgoing mail database (the OUT.MBX files), gets addresses from there and stores them in the list the infected message will be sent to. It seems that the worm also adds the “support@microsoft.com” email address to this list.
The worm then prepares the C:\USER.MSG file that is later used to initialize the Eudora sendmail system. The worm writes to it all the data necessary to send the message with the infected attachment:
To: addresses list from OUT.MBX file, plus “support@microsoft.com”
Subject: here’s what u requested
X-Attachments: c:\pkzip.exe;
Message body:
You had requested this a while back, so here you are.
enjoy.

The worm then opens the C:\USER.MSG file by a Windows function that activates Eudora sendmail.
Stealing password files
While installing into the system and infecting files, the worm also looks for Windows password files (.PWL files), reads the password data from them and attaches it to the infected file body.
The worm does not send the passwords to any Internet address, but just keeps them attached to the infected files. As a result, the stolen passwords leave the computer only if the worm spreads its copies to the Internet or IRC channels.
Payload routines
The worm has many payload routines that are activated depending on the system date and time. Through these routines the worm:
- Halts the computer by launching an unlimited number of threads.
- Overwrites the \.DEFAULT\Software\Microsoft\RegEdt32\Settings registry key with the “AutoRefresh=0” value.
- Changes the Internet Explorer settings. By rewriting the SOFTWARE\Microsoft\Internet Explorer\Main registry keys the worm sets the “Start Page” to “http://www.whitehouse.com/” and the “Search Page” to “http://www.bigboobies.com”, and disables Internet cache updating.
By rewriting the \SOFTWARE\Microsoft\Internet Explorer\SearchUrl and \SOFTWARE\Microsoft\Internet Explorer\TypedURLs registry keys the worm puts the “http://www.gayextreme.com/queer/handle-it.html” Web page in the first position of the recently used Web pages and sets “SearchURL” to “http://www.fetishrealm.com/fatgirls/pic3.htm”;
- By rewriting the \Software\Mirabilis\ICQ\Bookmarks registry key, sets:
“Main Page” to “http://www.biggfantac.com/terra/index.html”,
“Customer Support” to “http://www.pornoparty.net”
“Menu” to “http://www.gayextreme.com/queer/handle-it.html”

- Deletes all keys from
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ or
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
- Sets Windows settings:
RegisteredOwner = “Idiot with a Virus”
RegisteredOrganization and ProductID = “Registry Rage Virus L1999″

- Creates the C:\POEM1.TXT or C:\POEM2.TXT file, writes one of the texts below to it, and opens it with NOTEPAD.EXE. The texts are as follows:
To earn for the body and the mind whatever adheres and goes forward
and is not dropt by death;
I will effuse egotism and show it underlying all, and I will be the
bard of personality,
And I will show of male and female that either is but the equal of
the other,
And I will show that there is no imperfection in the present, and
can be none in the future,
And I will show that whatever happens to anybody it may be turn’d to
beautiful results,
And I will show that nothing can happen more beautiful than death all
- Walt Whitman
Nothing divine dies. All good is eternally reproductive. The beauty of
nature reforms itself in the mind, and not for barren contemplation,
but for new creation.
All men are in some degree impressed by the face of the world; some men
even to delight. This love of beauty is Taste. Others have the same love
in such excess, that, not content with admiring, they seek to embody
it in new forms. The creation of beauty is Art.
- Ralph Waldo Emerson

The worm’s payload routines also erase or modify miscellaneous Windows settings, minimize Backup and ScanDisk settings, erase the Registry backup, etc.

I-Worm.Swe

Friday, December 29th, 2006

Details
I-Worm.Swen

Swen is a very dangerous worm-virus that spreads across the Internet via email (in the form of an infected file attachment), the Kazaa file sharing network, IRC channels, and open network resources.
Swen is written in Microsoft Visual C++ and is 105KB (106496 Bytes) in size.
The worm activates when a victim launches the infected file (double-clicking on the file attachment) or when the victim machine’s email application is vulnerable to the IFrame.FileDownload vulnerability (also exploited by the Internet worms Klez and Tanatos). Once run, Swen installs itself in the system and begins its propagation routine.
You can download the patch released in March 2001 for the IFrame vulnerability: Microsoft Security Bulletin MS01-20.
The worm blocks many anti-virus programs and firewalls. Its algorithm and parts of the code text are almost identical to that of another Internet worm called I-Worm.Gibe, although the programming language used is different.

Installation
When first launched, the worm may display the “Microsoft Internet Update Pack” message box. Then it imitates patch installation:

The worm then copies itself under one of the names below into the Windows directory. The name may consist of several parts.
First possibility:
Kazaa Lite
KaZaA media desktop
KaZaA
WinRar
WinZip
Winamp
Mirc
Download Accelerator
GetRight FTP
Windows Media Player

Key generator
Hack
Hacked
Warez
Upload
Installer
Upload
Installer
Second possibility:
Bugbear
Yaha
Gibe
Sircam
Sobig
Klez
Remover
RemovalTool
Cleaner
Fixtool
Third possibility:
Aol Hacker
Yahoo Hacker
Hotmail Hacker
10.000 Serials
Jenna Jameson
Hardporn
Sex
Xbox Emulator
Emulator Ps2
Xp Update
Xxx Video
Sick Joke
Xxx Pictures
My Naked Sister
Hallucinogenic Screensaver
Cooking With Cannabis
Magic Mushrooms Growing
Virus Generator
The new file is registered in the Windows system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
random sequence= %windir%\file name autorun
An identification key is created, which contains the worms’ configuration settings:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer
random sequence
The worm then creates a file named after the infected host machine, with a BAT extension, in the Windows folder. The file contains the following commands:
@ECHO OFF
IF NOT "%1"=="" .exe %1
The worm then changes the key values under HKLM\Software\Classes so that it is executed every time a BAT, COM, EXE, PIF, REG or SCR file is launched.
HKCR\batfile\shell\open\command
Default = %windir%\ "%1" %*

HKCR\comfile\shell\open\command
Default = %windir%\ "%1" %*

HKEY_CLASSES_ROOT\exefile\shell\open\command
Default = %windir%\ "%1" %*

HKCR\piffile\shell\open\command
Default = %windir%\ "%1" %*

HKCR\regfile\shell\open\command
Default = %windir%\ showerror

HKCR\scrfile\shell\config\command
Default = %windir%\ "%1"

HKCR\scrfile\shell\open\command
Default = %windir%\ "%1" /S
It also disables the user’s ability to edit the system registry:
HKCU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = 01 00 00 00
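
Rewriting the shell\open\command handlers is what makes Swen run ahead of every executable, so the obvious host check is to compare those handler values against their stock Windows values. The following is an added example for this page (not code from the original description or from Microsoft): a pure-Python audit over a mapping of HKCR subkey to (Default) value, plus a winreg reader that is only used on Windows. The hijacked sample is constructed; since the worm’s random file name is not given, WORMCOPY.exe stands in for it.

```python
# Stock handler commands (Windows defaults) for the seven keys the description lists.
EXPECTED = {
    r"batfile\shell\open\command":   '"%1" %*',
    r"comfile\shell\open\command":   '"%1" %*',
    r"exefile\shell\open\command":   '"%1" %*',
    r"piffile\shell\open\command":   '"%1" %*',
    r"regfile\shell\open\command":   'regedit.exe "%1"',
    r"scrfile\shell\config\command": '"%1"',
    r"scrfile\shell\open\command":   '"%1" /S',
}

# Constructed sample of the hijacked state; WORMCOPY.exe is a placeholder name.
HIJACKED = {
    r"batfile\shell\open\command":   r'%windir%\WORMCOPY.exe "%1" %*',
    r"comfile\shell\open\command":   r'%windir%\WORMCOPY.exe "%1" %*',
    r"exefile\shell\open\command":   r'%windir%\WORMCOPY.exe "%1" %*',
    r"piffile\shell\open\command":   r'%windir%\WORMCOPY.exe "%1" %*',
    r"regfile\shell\open\command":   r'%windir%\WORMCOPY.exe showerror',
    r"scrfile\shell\config\command": r'%windir%\WORMCOPY.exe "%1"',
    r"scrfile\shell\open\command":   r'%windir%\WORMCOPY.exe "%1" /S',
}


def _norm(cmd):
    # Collapse whitespace and case so cosmetic differences do not produce findings.
    return " ".join(cmd.split()).lower()


def audit_shell_commands(values):
    """Compare each handler's (Default) value with its stock value.
    values: mapping of HKCR subkey -> command string (missing keys are reported).
    Returns a list of (subkey, current_value, reason); an empty list is clean."""
    findings = []
    for subkey, expected in EXPECTED.items():
        current = values.get(subkey)
        if current is None:
            findings.append((subkey, None, "handler key missing"))
        elif _norm(current) != _norm(expected):
            findings.append((subkey, current,
                             "handler differs from stock value; something runs "
                             "before or instead of the target file"))
    return findings


def registry_tools_disabled(policy_value):
    """DisableRegistryTools under ...\\Policies\\System: a non-zero DWORD
    (the description shows 01 00 00 00, i.e. 1) blocks regedit for the user."""
    return bool(policy_value)


def read_live_values():
    """Windows only: read the same keys from HKCR. Returns {} where winreg is
    unavailable, so the audit above still imports and runs on any platform."""
    try:
        import winreg
    except ImportError:
        return {}
    out = {}
    for subkey in EXPECTED:
        try:
            out[subkey] = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, subkey)
        except OSError:
            pass
    return out


if __name__ == "__main__":
    live = read_live_values()
    for finding in audit_shell_commands(live or HIJACKED):
        print(finding)
```

The stock values listed are the Windows defaults for those file types; a legitimate third-party tool that registers its own handler will also produce a finding, so the output is a list to review, not a verdict. Any finding on the exefile key combined with DisableRegistryTools set to 1 matches the pattern this description gives.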
When first launched, the worm accesses the following remote website:
http://ww2.fce.vutbr.cz/bin/counter.gif/link=bacillus&width=6&set=cnt006
This counter indicates the number of infected computers.
When an attempt is made to execute a new copy of the worm on an already infected machine, the worm displays the following message:

The worm scans all disks for files with the extensions DBX, MDX, EML and WAB, and also for files whose extension contains HT or ASP. Swen then extracts any email addresses it can find and saves them in a file named germs0.dbv.
The worm attempts to connect to one of 350 servers identified in the file swen1.dat, in order to send infected emails. If connection is impossible the worm then displays the following error message about a MAPI 32 Exception:

and requests a correct email address, as well as a correct SMTP server.

Propagation via Email
The worm mails itself to all available addresses using a direct connection to an SMTP server. The infected emails are in HTML format and contain an attachment (the actual worm).

Sender name (consists of several parts):
Part 1:
Microsoft
MS

Part 2 (may not be used):
Corporation

Part 3 (may not be used):
Program
Internet
Network

Part 4 (always included with part 3):
Security

Part 5 (may not be used):
Division
Section
Department
Center

Part 6 (may not be used):
Public
Technical
Customer

Part 7:
Bulletin
Services
Assistance
Support
For example:
Microsoft Internet Security Section
MS Technical Assistance
Sender address (consists of 2 parts):
before “@”: random sequence (example: tuevprkpevcg-gxwi@, dwffa@);
after “@”: consists of 2 parts (though only one may be used):
news
newsletter
bulletin
confidence
advisor
updates
technet
support

msdn
microsoft
ms
msn
For example: “newsletter.microsoft” or simply “support”. If two parts are used, then they are separated by “.”, or “_”.
After the “.” the domain is either “com” or “net”.
Subject (consists of various parts):
Latest
New
Last
Newest
Current

Net
Network
Microsoft
Internet

Security
Critical

Upgrade
Pack
Update
Patch
Body:
MS Client (Client is replaced by Consumer, Partner or User, chosen at random)
this is the latest version of security update, the
"September 2003, Cumulative Patch" update which resolves
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express.
Install now to protect your computer
from these vulnerabilities, the most serious of which could
allow an attacker to run code on your system.
This update includes the functionality
of all previously released patches.

System requirements: Windows 95/98/Me/2000/NT/XP
This update applies to:
- MS Internet Explorer, version 4.01 and later
- MS Outlook, version 8.00 and later
- MS Outlook Express, version 4.01 and later

Recommendation: Customers should install the patch
at the earliest opportunity.
How to install: Run attached file. Choose Yes on displayed dialog box.
How to use: You don't need to do anything after installing this item.
Signature:
Microsoft Product Support Services and Knowledge Base articles
can be found on the Microsoft Technical Support web site.
http://support.microsoft.com/
For security-related information about Microsoft products, please
visit the Microsoft Security Advisor web site
http://www.microsoft.com/security/
Thank you for using Microsoft products.
Please do not reply to this message.
It was sent from an unmonitored e-mail address and we are unable
to respond to any replies.
----------------------------------------
The names of the actual companies and products mentioned
herein are the trademarks of their respective owners.
Attachment name:
patch[random number].exe
install[random number].exe
q[random number].exe
update[random number].exe
The actual body may be simpler than this, depending on circumstances.
In the fake bounce-message variant, the Subject may contain:
Letter
Advise
Message
Announcement
Report
Notice
Bug
Error
Abort
Failed
User Unknown
The body may contain:
Hi!
This is the qmail program
Message from [random value]
I’m sorry
I’m sorry to have to inform that
I’m afraid
I’m afraid I wasn’t able to deliver your message to the following addresses
the message returned below could not be delivered
I wasn’t able to deliver your message
to one or more destinations
In some cases the worm may send copies of itself in archived form - ZIP or RAR.
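The sender, subject and attachment vocabularies above are narrow enough to drive a mail-gateway check. The following Python is an added example, not part of the original description: it parses a raw message with the standard library, scores it against those vocabularies and the body phrases quoted above, and returns a verdict only when a matching attachment name is present. The two sample messages are constructed here; the .zip/.rar attachment extensions are an assumption, since the text says archived copies exist but does not give their names.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Vocabulary copied from the message description above.
SENDER_WORDS = {
    "microsoft", "ms", "corporation", "program", "internet", "network", "security",
    "division", "section", "department", "center", "public", "technical", "customer",
    "bulletin", "services", "assistance", "support",
}
SUBJECT_WORDS = {
    "latest", "new", "last", "newest", "current", "net", "network", "microsoft",
    "internet", "security", "critical", "upgrade", "pack", "update", "patch",
}
BODY_MARKERS = ("cumulative patch", "run attached file", "this is the qmail program")
DOMAIN_RE = re.compile(
    r"^(?:"
    r"(?:news|newsletter|bulletin|confidence|advisor|updates|technet|support)"
    r"(?:[._](?:msdn|microsoft|ms|msn))?"
    r"|(?:msdn|microsoft|ms|msn)"
    r")\.(?:com|net)$",
    re.I,
)
# .zip/.rar is an assumption: archived copies are mentioned above but not named.
ATTACH_RE = re.compile(r"^(?:patch|install|q|update)\d+\.(?:exe|zip|rar)$", re.I)


def swen_indicators(raw: bytes) -> list:
    """Return the Swen-style indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    name, addr = parseaddr(str(msg.get("From", "")))
    words = name.lower().split()
    # Display name built only from the worm's word list and starting with Microsoft/MS.
    if words and words[0] in ("microsoft", "ms") and all(w in SENDER_WORDS for w in words):
        hits.append("sender-name")
    domain = addr.rpartition("@")[2]
    if DOMAIN_RE.match(domain):
        hits.append("sender-domain:" + domain)
    subject = str(msg.get("Subject", "")).lower().split()
    if subject and all(w in SUBJECT_WORDS for w in subject):
        hits.append("subject")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content().lower() if body is not None else ""
    hits.extend("body:" + marker for marker in BODY_MARKERS if marker in text)
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if ATTACH_RE.match(filename):
            hits.append("attachment:" + filename)
    return hits


def is_swen_like(raw: bytes) -> bool:
    """Verdict: a matching attachment name plus at least two other indicators."""
    hits = swen_indicators(raw)
    return any(h.startswith("attachment:") for h in hits) and len(hits) >= 3


# Constructed sample messages (not captured from a real infection).
SWEN_SAMPLE = b"""From: "Microsoft Internet Security Section" <tuevprkpevcg-gxwi@newsletter.microsoft.com>
To: user@example.org
Subject: Latest Internet Security Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="us-ascii"

<html><body>MS User this is the latest version of security update, the
"September 2003, Cumulative Patch" update. How to install: Run attached file.</body></html>
--BOUNDARY
Content-Type: application/octet-stream; name="patch3821.exe"
Content-Disposition: attachment; filename="patch3821.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--BOUNDARY--
"""

BENIGN_SAMPLE = b"""From: "Alice Example" <alice@example.com>
To: user@example.org
Subject: Re: meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Notes attached, see you Monday.
--BOUNDARY
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY--
"""

if __name__ == "__main__":
    print(swen_indicators(SWEN_SAMPLE), is_swen_like(SWEN_SAMPLE))
    print(swen_indicators(BENIGN_SAMPLE), is_swen_like(BENIGN_SAMPLE))
```

The sender-domain indicator on its own is weak (a plain "microsoft.com" sender also matches), which is why the verdict is gated on the attachment name; the random local part of the sender address and the HTML body are what a real gateway rule would add on top.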

Propagation via Kazaa
Swen propagates via the Kazaa file-sharing network by copying itself under random names into the shared-files directory of Kazaa Lite. It also creates a randomly named subdirectory in the Windows Temp folder and places several randomly named copies of itself there.
This folder is then registered in the system registry as local content (shared files) of the Kazaa file-sharing system:
HKCU\Software\Kazaa\LocalContent
dir99 = 012345:%Windir%\%temp%\folder name
As a result, the new files created by Swen become available to other Kazaa network users.

Propagation via IRC channels
The worm checks for an installed mIRC client. If one is found, Swen modifies its script.ini file, adding its own propagation routine; the modified script.ini then sends the infected file from the Windows directory to every user who joins the IRC channel the infected client is in.

Propagation via LAN
The worm enumerates all available drives. On any network drive it finds, it copies itself under a random name into the following folders (where present):
windows\all users\start menu\programs\startup
windows\start menu\programs\startup
winme\all users\start menu\programs\startup
winme\start menu\programs\startup
win95\all users\start menu\programs\startup
win95\start menu\programs\startup
win98\all users\start menu\programs\startup
win98\start menu\programs\startup
document and settings\all users\start menu\programs\startup
document and settings\default user\start menu\programs\startup
document and settings\administrator\start menu\programs\startup
winnt\profiles\all users\start menu\programs\startup
winnt\profiles\default user\start menu\programs\startup
winnt\profiles\administrator\start menu\programs\startup

Other
The worm attempts to block the launch and operation of various anti-virus programs and firewalls whose process names contain:
_avp
ackwin32
anti-trojan
aplica32
apvxdwin
autodown
avconsol
ave32
avgcc32
avgctrl
avgw
avkserv
avnt
avp
avsched32
avwin95
avwupd32
blackd
blackice
bootwarn
ccapp
ccshtdwn
cfiadmin
cfiaudit
cfind
cfinet
claw95
dv95
ecengine
efinet32
esafe
espwatch
f-agnt95
findviru
fprot
f-prot
fprot95
f-prot95
fp-win
frw
f-stopw
gibe
iamapp
iamserv
ibmasn
ibmavsp
icload95
icloadnt
icmon
icmoon
icssuppnt
icsupp
iface
iomon98
jedi
kpfw32
lockdown2000
lookout
luall
moolive
mpftray
msconfig
nai_vs_stat
navapw32
navlu32
navnt
navsched
navw
nisum
nmain
normist
nupdate
nupgrade
nvc95
outpost
padmin
pavcl
pavsched
pavw
pcciomon
pccmain
pccwin98
pcfwallicon
persfw
pop3trap
pview
rav
regedit
rescue
safeweb
serv95
sphinx
sweep
tca
tds2
vcleaner
vcontrol
vet32
vet95
vet98
vettray
vscan
vsecomr
vshwin32
vsstat
webtrap
wfindv32
zapro
zonealarm

When any of these is launched, Swen terminates it and displays a fake error message instead.

I-Worm.Supp

Friday, December 29th, 2006

Details
I-Worm.Suppl

This is a virus-worm that spreads via the Internet attached to e-mail messages as the MS Word 97 document SUPPL.DOC. It was posted to several newsgroups in September 1999. The document was created with the Russian edition of MS Word 97, which suggests the worm originated in Russia or another ex-USSR country.
To install itself, the worm uses a method that does not work under Windows NT, so it can infect and spread only from Windows 9x systems.
The worm has a very dangerous payload: one week after infecting a computer, it erases files with the following extensions on local and remote drives:
DOC XLS TXT RTF DBF ZIP ARJ RAR

The erasing method is the same one used by the "ZippedFiles" worm, and damaged files are not recoverable.
Installing
The infected document contains a single macro, Document_Open, which runs automatically when MS Word opens the document. The macro copies the host document to the Windows system directory under the name ANTHRAX.INI, then drops its DLL component (stored inside the infected document) to the same directory as DLL.TMP. The DLL is written via a compressed temporary file, DLL.LZH.
The worm then adds rename instructions to WININIT.INI: the original WSOCK32.DLL is renamed to WSOCK33.DLL, and the worm's DLL.TMP is renamed to WSOCK32.DLL. Because Windows 9x processes WININIT.INI at the next restart, before the shell loads, this replaces the system's WSOCK32.DLL with the worm's copy.
From then on, Windows loads the worm's DLL in place of the original, which gives the worm access to the network functions.
Spreading
On the next Windows restart, the infected WSOCK32.DLL is loaded into memory and gains control. It exports, and thereby intercepts, every function the original WSOCK32 library exports. For all but two of them the worm simply forwards the call to the original library, which it loads as WSOCK33.DLL for that purpose.
The two functions the worm handles itself are "send" and "connect". Through them it intercepts e-mails sent from the infected computer and attaches its copy to them as the file SUPPL.DOC.
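The WININIT.INI rename trick is worth checking for directly, because on Windows 9x the [rename] section is processed at boot before the shell and before any on-access scanner is running. The following Python is an added example, not code from the original article: it parses a WININIT.INI [rename] section (each line is destination=source; a destination of NUL deletes the source) and flags entries that overwrite a watched system DLL with some other file, reporting where the original was moved. The sample file is constructed to mirror the WSOCK32.DLL / WSOCK33.DLL / DLL.TMP sequence described above; the watched-DLL set is an assumption.

```python
import ntpath

# DLLs whose replacement through [rename] would hand a dropped file network or
# system-level hooks. WSOCK32.DLL is the one Suppl targets; the rest are an assumption.
WATCHED_DLLS = {"wsock32.dll", "kernel32.dll", "user32.dll", "gdi32.dll"}


def parse_rename_section(text: str) -> list:
    """Return (destination, source) pairs from the [rename] section, in file order.

    Windows 9x applies these at the next boot: each line is `destination=source`,
    and a destination of NUL means the source file is deleted.
    """
    entries, in_rename = [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dst, src = (part.strip() for part in line.split("=", 1))
            entries.append((dst, src))
    return entries


def find_dll_swaps(text: str) -> list:
    """Flag rename entries that overwrite a watched DLL with some other file."""
    moved_aside = {}  # watched DLL -> name it is renamed to (or "nul")
    findings = []
    for dst, src in parse_rename_section(text):
        src_name = ntpath.basename(src).lower()
        dst_name = ntpath.basename(dst).lower()
        if src_name in WATCHED_DLLS:
            moved_aside[src_name] = dst_name
        if dst_name in WATCHED_DLLS and src_name != dst_name:
            note = f"{dst_name} will be replaced by {src}"
            if dst_name in moved_aside:
                note += f" (original kept as {moved_aside[dst_name]})"
            findings.append(note)
    return findings


# Constructed WININIT.INI mirroring the sequence described above (not a real capture).
SUPPL_WININIT = r"""
[rename]
NUL=C:\WINDOWS\TEMP\~DF1B2A.TMP
C:\WINDOWS\SYSTEM\WSOCK33.DLL=C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WSOCK32.DLL=C:\WINDOWS\SYSTEM\DLL.TMP
"""

if __name__ == "__main__":
    for finding in find_dll_swaps(SUPPL_WININIT):
        print(finding)
```

The order of the entries matters: the original is moved aside first and the dropped file takes its name second, which is why the scan tracks renames of watched DLLs before judging what overwrites them. An entry that deletes a watched DLL outright (destination NUL) is recorded in moved_aside but produces no finding, so a practitioner would also want to report those.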

I-Worm.Stopin

Friday, December 29th, 2006

Details
I-Worm.Stopin.a

This is a virus-worm that spreads via the Internet attached to infected e-mail. The worm itself is a Windows PE EXE file about 30 KB in length (compressed with UPX; decompressed size about 85 KB), written in Borland C++.
Infected messages contain:
Subject: Secret for youall
Body:
Hi Friend,
I send you my last work.
Mail me if you have some suggests.
See you soon. Best Regards.
Attachment: My_Work.exe

The worm activates from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, runs its spreading routine and payload.
Installing
While installing, the worm copies itself to the Windows system directory with the MSGDI32.EXE name and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft GDI 32 bits = %SystemDir%\MSGDI32.EXE
The worm then displays a fake error message and exits.

While installing, the worm also looks for and terminates the following applications:
AVP32.EXE
AVPCC.EXE
AVPM.EXE
WFINDV32.EXE
F-AGNT95.EXE
NAVAPW32.EXE
NAVW32.EXE
NMAIN.EXE
PAVSCHED.EXE
ZONEALARM.EXE

Spreading
Upon the next start-up (run via the registry Run key), the worm activates its e-mail spreading routine. To send infected messages it uses Win32 MAPI functions. To collect victim e-mail addresses, the worm searches for and scans the following files:
*.HTM
*.HT*
*.DOC

Payload
On the 7th of any month, the worm displays the following message:

On the 11th of any month, it displays the following text:
Can we try to stop the conflicts ? YES OF COURSE !
On the 28th, it creates the file "StopIntifada.htm", writes the following text into it and opens it:
Stop Violence between Palestinians and Israeli
HOW TO STOP THE VIOLENCE
-THE ISRAELIS:
To take the israelis tank out of the palestinians autonomous city.
Don’t bomb civil place after a terrorist bomb attack.
To arrest and to kill the leaders of terrorist groups.
-THE PALESTINIANS:
To stop to provoke the israelis army.
To stop the terrorist attacks.
-THE BOTH:
To try to accept the other people.
TO ORGANIZE A MEETING BETWEEN ARIEL SHARON AND YASSER ARAFAT !
Thanx to read this.

I-Worm.Stato

Thursday, December 28th, 2006

Details
I-Worm.Stator

This is an Internet worm that spreads via infected e-mails. It can spread only from computers that have the TheBat! e-mail client installed.
The worm obtains victims' e-mail addresses from the TheBat! database. To send itself from an infected computer, it uses SMTP and connects to the smtp.mail.ru server.
The message Subject and Body are in Russian, and the attached file is a Win32 EXE file (PE EXE file) with the “photo1.jpg.pif” name.
The translated text appears as follows:
Hello!
Your address was given to me by a common friend of ours (the first address that came to his mind)
I am a newcomer to the Internet and have just got this mailbox!
So that this is the very first time I am writing an e-mail!!!
He said that if I had any questions, I could ask youall
I am pretty cute and sociable.
(have a look at the photo)
I’m waiting for a reply from you!!!
Write me a bit about yourself and what you would like to know about me.
Good bye! Good bye!
:)))))))))

Sveta Kovaleva
The worm also installs itself in the system, infects several system files, and sends passwords and other confidential information out of the computer.
To hide its activity, the worm displays a JPEG image of a girl.
Infecting the system
When the worm starts (being activated from an infected message), it installs itself to the system in several ways.
First, the worm infects five files in the Windows directory:
MPLAYER.EXE, WINHLP32.EXE, NOTEPAD.EXE, CONTROL.EXE, SCANREGW.EXE
The worm infects them as a companion virus: each original file is renamed with a .VXD extension, and the worm copies itself in place of the original under the .EXE name.
The worm then drops further copies of itself, SCANREGW_EXE and LOADPE.COM, into the Windows system directory and IFNHLP.SYS into the Windows directory. LOADPE.COM is then registered as the handler for EXE files in the registry:
HKCR\exefile\shell\open\command = LOADPE.COM
From then on, whenever any Win32 EXE file is started, this worm copy runs first and infects the EXE file in the same companion manner.
The SCANREGW.EXE copy in the Windows system directory is then registered in the auto-run registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
ScanRegistry = %SystemDir%\scanregw.exe
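Two of Stator's persistence tricks, hijacking HKCR\exefile\shell\open\command and companion infection via .VXD renames, leave artefacts that are easy to check offline. The following Python is an added example and not code from the original article: it compares an exefile open-command value with the stock "%1" %* handler and scans a directory listing for .EXE/.VXD pairs, which a stock Windows installation does not have. The directory listing is constructed; on a live host the registry value would be read with winreg as noted in the docstring.

```python
import ntpath
from collections import defaultdict

# Stock value of HKCR\exefile\shell\open\command on Windows 9x/NT.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'


def exefile_command_hijacked(command: str) -> bool:
    """True when the handler that launches every .EXE is not the stock one.

    On a live Windows host the value comes from
    winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, r"exefile\\shell\\open\\command").
    Whitespace and case are normalised so that only a real change is reported.
    """
    normalised = " ".join(command.split()).lower()
    return normalised != EXPECTED_EXEFILE_COMMAND


def companion_pairs(listing) -> list:
    """Return stems that have both an .EXE and a .VXD in the same directory.

    Stator renames the host to .VXD and drops itself under the original .EXE
    name, so a matching pair is the infection artefact.
    """
    exts_by_stem = defaultdict(set)
    for path in listing:
        directory, filename = ntpath.split(path)
        stem, ext = ntpath.splitext(filename)
        exts_by_stem[(directory.lower(), stem.lower())].add(ext.lower())
    return sorted(
        ntpath.join(directory, stem)
        for (directory, stem), exts in exts_by_stem.items()
        if {".exe", ".vxd"} <= exts
    )


# Constructed directory listing (not from a real infection). VMM32.VXD is a
# legitimate driver with no .EXE twin and must not be reported.
SAMPLE_LISTING = [
    r"C:\WINDOWS\NOTEPAD.EXE", r"C:\WINDOWS\NOTEPAD.VXD",
    r"C:\WINDOWS\WINHLP32.EXE", r"C:\WINDOWS\WINHLP32.VXD",
    r"C:\WINDOWS\CALC.EXE",
    r"C:\WINDOWS\SYSTEM\VMM32.VXD",
    r"C:\WINDOWS\SYSTEM\LOADPE.COM",
]

if __name__ == "__main__":
    print(exefile_command_hijacked("LOADPE.COM"))          # True
    print(exefile_command_hijacked(EXPECTED_EXEFILE_COMMAND))  # False
    print(companion_pairs(SAMPLE_LISTING))
```

Cleaning up a companion infection is the reverse of the rename: delete the worm's .EXE and rename the .VXD back, which is why the scan reports the stem rather than one of the two files. The exefile check must be done before any other tool is run from the infected host, since every .EXE launched through the hijacked handler reinfects.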
Information that is sent out
The worm sends out the following data from an infected computer (to its “master”):
Remote access password and logins
Local network logins and passwords
BCSoft NetLaunch, PySoft AutoConnect and CureFtp information (if installed)
Netscape, TheBat! system parameters (if installed)
List of FAR ftp servers (if installed)
FIDO TMail passwords (if installed)
as well as system configuration and other information about the system
The message containing this information has the following fields:
From: Stat-generator v1.3 <%email_from%@mail.ru>
To: <%email_to%@pisem.net>
Subject: PLICT`01. Stat from %IP_address%
Attach: STAT.PGP
where:
%IP_address% is the IP address of an infected machine.
%email_from% is a seven-character random string (for example "syekqwc", "kryfmta", "nubipwd")
%email_to% is a seven-character address generated from the current month and day (for example "pwdkryf", "rzhpxfn"), so the address the information is sent to changes with the date.

I-Worm.Stapl

Thursday, December 28th, 2006

Details
I-Worm.Staple

This is an Internet worm that spreads via e-mail by sending infected messages from affected computers. While spreading, the worm uses MS Outlook and sends itself to the addresses stored in the MS Outlook Address Book.
The worm arrives as an e-mail message with an attached VBS file, which is the worm itself. In the original version the message has:
The Subject: RE:Injustice
Message body:
Dear [address],
Did you send the attached message, I was not expecting
this from you!
Attached file name: injustice.TXT.vbs
When activated by a user (by double-clicking the attached file), the worm opens MS Outlook, accesses the Address Book, takes up to 50 addresses from each address list and sends messages with its attached copy to all of them. The message subject, body and attachment name are the same as above.
Additionally, each time the worm is activated it sends infected messages to 25 addresses hard-coded in the worm body.
To avoid sending infected messages to the same address twice, the worm marks each address it has used.
Finally, the worm opens six Internet Explorer windows with different links and displays the message:
HELP US TO STOP THE BLOOD SHED!!
PLEASE ACCEPT MY APOLOGIES FOR DISTURBING YOU.
Remember that one day YOU may be in this situation.
We need every possible help.
Israeli soldiers killed in cold blood 12 year old Palestinian child
Mohammad Al-Durra, as his father tried to protect him in vain with
his own body. As a result of the indiscriminate and excessive use of
machine gun fire by Israeli soldiers, journalists and bystanders
watched helplessly as the child was savagely murdered.
Palestinian Red Crescent Society medic Bassam Balbeisi
attempted to intervene and spare the child’s life but live
ammunition to his chest by Israeli fire took his life in the process.
The child and the medic were grotesquely murdered in cold blood.
Mohammad’s father, Jamal, was critically injured and permanently
paralyzed. Similarly, approximately 40 children were slain, without
the media taking notice or covering these tragedies.
THESE CRIMINAL ACTS CANNOT BE FORGIVEN OR FORGOTTEN!!!!

I-Worm.SSIW

Thursday, December 28th, 2006

Details
I-Worm.SSIWG

This is a "LoveLetter"-like Internet worm that spreads via e-mail by sending infected messages from infected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses stored in the MS Outlook Address Book.
The known version contains a mistake (one instruction is mistyped), so the worm is unable to spread its copies by e-mail. The mistake could easily be fixed, however, after which the worm would spread.
The worm is able to propagate through a local network: it enumerates network resources and copies itself to them. It cannot activate itself on a remote computer and infects it only if the copy is accidentally run by a user.
The worm itself is a VBS script program.
The worm arrives as an e-mail message with:
Subject: I’am missing U
Message body: Could u remember me ?
Attachment name: Y072QWV.VBS
Upon being activated by a user, the worm copies itself to the Windows system directory with the same name (Y072QWV.VBS) and registers this copy in the auto-run section in the system registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Y072QWV" = %Windir%\Y072QWV.VBS
where "Windir" is the name of the Windows system directory.
The worm then spreads through a local network by copying its “Y072QWV.VBS” file to the root directory on drives shared for writing.
To send infected messages, the worm connects to MS Outlook, obtains all addresses from the address book and sends to there its messages (the subject, body and attachment name are the same as listed above).
Because the worm registers itself in the auto-run registry section, it is activated upon each Windows boot-up, but it does not spread by e-mail messages each time it is run. The worm has a counter that is stored in the Windows registry:
HKEY_LOCAL_MACHINE\ “Y072QWV” = number
where “number” is the number of starts (upon each start, the worm increases this counter). When the counter reaches 20, the worm resets it to zero and then runs an Outlook infection routine. Otherwise, the worm skips it.
As a result, the worm sends infected messages only upon the first run (being activated from an infected message), and upon each 20th reboot. The local network spreading routine is activated each time the worm starts.
The worm has a feature that makes detection slightly harder: all text strings in its code are lightly encrypted, and the worm decrypts them only when it needs them.

I-Worm.Spam.Brie

Thursday, December 28th, 2006

Details
I-Worm.Spam.Brief
Spam.Brief is a worm spreading via the Internet as an attachment to infected emails. It is written in Visual Basic Script (VBS).
To send out messages the virus uses MS Outlook and sends messages to all addresses found in a victim machine’s Outlook address book. The messages sent by the worm have the following subject:
here comes the subject
Message body text:
here comes the body
Attachment name:
virus.bat
Spreading
The virus spreads only when the file virus.bat is present in the root directory of drive C:. The attached file will therefore not work if the operating system processes it as a BAT file.
Other versions
This version is also written in Visual Basic Script (VBS). To send messages it uses MS Outlook and sends infected messages to all addresses found in the Outlook address book. These messages have the following subject:
Nice couple
Message body text:
They want to meet you. http://briefcase.yahoo.com/youngwifedawn
The message itself does not carry an attached copy of the worm.

I-Worm.Soni

Thursday, December 28th, 2006

Details
I-Worm.Sonic

This is a multi-component Internet worm that infects Win32 machines and spreads in e-mail messages as an attached EXE file. The worm has several components and is able to "upgrade" itself from a web site.
There are two principal components: the Loader and the Main component.
The Loader is a Windows EXE file about 25 KB in size (compressed with UPX; about 70 KB decompressed). When the Loader is run on a computer (from the e-mail attachment), it registers itself as a hidden process (service), copies itself to the Windows system directory under the name GDI32.EXE and registers that file in the auto-run registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
GDI = WinSystem\GDI32.EXE
where "WinSystem" is the Windows system directory. As a result the Loader runs at each Windows startup. Note that this directory contains the standard Windows components GDI.EXE and GDI32.DLL; the worm uses the name GDI32.EXE to blend in with them.
To hide its activity, the worm then displays the fake error message:
FileName n'est pas une application Win32 valide.
(French: "FileName is not a valid Win32 application"), where FileName is the actual file name the worm was started from.
The Loader then runs its main procedure, which obtains and executes the Main component. It connects to the web page http://www.geocities.com/olivier1548/ and retrieves several files from there:
LASTVERSION.TXT - a text file with the number of the latest worm version available there. If there is no new version, the worm exits.
nn.ZIP - latest version of worm Main component, “nn” is defined in LASTVERSION.TXT.
GATEWAY.ZIP - latest version of worm Loader component.
The nn.ZIP and GATEWAY.ZIP files are not real archives but encrypted Windows EXE files. The Loader decrypts them, copies them to the Windows directory and runs them, which activates the Main component on the computer.
The Main component is a Windows EXE file about 40 KB in size (compressed with UPX; about 120 KB decompressed). It is installed to the Windows directory under the name GDI32A.EXE and registered in the system registry in the same way as the Loader. Depending on certain conditions, it then opens the Windows Address Book, obtains Internet addresses from it and sends infected e-mail messages. In the known version these messages have:
Subject: Choose your poison
Attached file name: girls.exe
The Main component also has backdoor capabilities that allow a remote operator to monitor the infected computer and use its resources.

I-Worm.Sobig

Thursday, December 28th, 2006

Details
I-Worm.Sobig.e
Sobig.e is a worm virus spreading via the Internet as a file attached to infected emails. The Sobig.e worm also spreads through open network shares.
The worm itself is a Windows PE EXE file written in Microsoft Visual C++ and compressed with the TeLock utility. Compressed, the file is typically around 80 KB and above; decompressed it is about 130 KB.
What separates Sobig.e from its four predecessors is its use of the ZIP file format; what it does after infecting the system is virtually identical to the earlier Sobig variants.
The Sobig.e worm activates from an infected email only when a user runs the attached file, or unzips it and runs the extracted file, depending on the attachment's format.
When run the worm installs itself to the system and runs its spreading routine.
Installing
While installing the worm copies itself to the Windows directory under the name winssk32.exe and registers itself in the system registry auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SSK Service = %WindowsDir%\winssk32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SSK Service = %WindowsDir%\winssk32.exe

Spreading: email
To send infected messages the worm uses a built-in SMTP engine. To find victim addresses it looks for .TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on all available local drives and extracts email-like strings from them.
Below are variations of Sobig.e message content:
The “From” field has fake email address (found on the infected machine) or “support@yahoo.com”

Subject:

“Re: Movie”
“Re: Movies”
“Re: Submited (Ref: 003746)”
“Re: Screensaver”
“Re: Documents”
"Re: Re: Application ref. 003644"
“Re: Re: Document”
“Your application”

Message Body:

‘Please see the attached zip file for details.’

Attached file name:

“details.pif”
“application.zip”
“application.pif”
“document.zip”
“document.pif”
“screensaver.zip”
“sky_world.scr”
“Movie.zip”
“Movie.pif”

The files with the “zip” extension are archives that contain the worm’s executable file.
The worm also creates the file msrrf.dat in the Windows directory and writes to this file the email addresses that were found on an infected machine.
Spreading: via network
The worm enumerates all accessible network resources (other computers on the network) and copies itself to the auto-start directories (if such subdirectories exist) of each resource found:
Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\

Updating
The worm opens network connections on ports 995, 996, 997, 998, and 999, and then takes commands from its “master”, and receives data from its “master”. The data comes in the form of some URLs. The worm downloads files from these URLs and executes them. As a result the worm is able to “upgrade” itself with new versions, and/or to install other applications (trojan programs for example).
Other
All worm routines except "Updating" (see above) are active only until July 14, 2003; after that date the worm no longer runs its email or network spreading routines, but the update channel remains open.
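Sobig.e's address harvesting and its kill date together determine what an infected host would have leaked and until when. The following Python is an added example, not the worm's code or the original article's: it applies an email-like regular expression to in-memory file contents, restricted to the extensions listed above, and checks a date against the July 14, 2003 cut-off. The file contents are constructed; the regular expression is an assumption, since the worm's exact matching pattern is not documented here.

```python
import ntpath
import re
from datetime import date

# Extensions the worm scans for addresses, as listed in the description above.
HARVEST_EXTS = {".txt", ".eml", ".html", ".htm", ".dbx", ".wab"}
# Loose "email-like string" matcher (assumption: the worm's own pattern is not given).
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
KILL_DATE = date(2003, 7, 14)


def spreading_active(today: date) -> bool:
    """Spreading runs up to and including 14 July 2003; the update channel stays on."""
    return today <= KILL_DATE


def harvest_addresses(files: dict) -> list:
    """Return the unique, lower-cased addresses found in files with harvested extensions.

    `files` maps a path to its raw bytes, standing in for a walk of every local drive.
    Binary formats such as .dbx are scanned as raw bytes, exactly as the worm would.
    """
    found = set()
    for path, data in files.items():
        if ntpath.splitext(path)[1].lower() not in HARVEST_EXTS:
            continue
        for match in EMAIL_RE.finditer(data):
            found.add(match.group().decode("ascii", "ignore").lower())
    return sorted(found)


# Constructed file contents (not real user data).
SAMPLE_FILES = {
    r"C:\My Documents\contacts.txt": b"Bob <bob@example.com>, carol@example.org\n",
    r"C:\WINDOWS\Desktop\page.htm": b'<a href="mailto:Dave@Example.net">Dave</a>',
    r"C:\WINDOWS\Temp\mail.dbx": b"\x00\x01From: eve@example.com\x00\x00",
    r"C:\WINDOWS\SYSTEM\kernel32.dll": b"MZ... not.an@address.inside.exe",
    r"C:\Program Files\readme.doc": b"frank@example.com",  # .doc is not on the list
}

if __name__ == "__main__":
    print(harvest_addresses(SAMPLE_FILES))
    print(spreading_active(date(2003, 7, 1)), spreading_active(date(2003, 8, 1)))
```

Running the same scan over a recovered disk image is the quickest way to tell which correspondents an infected machine would have targeted and which sender addresses it could have spoofed; the msrrf.dat file mentioned above holds the worm's own copy of that list. The kill-date check is the reason a sample found after July 2003 no longer mails, even though the ports 995 to 999 backdoor still answers.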

