Details
I-Worm.Thonic.b
This worm spreads via the Internet as an attachment to infected messages. The worm itself is a Windows PE EXE file. The body of the worm is encrypted and 7502 bytes in size.
The worm searches for PE files with the extensions .exe, .cpl, and .scr.
When infecting these files, it writes itself to the end of each file in a section named ".DCUbLmd".
It does not infect already infected files.
The worm’s code contains errors. It is unable to propagate independently.
A VBS script controls propagation via email. The script is 875 bytes in size and is saved as C:\cthonic.vbs
The executable file infects notepad.exe, and copies itself to the C: root directory as C:\snowboard_accident.avi.[75 spaces]exe
It then executes the script to mail the file snowboard_accident.avi.[75 spaces]exe.
The worm contains the following text:
-=[YoG-SoTHoTH]=-
The Ancient Ones are near !!! Fear not these latter days of humanityall
Created by -=[YoG-SoTHoTH]=- on Sept2003
HEX EDITING BIATCHs…….FUCK OFF !!!
Win32.CthonicWorm.1a by -=[Azag-TH0TH]=-
It changes the system registry
[SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
to ensure that the body of the worm is launched every time the system is started.
Infected messages:
Subject:
Hey check out this funny video my friend sent me !
Message body:
Mail Body
Attachment name:
C:\snowboard_accident.avi.[75 spaces]exe
The worm is activated when the user launches the infected file by double-clicking the attachment. Once this is done, executable system files are infected.
The worm uses Windows MAPI functions to send messages.
Mass mailing
When sending infected messages, the worm accesses MS Outlook and sends itself to all addresses harvested from the address book.
It also propagates via mIRC.
This entry was posted on Friday, December 29th, 2006 at 6:00 pm and is filed under Virus Threats.
Details
I-Worm.Thonic.a
This worm spreads via the Internet as an attachment to infected messages.
The worm itself is a Windows PE EXE file, and it is 5482 bytes in size.
It searches for and infects PE files with the extensions .exe, .cpl, and .scr.
The worm intercepts calls to the following Windows API functions: WinExec, MoveFile and SetCurrentDir. When they are called, the worm searches for files and infects them.
When infecting files, the worm writes itself to the end of the files under the name .Nameles.
It cannot spread independently by email.
Propagation via email is carried out by a VBS script. The script is 875 bytes in size and is saved as C:\VQmSXjvyc.vbs.
The executable file infects notepad.exe and copies it to the C: root directory as funnystuff.avi.exe
The script then executes, sending the file funnystuff.avi.exe by mail.
It contains the text:
Win32.Nameless Mist – AzagTH0TH
Infected messages:
Infected messages have the following attributes:
Message header:
Free MyDoom.B Patch !
Message body:
Very urgent !
You should run this patch to protect your Windows OS immediately to
avoid this danger virus variant.
Thank You,
Microsoft Technical
Support Staff
Any rights not expressly granted herein are reserved.
Contact Microsoft with questions or problems.
(c) 2004 Microsoft Corporation. All rights reserved
Attachment name:
C:\funnystuff.avi.exe
The worm is activated only if the user launches the infected file by double-clicking the attachment. It then infects executable system files.
It uses Windows MAPI to send messages.
Message mailing
When sending infected messages, the worm accesses MS Outlook and sends itself to all addresses harvested from the address book.
This entry was posted on Friday, December 29th, 2006 at 4:55 pm and is filed under Virus Threats.