I-Worm.Wineva

Details
I-Worm.Winevar

This is the worm virus spreading via the Internet being attached to infected emails. The worm was found in-the-wild in Korea at the end of November 2002.
The worm itself is a Windows PE EXE file about 91Kb of length written in Microsoft Visual C++. Most of text strings in worm body are encrypted.
Installing
While installing the worm copies itself to Windows system directory with the random selected name:
WIN%rnd%.PIF
where %rnd% is random number, and registers that file in system registry auto-run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
There are two values written to all those keys:
.default = %worm file name%
%worm name% = %worm file name%
where %worm name% is worm file name without extentions, %worm file name% is full file name, for example:
.default = “C:\\TEMP\\WIND2C2.pif”
“WINA2B3″ = “C:\\WINDOWS\\SYSTEM\\WINA2B3.pif”
It seems that “.default” duplicate is written to registry key because of a bug in worm code.
Later the worm also copies itself with EXPLORER.PIF name to the Desktop.
Spreading
To get victim emails the worm looks for *.HTM and *.DBX files and extracts emails addresses from there except emails that have “@microsoft.” part in email address. To send infected messages the worm uses direct connection to default SMTP server.
While sending itself the worm appends to its copy following information:
- country region ID (for example: [KOR], [RUS] – for Korea and Russia)
- current date and time
- user name and company name (as it is stored in registration information)
By using these data that is possible to trace particular worm copy “migration” process.
The infected messages have different data in email fields. Below the %RegisteredOwner% and %RegisteredOrganization%

Subject is randomly (depending on worm “generation”) selected from variants:
Re: AVAR(Association of Anti-Virus Asia Reseachers)
N’4 %RegisteredOrganization%
N’4 Trand Microsoft Inc.

The last (third) variant is selected in case there is no “RegistreredOrganization” key in system registry. The “N`4″ combination is not decrypted “Re:” string, it seems that the worm author just forgot to decrypt that string in corresponding routine.
The message body is also selected depending on worm generation:
%RegisteredOwner% – %RegisteredOrganization%
or:
AVAR(Association of Anti-Virus Asia Reseachers) – Report.
Invariably, Anti-Virus Program is very foolish.
Attached file names can be different, for example:
MUSIC_1.HTM, MUSIC_2.CEO
WIN40B1.TXT, WIN40B1.GIF
Where “WIN” names have random number at the end (in this case – “40B1″). At the same time depending on email client the appearence of these attached files in the infected message may be different.
To run from infected message the worm uses two security breaches:
Microsoft VM ActiveX Component
Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
Payload
The worm looks for anti-virus programs, firewalls and debuggers and tries to terminate them, as well as to kill their files. In some cases (in all cases?) if an anti-virus is found, the worm erases all files on all drives, probably because of a mistake in its code.
The worm drops to Windows system directory “WIN%Rnd%.TMP” file, writes “Win32.Funlove” virus to there and executes this file. Thus the worm infects the machine with “Win32.Funlove” virus.
The worm displays the message:
Make a fool of oneself
What a foolish thing you have done!
In an endless loop the worm opens the http://www.symantec.com Web site (it seems that worm tries to run DoS attack on that server).
The worm also has following encrypted text strings:
~~ Drone Of StarCraft~~