W32/Bibrog.e@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 03/24/2003
Length: 234,496
Minimum DAT: 4254 (03/26/2003)
Updated DAT: 4258 (04/16/2003)
Minimum Engine: 5.1.00
Description Added: 03/24/2003
Description Modified: 03/24/2003 10:00 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This threat is proactively detected as a variant of W32/Bibrog with the 4253 DAT files. It behaves much in the same way as W32/Bibrog.c@MM except different file names are used for peer-to-peer propagation.

This mass-mailing worm sends itself to all users found in the Outlook Address Book using MAPI. It also spreads via KaZaa, Grokster, Morpheus, and ICQ and attempts to steal passwords for access to various websites/services. It poses as a Big Brother game and contains a destructive payload.

Email Propagation
The worm arrives in an email message containing the following information:

Subject: Fwd:La Academia Azteca
Body: La cacademia azteca (muy bueno) ¡no es virus!
Attachment: academia.exe

When the attachment is run, a shooting game is displayed.

The game functions as expected, but the virus is working in the background performing the following tasks:

1. Copies itself to the START UP folder as ITCH.EXE and ITCJ.EXE
2. Copies itself to the WINDOWS (%WinDir%) directory as manzana.exe
3. Copies itself to the SYSTEM (%SysDir%) directory as academia.exe
4. Creates a 2 byte text file, %WinDir%\mai.vbs
5. Creates several copies of webpages in the %My Documents% folder:
   • acafug.htm
   • banamex.htm
   • citibank.htm
   • hotmail.htm
   • msn.htm
   • yahoo.htm

Upon reboot, ITCH.EXE and ITCJ.EXE are run, which results in the creation of 2 marker registry keys:

• HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ezzey\varia "cuento"
• HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ezzey\varia "UpdateRegistry"

These registry keys are intended to monitor the number of times the virus has run. However, during testing the virus failed to increment the "cuento" counter key beyond 0, so the intended payload is never carried out. The first time the virus is run, these keys are not created; they are created only after the system is restarted and ITCH.EXE in the START UP folder is called. The "CUENTO" key is an incremental value for the number of times ITCH.EXE is run. When the various "trigger" points occur, the virus carries out various payloads.

Payload

1. The first time ITCH.EXE is run, the mass-mailing routine is carried out, two image files are dropped and one of them is set as the desktop wallpaper. Each time the system is restarted, the wallpaper image is changed.
2. At some point later, the virus is intended to delete all .DBF, .DLL, .EXE, .GIF, .HTML, .JPG, .MP3, .MPG, and .ZIP files. This was not observed during testing.

Peer-To-Peer Propagation

The virus also spreads via KaZaa, Grokster, Morpheus, and ICQ by copying itself to the following locations:

• KaZaA\My Shared Folder
• Grokster\My Grokster
• Morpheus\My Shared Folder
• ICQ\shared files

as the following filenames:

• Kylie_Minogue_screensaver.exe
• Shakira_screensaver.exe

Password Stealing

The virus drops several HTML documents in the MY DOCUMENTS folder. The documents contain forged copies of the login pages of popular websites (HOTMAIL, MSN, YAHOO, etc). The form actions have been replaced to send entered usernames and passwords to the author via a Yahoo greetings form.

• acafug.htm
• banamex.htm
• citibank.htm
• hotmail.htm
• msn.htm
• yahoo.htm

Symptoms

Presence of the following files:

• %WinDir%\mai.vbs
• %WinDir%\manzana.exe
• %WinDir%\osiris.bmp
• %WinDir%\quiettime.bmp
• %Start Up Folder%\itch.exe
• %Start Up Folder%\itcj.exe
• %SysDir%\academia.exe
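As an added defender-side example (not McAfee's tooling and not code from this page), the following Python triage check looks for the dropped files from the Symptoms list and for the two HKCU marker values created once ITCH.EXE runs from the START UP folder. The Startup folder path used in the live run, and the reading of "cuento" and "UpdateRegistry" as values under the varia key, are assumptions; the existence checks are injectable so the logic can be exercised on a constructed inventory off a Windows host.

```python
"""Host triage for the W32/Bibrog.e@MM indicators listed on this page."""
import ntpath
import os
from typing import Callable, Dict, List, Optional, Tuple

# Dropped files from the Symptoms list, as (folder key, file name).
FILE_INDICATORS: List[Tuple[str, str]] = [
    ("WinDir", "mai.vbs"), ("WinDir", "manzana.exe"),
    ("WinDir", "osiris.bmp"), ("WinDir", "quiettime.bmp"),
    ("Startup", "itch.exe"), ("Startup", "itcj.exe"),
    ("SysDir", "academia.exe"),
]
# Marker values ITCH.EXE writes after the first reboot. Assumption: "ezzey\varia"
# is a VB SaveSetting location, so the names are values under this HKCU key.
REG_KEY = r"Software\VB and VBA Program Settings\ezzey\varia"
REG_VALUES = ("cuento", "UpdateRegistry")


def expected_paths(folders: Dict[str, str]) -> List[str]:
    """Expand the indicator list against the host's WinDir/SysDir/Startup."""
    return [ntpath.join(folders[base], name) for base, name in FILE_INDICATORS]


def hkcu_value_exists(key: str, value: str) -> bool:
    """Real registry lookup; needs Windows, where the winreg module exists."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as handle:
            winreg.QueryValueEx(handle, value)
            return True
    except OSError:  # key or value absent
        return False


def triage(folders: Dict[str, str], path_exists: Callable[[str], bool],
           reg_value_exists: Optional[Callable[[str, str], bool]] = None) -> Dict[str, list]:
    """Return the indicators actually present, grouped into files and registry."""
    files = [p for p in expected_paths(folders) if path_exists(p)]
    values = [v for v in REG_VALUES if reg_value_exists and reg_value_exists(REG_KEY, v)]
    return {"files": files, "registry": values}


if __name__ == "__main__":  # live run on a Windows host; Startup path is assumed
    windir = os.environ.get("WINDIR", r"C:\Windows")
    live = {"WinDir": windir, "SysDir": ntpath.join(windir, "System32"),
            "Startup": ntpath.join(os.environ.get("APPDATA", ""),
                                   r"Microsoft\Windows\Start Menu\Programs\Startup")}
    print(triage(live, os.path.exists, hkcu_value_exists))
```

An empty result for both groups on a host that received the academia.exe attachment is consistent with the page's note that the markers only appear after the first reboot, so the file check is the earlier signal.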

Method of Infection

This worm spreads via email. Once run, it installs itself on the local system, which is then used to spread the virus the next time Windows is restarted.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• W32/Bibrog
