W32/Morb@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 04/10/2003
Length: 55,808 bytes
Minimum DAT: 4258 (04/16/2003)
Updated DAT: 4258 (04/16/2003)
Minimum Engine: 5.1.00
Description Added: 04/10/2003
Description Modified: 04/10/2003 10:40 AM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

This worm is written in Borland Delphi and is intended to spread via a number of vectors:

  • mailing itself in reply to messages in the user's inbox (Outlook Express).
  • via the KaZaA peer-to-peer (P2P) file-sharing network.
  • via IRC/HTTP: port 81 is opened on the victim machine and a URL pointing at it is distributed via IRC; the HTML page served there contains a link to a copy of the worm.

The worm drops a UPX-packed version of IRC-Sdbot (this variant requires the 4258 DATs for detection).

The following files are dropped on the victim machine:

  • C:\WINNT\SERVICES\SETUP.EXE (55,808 bytes) - copy of the worm.
  • C:\WINNT\MSAPI.EXE (16,416 bytes) - dropped IRC-Sdbot, detected with 4258 DATs.
  • C:\WINNT\SVCHOST.EXE (55,808 bytes) - copy of the worm.
  • C:\WINNT\SYSTEM32\WINSYST32.EXE (16,416 bytes) - dropped IRC-Sdbot, detected with 4258 DATs.
  • C:\MIRC\MSCRIPT.INI (232 bytes) - detected as W32/Morb.ini with the specified DATs.
  • C:\WINNT\SERVICES\INDEX.HTML (670 bytes) - detected as W32/Morb.html with the specified DATs.

Multiple Registry keys are modified to hook system startup, both for the virus and for the dropped IRC-Sdbot:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"svchost" = C:\WINNT\svchost.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"WinSyst32" = winsyst32.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
"WinSyst32" = winsyst32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"svchost" = C:\WINNT\svchost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"WinSyst32" = winsyst32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
"WinSyst32" = winsyst32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"WinSyst32" = winsyst32.exe

The virus contains the following string:

b0rm_v0.1

Symptoms

Existence of the following files:

  • C:\WINNT\SERVICES\INDEX.HTML (670 bytes)
  • C:\WINNT\SERVICES\SETUP.EXE (55,808 bytes - copy of the worm)
  • C:\WINNT\MSAPI.EXE (16,416 bytes - dropped IRC-Sdbot)
  • C:\WINNT\SVCHOST.EXE (55,808 bytes - copy of the worm)
  • C:\WINNT\SYSTEM32\WINSYST32.EXE (16,416 bytes - dropped IRC-Sdbot)

Method of Infection

Mass-Mailing

The virus mails itself in reply to messages located in the inbox on the victim machine (the Microsoft Outlook Express inbox in testing). Outgoing messages are formatted with the following characteristics:

Subject/Body: Selected from one of the following strings:
  • Check this out,
  • btw, download this,
  • I wanted to show you this,
  • please check out,
  • hey go to,
  • See if you can get this to work,
  • this is cool,
  • this is funny,
  • Free porn at
  • lol,
  • is this you?
  • whats this?
  • This is me,
  • Whats wrong with?
  • wtf?
  • hmmmm,
  • Hahaha,
  • Fuck this,
  • weird,
  • HOLY SHIT,
  • WOW CHECK THIS OUT,
  • omg omg omg I found the best app,
  • What have they done with you?
  • Is this possible?
  • rofl,
  • bitch ;),
  • How come this happened?
  • This is me naked,
  • Sex me up
  • This guy is a moron,
  • Check this out
  • This is what you wanted, right?
  • Microsoft Windows Security Update
  • See if you can get this to work
  • I admit it ... I love you
  • Sex me up baby
  • This is so funny
  • To be or not to be?
  • B-ville did it again ...
  • Company information
  • Here you go, I recall you asked for this.
  • Hey sweety, check the attachement.
  • How do you feel about this?
  • Please do not make this public, thank you.
  • Please install this update, its required
  • Come on honey!
  • I love this funny game, check it out.
  • This is the stock information you wanted.
  • Keep it a secret please!
  • With love from b-ville!
Attachment: One of the following filenames, tailored to the rest of the message:
  • Q349247.exe
  • information.DOC.exe
  • Saddam_Game.exe
  • I_Love_U.exe
  • NakedPics.JPG.exe
  • FreeSex.exe
  • B-ville.exe
  • StockInformation.XLS.exe
  • SecretFile.exe
  • Attachement.exe

IRC/HTTP Propagation

The virus opens port 81 on the victim machine. It also drops an IRC script as C:\MIRC\MSCRIPT.INI (232 bytes), which is used to send the following message, publicising the victim machine (crude word masked below):

F*** this, http://(IP address of victim machine):81

The virus also modifies the MIRC.INI configuration file on the victim machine, if it exists, so that the dropped MSCRIPT.INI is loaded as a remote script. It appends the following to the end of MIRC.INI:

[rfiles]
n2=MScript.ini
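
The startup hooks above (the Run/RunOnce/RunServices values and the [rfiles] entry) can be checked from a host triage script. The following is an added example, not McAfee's tooling; it assumes the registry is supplied as `reg export` text and mirc.ini as plain text, and the embedded samples are constructed, not captured from an infection.

```python
import re

# Startup keys named in the description, as [Key] headers of a `reg export` file.
RUN_KEY_RE = re.compile(r"^\[(?:HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft"
                        r"\\Windows\\CurrentVersion\\(?:Run|RunOnce|RunServices)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
MORB_RUN_VALUES = {"svchost": "svchost.exe", "winsyst32": "winsyst32.exe"}  # value name -> file

# Constructed `reg export` text (not from the page); backslashes are doubled in .reg files.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svchost"="C:\\WINNT\\svchost.exe"
"WinSyst32"="winsyst32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTool"="C:\\Program Files\\Example\\tool.exe"
"""
# Constructed mirc.ini fragment ending with the [rfiles] entry the worm appends.
MIRC_SAMPLE = "[mirc]\nuser=someone\n[rfiles]\nn0=script.ini\nn1=aliases.ini\nn2=MScript.ini\n"


def find_run_key_hooks(reg_export: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, data) for Run/RunOnce/RunServices values matching Morb's hooks."""
    hits, key, in_run_key = [], None, False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):  # new key header: decide whether it is a startup location
            key, in_run_key = line[1:-1], bool(RUN_KEY_RE.match(line))
            continue
        m = VALUE_RE.match(line)
        if not (in_run_key and m):
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
        expected = MORB_RUN_VALUES.get(name.lower())
        if expected and data.lower().rsplit("\\", 1)[-1] == expected:
            hits.append((key, name, data))
    return hits


def find_mirc_remote_hook(mirc_ini: str) -> list[str]:
    """Return [rfiles] lines that load MScript.ini, the remote-script hook the worm adds."""
    hits, section = [], None
    for line in mirc_ini.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "rfiles" and "=" in line:
            k, _, script = line.partition("=")
            if re.fullmatch(r"n\d+", k.strip(), re.IGNORECASE) and script.strip().lower() == "mscript.ini":
                hits.append(line)
    return hits
```

On a live host, feed `find_run_key_hooks` the output of `reg export` for both hives and `find_mirc_remote_hook` the contents of C:\MIRC\MIRC.INI; a non-empty result from either is a strong indicator that cleaning with the recommended DATs is needed.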

The virus drops INDEX.HTML in the %WinDir%\SERVICES directory on the victim machine. This HTML page spoofs a message concerning a multimedia player:

[Image: spoofed "Macromedia Flash Player" installation-instructions page]

This page is displayed when users click on the URL distributed via IRC. The link contained in the HTML page points to a local copy of the worm (SETUP.EXE).

P2P Propagation

Strings within the virus suggest it is intended to spread via the KaZaA file-sharing network, using the following filenames:

  • Unreal 2 - The Awakening.exe
  • Command & Conquer Generals.exe
  • Splinter Cell.exe
  • Warcraft III - The Frozen Throne.exe
  • Gods & Generals.exe
  • Unreal 2 Crack.exe
  • Command & Conquer Generals Crack.exe
  • Gods & Generals Crack.exe
  • The Sims 4.exe
  • The Sims 4 Crack.exe
  • Splinter Cell Crack.exe
  • Raven Shield - Crack.exe
  • Raven Shield Keygenerator - WORKS ONLINE.exe
  • Mortal Kombat - Deadly Alliance.exe
  • GTA 4 - BETA.exe

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
