W32/Culler

Type: Virus
SubType: Win32
Discovery Date: 03/28/2007
Length: 122,880 bytes
Minimum DAT: 4994 (03/28/2007)
Updated DAT: 5026 (05/08/2007)
Minimum Engine: 5.1.00
Description Added: 03/28/2007
Description Modified: 05/21/2007 10:48 PM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

 -- Update May 21, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.smbedge.com/news/view/11/7342/1/

--

This is a worm that spreads through MSN Messenger by sending a link which promises an animation of President Bush. It arrives as a file named bush.exe, which uses an icon to make it appear to be a Flash animation.

When executed, the worm copies itself to either the Windows directory or the Windows System directory:

  • %WinDir%\Strad.exe
  • %WinDir%\Zser.exe
  • %SysDir%\Xeyu.exe
  • %SysDir%\Xsfr.exe

It creates the following registry entries to run itself at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "System"= %SysDir%\Xsfr.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "SystemUpdate" = %SysDir%\Xeyu.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "Windows" = %WinDir%\Zser.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "WindowsUpdate" = %WinDir%\Strad.exe

It also creates the following registry entry as an infection marker:

  • HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SysUpdate
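The file paths, Run values and infection marker listed above can be checked on a host in one pass. The following PowerShell script is an added example written for this description, not McAfee's own tooling; it is read-only (it reports and removes nothing), assumes PowerShell 3 or later on Windows, and resolves %WinDir% and %SysDir% from the current environment.

```powershell
# Added example (not from the McAfee description): read-only host check for the
# W32/Culler artifacts listed above. Reports findings; does not delete anything.
# Assumes PowerShell 3+ on Windows. %WinDir% / %SysDir% resolved from the environment.

$winDir = $env:WINDIR
$sysDir = Join-Path $winDir 'System32'

# Dropped copies named in the description (only one of the two locations is used)
$filePaths = @(
    (Join-Path $winDir 'Strad.exe'),
    (Join-Path $winDir 'Zser.exe'),
    (Join-Path $sysDir 'Xeyu.exe'),
    (Join-Path $sysDir 'Xsfr.exe')
)

# HKCU Run values named in the description: value name -> expected data
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @{
    'System'        = (Join-Path $sysDir 'Xsfr.exe')
    'SystemUpdate'  = (Join-Path $sysDir 'Xeyu.exe')
    'Windows'       = (Join-Path $winDir 'Zser.exe')
    'WindowsUpdate' = (Join-Path $winDir 'Strad.exe')
}

# Infection marker key created by the worm
$markerKey = 'HKCU:\Software\VB and VBA Program Settings\SysUpdate'

$findings = @()

# 1. Dropped files
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $findings += [pscustomobject]@{
            Type       = 'File'
            Location   = $p
            Data       = (Get-Item -LiteralPath $p).Length   # description lists 122,880 bytes
            ExactMatch = $true
        }
    }
}

# 2. Startup persistence: flag any of the four value names, and record whether the
#    data points at the expected path. Name + data together is the stronger signal;
#    a value named "System" or "Windows" on its own only deserves a look.
if (Test-Path -LiteralPath $runKey) {
    $run = Get-ItemProperty -LiteralPath $runKey
    foreach ($name in $runValues.Keys) {
        $prop = $run.PSObject.Properties[$name]
        if ($null -ne $prop) {
            $findings += [pscustomobject]@{
                Type       = 'RunValue'
                Location   = "$runKey\$name"
                Data       = $prop.Value
                ExactMatch = ([string]$prop.Value -ieq $runValues[$name])
            }
        }
    }
}

# 3. Infection marker
if (Test-Path -LiteralPath $markerKey) {
    $findings += [pscustomobject]@{
        Type       = 'MarkerKey'
        Location   = $markerKey
        Data       = ''
        ExactMatch = $true
    }
}

if ($findings.Count -eq 0) {
    'No W32/Culler artifacts found for the current user.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because the persistence entries and the marker live under HKEY_CURRENT_USER, this check only covers the user the script runs as; to sweep other profiles on the same machine, inspect the corresponding hives under HKU (or load each profile's NTUSER.DAT) and repeat the registry section. Removal itself should still be left to the engine and DAT combination named in the Removal section.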

The worm displays a fake error message to fool the user into thinking it did not run successfully:

Component 'COMDLG32.OCX' or one of its dependencies no correctly registered a file is missing or invalid.

In order to spread, the worm will send a message to all MSN Messenger contacts with a hyperlink to the file, and the following text:

  • mira esta animacion de bush :P (Spanish for "look at this animation of Bush :P")

The worm will attempt to communicate with several remote sites, including trying to download a file in some cases.

Symptoms

  • MSN Messenger contacts stating that you are sending them a hyperlink that you did not intentionally or knowingly send.
  • Presence of the files, registry entries or error message listed previously.

Method of Infection

This worm spreads by sending MSN Messenger Contacts a hyperlink pointing to a web site hosting the worm.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Aliases

  • IM-Worm.Win32.VB.au (Kaspersky)
  • W32.Kelvir (Symantec)
  • W32/Culler-D (Sophos)
  • W32/Culler.AU!worm.im (Fortinet)
  • W32/MSNDiablo.A.worm (Panda)
  • Worm/VB.BFE (Grisoft)
  • WORM_KELVIR.EL (Trend)
