
OSX/Tored.worm

Type: Virus
SubType: Worm
Discovery Date: 04/22/2009
Length:
Minimum DAT: 5594 (04/23/2009)
Updated DAT: 5594 (04/23/2009)
Minimum Engine: 5.2.00
Description Added: 04/22/2009
Description Modified: 05/06/2009 11:56 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

This malware is a worm with bot capabilities, written in RealBasic. Due to several bugs in the code, this worm may partially work or not work at all. 

It mails itself to the email addresses found in the Address Book stored on the machine, and it attempts to propagate over the network by copying itself to network shares (where it has sufficient permissions) and to removable disks (though this does not appear to work correctly).

It also creates a few copies of itself under the following filenames:

  • systemupdate
  • applesystem

The emails are formed like this:

Subject: " For Mac OS X ! :(If you are not on Mac please transfer this mail to a Mac and sorry for our fault :)"

'From' field: "AppleFu" + [2 random letters] + "cker@mail." + [2 random letters]

Mail body:

One of these strings:

  • "Hi "
  • "Hey"
  • " Hello"
  • "y0 "
  • "Yo"
  • "Selem alaykom"
  • "Friend ! :) , "

Followed by one of these:

  • " friend "
  • " dude"
  • " man"
  • " you"

The third part is chosen among:

  • " wassup ?"
  • " how it is going "
  • " I missed you ! ^^"
  • " what is up there? "
  • " what is new ?"
  • " how are you"
  • " sup?"

The fourth part consists of a random string, and the fifth part is again chosen at random from:

  • "Traducting and decrypting message .... : "
  • "Traducting and decrypting message .... :Sir , Your Text !"
  • "Traducting and decrypting message .... :Error For Sending ,It Is Important to Get Your Data "
  • "Traducting and decrypting message .... :Chek It "
  • "Traducting and decrypting message .... :Crypted Message Has Been An Attachement , To Chek Your Message , Chek Your Attchement"
  • "Traducting and decrypting message .... :Check"
  • "Traducting and decrypting message .... :Your Identidie Has Been ....Chek Attchement For More Information"
  • "Traducting and decrypting message .... :You Has Been Comprimased , updating tools are as an attachement !"
  • "Traducting and decrypting message .... :Credi Money Has Been Sent As A Binary File for thanks for the updating, Chek"
  • "Traducting and decrypting message .... :New update tools "
  • "Traducting and decrypting message .... :Chek your update application !"
  • " Traducting and decrypting message .... :Your information was ..."

Different emails are sent when the worm's 'spamming' mode is turned on (the spam.on bot command). Those are formed like this:

The subject is created by using one of these strings:

  • "Hi , Chek"
  • "Sir , Your Text !"
  • "Error For Sending ,It Is Important to Get Your Data "
  • "Chek It "
  • "Crypted Message Has Been An Attachement , To Chek Your Message , Chek Your Attchement"
  • "Check"
  • "Your Identidie Has Been ....Chek Attchement For More Information"
  • "You Has Been Comprimased , Chek !"
  • "Credi Money Has Been Sent As A Binary File , Chek"
  • "New porn tools "
  • "Chek your XXX application !"
  • " Your information was ..."

The mail body is empty, and the 'From' field is spoofed with one of several sender addresses hard-coded in the worm.

The SMTP servers that the worm attempts to use are:

  • "smtp.9online.fr"
  • "mail.club-internet.fr"
  • "mail.diligo.fr"
  • "smtp.free.fr "
  • "smtp.infonie.fr"
  • "smtp.libertysurf.fr"
  • "smtp.nerim.fr"
  • "mail.cybercable.fr"
  • "mail.oreka.com"
  • "smtp.wanadoo.fr"
  • "mail.worldnet.fr"
  • "smtp.laposte.net"

The worm is also attached to these mails.
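
As an added example (not part of the advisory and not McAfee's code), the following Python mail-filter check matches a message against the templates listed above: the fixed self-mailer subject, the "AppleFu??cker@mail.??" sender pattern, the "Traducting and decrypting message" body marker, and the spam-mode subjects. The spam-mode subjects only count when the body is empty and an attachment is present, because several of them ("Check", for instance) are ordinary words. The three sample messages are constructed for the example; the worm's misspellings are matched literally because they are the indicator.

```python
import re
from email import message_from_string

# Indicators transcribed from the advisory. The worm's own misspellings
# ("Chek", "Traducting", ...) are the signal and are matched literally.
# Subjects are compared after trimming whitespace, since the worm's strings
# carry stray leading/trailing spaces.
TORED_SUBJECT = ("For Mac OS X ! :(If you are not on Mac please transfer this "
                 "mail to a Mac and sorry for our fault :)")

# 'From' field: "AppleFu" + 2 random letters + "cker@mail." + 2 random letters
TORED_FROM_RE = re.compile(r"AppleFu[A-Za-z]{2}cker@mail\.[A-Za-z]{2}")

# Fifth part of the self-mailer body.
TORED_BODY_MARKER = "Traducting and decrypting message .... :"

# Subjects used in spam mode (empty body, worm attached).
TORED_SPAM_SUBJECTS = {
    "Hi , Chek",
    "Sir , Your Text !",
    "Error For Sending ,It Is Important to Get Your Data",
    "Chek It",
    "Crypted Message Has Been An Attachement , To Chek Your Message , Chek Your Attchement",
    "Check",
    "Your Identidie Has Been ....Chek Attchement For More Information",
    "You Has Been Comprimased , Chek !",
    "Credi Money Has Been Sent As A Binary File , Chek",
    "New porn tools",
    "Chek your XXX application !",
    "Your information was ...",
}


def classify_mail(subject, sender, body, has_attachment):
    """Return the Tored indicators that fired for one message (empty list = clean)."""
    hits = []
    subject = subject.strip()
    if subject == TORED_SUBJECT:
        hits.append("subject:self-mailer")
    if TORED_FROM_RE.search(sender):
        hits.append("from:applefu-cker")
    if TORED_BODY_MARKER in body:
        hits.append("body:traducting-marker")
    # Spam-mode subjects are short generic phrases, so they only count
    # together with the other two properties of that mode.
    if has_attachment and not body.strip() and subject in TORED_SPAM_SUBJECTS:
        hits.append("subject:spam-mode")
    return hits


def scan_rfc822(raw):
    """Parse a raw RFC 822 message (str) and classify it."""
    msg = message_from_string(raw)
    has_attachment = False
    text_parts = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text_parts.append(payload.decode("utf-8", "replace"))
    return classify_mail(msg.get("Subject", ""), msg.get("From", ""),
                         "\n".join(text_parts), has_attachment)


# Constructed samples (not real captures).
SAMPLE_SELF_MAILER = """\
From: AppleFuxqcker@mail.zz
To: victim@example.org
Subject: For Mac OS X ! :(If you are not on Mac please transfer this mail to a Mac and sorry for our fault :)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hey dude wassup ? x7Qp Traducting and decrypting message .... :Chek It
--b1
Content-Type: application/octet-stream; name="systemupdate"
Content-Disposition: attachment; filename="systemupdate"

AAAA
--b1--
"""

SAMPLE_SPAM_MODE = """\
From: someone@example.net
To: victim@example.org
Subject: Chek your XXX application !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

--b2
Content-Type: application/octet-stream; name="applesystem"
Content-Disposition: attachment; filename="applesystem"

AAAA
--b2--
"""

# Same one-word subject as a spam-mode lure, but with a body and no attachment.
SAMPLE_BENIGN = """\
From: alice@example.com
To: bob@example.org
Subject: Check
MIME-Version: 1.0
Content-Type: text/plain

Can you check the build on the Mac box?
"""

if __name__ == "__main__":
    for name, raw in (("self-mailer", SAMPLE_SELF_MAILER),
                      ("spam-mode", SAMPLE_SPAM_MODE),
                      ("benign", SAMPLE_BENIGN)):
        print(name, scan_rfc822(raw))
```

The From pattern is the most durable of the four indicators: the random letters change per message, but the fixed prefix and the "mail." domain fragment do not, and it does not depend on the attachment surviving the gateway.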

The bot part of the worm can understand several commands:

  • beep
  • log.start
  • log.stop
  • update
  • navigate
  • spam.on
  • spam.off
  • ddos.on (DDoS against TCP port 80)
  • ddos.off

It also listens on TCP port 9999, contains a keylogger, and is able to download and execute additional files.

Symptoms

  • Existence of the files mentioned above
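
An added host- and network-side triage script (example code, not McAfee's) that turns the symptoms above, together with the TCP 9999 listener and the hard-coded SMTP relays, into checks: an exact-name search for the dropped copies, a parser for `lsof -nP -iTCP -sTCP:LISTEN` output that flags a listener on the bot port, and a scan of firewall log lines for outbound TCP/25 connections to the relays. The lsof lines, the firewall lines, and the temporary directory tree are constructed for the example; the firewall line format (`src= dst= dport=`) is an assumption.

```python
import os
import re
import shutil
import tempfile

# Indicators transcribed from the advisory (trailing space on "smtp.free.fr " dropped).
TORED_FILENAMES = {"systemupdate", "applesystem"}
TORED_BOT_PORT = 9999
TORED_SMTP_HOSTS = {
    "smtp.9online.fr", "mail.club-internet.fr", "mail.diligo.fr", "smtp.free.fr",
    "smtp.infonie.fr", "smtp.libertysurf.fr", "smtp.nerim.fr", "mail.cybercable.fr",
    "mail.oreka.com", "smtp.wanadoo.fr", "mail.worldnet.fr", "smtp.laposte.net",
}

# One line of `lsof -nP -iTCP -sTCP:LISTEN`: COMMAND PID USER ... TCP host:port (LISTEN)
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*\sTCP\s+"
    r"(?P<host>\S+):(?P<port>\d+)\s+\(LISTEN\)\s*$")

# Assumed firewall log format: "... src=<ip> dst=<host> dport=<port> ..."
EGRESS_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def find_named_copies(root):
    """Files under `root` whose exact basename is one of the dropped names.
    'systemupdate.log' or 'SystemUpdate' are not indicators."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in files if n in TORED_FILENAMES)
    return sorted(hits)


def find_bot_listener(lsof_output):
    """(command, pid) for every process listening on the bot port."""
    found = []
    for line in lsof_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group("port")) == TORED_BOT_PORT:
            found.append((m.group("cmd"), int(m.group("pid"))))
    return found


def find_smtp_egress(log_lines):
    """(src, dst) for outbound TCP/25 connections to the worm's relays.
    Workstations normally submit mail through their own server, so a desktop
    opening port 25 to a French ISP relay is worth a look on its own."""
    hits = []
    for line in log_lines:
        m = EGRESS_RE.search(line)
        if (m and m.group("dport") == "25"
                and m.group("dst").lower().rstrip(".") in TORED_SMTP_HOSTS):
            hits.append((m.group("src"), m.group("dst")))
    return hits


# Constructed lsof output: header line, an unrelated listener, and the bot port.
LSOF_SAMPLE = """\
COMMAND       PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
rapportd      310 alice    3u  IPv4 0x5a7f3e21c0d0      0t0  TCP *:49152 (LISTEN)
systemupdate  501 alice    5u  IPv4 0x5a7f3e21d1e0      0t0  TCP *:9999 (LISTEN)
"""

# Constructed firewall lines: two relay hits, one unrelated submission, one wrong port.
FW_SAMPLE = [
    "2009-04-23T10:02:11Z src=10.0.0.12 dst=smtp.free.fr dport=25 proto=tcp",
    "2009-04-23T10:02:12Z src=10.0.0.12 dst=smtp.wanadoo.fr dport=25 proto=tcp",
    "2009-04-23T10:03:40Z src=10.0.0.7 dst=mail.example.com dport=587 proto=tcp",
    "2009-04-23T10:04:02Z src=10.0.0.12 dst=smtp.laposte.net dport=443 proto=tcp",
]


def demo_findings():
    """Run the three checks on constructed inputs and return the findings."""
    root = tempfile.mkdtemp(prefix="tored-demo-")
    try:
        # Two dropped-name files plus a decoy with a suffix that must not match.
        for rel in ("Applications/systemupdate", "Users/alice/applesystem",
                    "Users/alice/systemupdate.log"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"placeholder, not a real sample")
        files = [os.path.relpath(p, root) for p in find_named_copies(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {
        "files": files,
        "listeners": find_bot_listener(LSOF_SAMPLE),
        "smtp_egress": find_smtp_egress(FW_SAMPLE),
    }


if __name__ == "__main__":
    for key, value in demo_findings().items():
        print(f"{key}: {value}")
```

On a live Mac the first check runs over `/`, `/Applications` and home directories, and the second over the real `lsof -nP -iTCP -sTCP:LISTEN` output; a listener on 9999 named after one of the dropped files is the combination to escalate on.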

Method of Infection

This worm does not use any exploit code to execute the mail attachment automatically. A user has to double-click an infected attachment, or a copy of the worm received via P2P, to infect the machine.

Removal

AVERT recommends always using the latest DATs and engine. This threat is cleaned by the DAT and engine combination listed above.

Variants

    N/A

Overview

-- Update May 6, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/05/06/mac_email_worm/
--


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
