W32/Cazinat.worm.b

Type: Virus
SubType: Internet Worm
Discovery Date: 10/07/2002
Length: 40,155 bytes
Minimum DAT: 4228 (10/09/2002)
Updated DAT: 4228 (10/09/2002)
Minimum Engine: 5.1.00
Description Added: 10/09/2002
Description Modified: 10/09/2002 3:49 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is an intended mass-mailer and KaZaa worm. The code contains bugs, so the worm does not propagate as intended. It attempts to email random addresses in the domains TIN.IT, HOTMAIL.COM, YAHOO.IT and INWIND.IT, as well as MSN Messenger contacts. The messages it sends are as follows:

From: Staff di <first part of one domain name from the list, e.g. YAHOO>
To: <random address>@<domain name from the list>
Subject: Servizio abbonati
Body: Gentile abbonato, lo <FROM field value> ti regala un grazioso screen saver come da te richiesto.
Se non vuoi ricevere più i nostri screen saver inviaci una e-mail vuota.
Per accedere direttamente al nostro sito clicca sul link che segue: http://www.<first part of one domain name from the list>.it

Attachment: Figura.scr

or

From: <Messenger contact address>
To: <Messenger contact address>
Subject: Screen Saver Figura
Body: Buongiorno, il nostro Staff le ha allegato uno screen saver
riguardante l' uso della canapa tra i giovani d' oggi.
Questo contiene molte informazioni che è bene conoscere, soprattutto
se non si fa uso di tale sostanza!
Se e favorevole alla legalizzazione della canapa(non droga)
faccia notizia espandendo quest' email ai suoi amici e colleghi.

Attachment: Figura.scr

When the attachment is run, the worm gathers email addresses from the MSN Messenger contact list and stores them in the file Contact-e-mail.ini in the %TEMP% directory. It uses the server smtp.aruba.it to send mail. The propagation routine does not succeed, however, because the worm attaches the file c:\windows\system\Figura.scr, which during testing was either not created at all or created as a 0-byte file.

The following registry value is created to run the worm at system startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ "Veline" = Veline.exe

During testing, the referenced Veline.exe was not created.

Symptoms

Presence of the following files:

  • Contact-e-mail.ini
  • Figura.scr

Method of Infection

This worm attempts to email itself to MSN Messenger addresses found on the local system, using SMTP. It also attempts to copy itself to KaZaa shared folders.

If the current year is 2003 or greater and the day of the month is 31, the virus displays a fake error message:

E r r o r: II programma e scaduto!

(Italian for "Error: The program has expired!")
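A host triage check for the artifacts described above (the Run value, the two dropped files and the date trigger), added here as an illustration and not part of the original McAfee description. It assumes as inputs a .reg export of the Run key and a (path, size) file listing, both constructed inline so it runs offline.

```python
import re

# Hypothetical triage helper (not McAfee's detection logic) for the
# artifacts this description names: Run value, dropped files, date trigger.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Veline"
DROPPED = {"contact-e-mail.ini", "figura.scr"}  # compared case-insensitively

# Constructed sample inputs: a .reg export and a (path, size) file listing.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Veline"="Veline.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Unrelated"="other.exe"
"""
SAMPLE_FILES = [
    (r"C:\WINDOWS\TEMP\Contact-e-mail.ini", 212),
    (r"C:\WINDOWS\SYSTEM\Figura.scr", 0),  # the 0-byte drop seen in testing
    (r"C:\WINDOWS\NOTEPAD.EXE", 53248),
]

def run_values_from_reg(reg_text):
    """Return {name: data} for string values under the Run key of a .reg export."""
    values, in_run_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # key header line: [HKEY_...\Path]
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_run_key:
            m = re.match(r'"([^"]+)"="(.*)"$', line)  # "name"="data"
            if m:
                values[m.group(1)] = m.group(2)
    return values

def find_indicators(reg_text, files):
    """List the Cazinat.b artifacts present in a reg export and file listing."""
    findings = []
    data = run_values_from_reg(reg_text).get(RUN_VALUE)
    if data is not None:
        findings.append(f"Run value {RUN_VALUE!r} = {data!r}")
    for path, size in files:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in DROPPED:
            note = " (0-byte, matches described failed drop)" if size == 0 else ""
            findings.append(f"file {path}{note}")
    return findings

def payload_triggers(year, day_of_month):
    """Date condition under which the worm shows the fake 'expired' error."""
    return year >= 2003 and day_of_month == 31
```

Run `find_indicators(SAMPLE_REG, SAMPLE_FILES)` to see the three findings; a real .reg export is typically UTF-16 and must be decoded to text first.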

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.