W32/Korvar

Type
Virus
SubType
Worm
Discovery Date
11/24/2002
Length
91,086 bytes
Minimum DAT
4235 (11/27/2002)
Updated DAT
4298 (10/15/2003)
Minimum Engine
5.1.00
Description Added
11/24/2002
Description Modified
11/27/2002 10:05 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

This threat has an updated risk assessment of Low-Profiled due to the Ananova article "Experts warn Winevar worm is spreading".

The prevalence of this worm is, at the time of this writing, more concentrated in Korea. It may arrive in an email message with the following information:

Subject: Varies
Body: Varies
Attachments (3):

  • WIN<random characters>.TXT (12.6 KB) MUSIC_1.HTM
  • WIN<random characters>.GIF (120 bytes) MUSIC_2.CEO
  • WIN<random characters>.PIF

    The worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability (MS01-020) in Microsoft Internet Explorer (versions 5.01 and 5.5 without SP2) to execute itself automatically when an infected message is viewed. Alternatively, users may run the .HTM attachment, which exploits the "Microsoft VM ActiveX Component" vulnerability to register the file extension .CEO in the registry:

    • HKEY_CLASSES_ROOT\.CEO\(Default)="exefile"
    • HKEY_CLASSES_ROOT\.CEO\Content Type="application/x-msdownload"

    Once these values are present, the attached .CEO file is treated like an .EXE file when it is run.

    When the .CEO file is run, it copies itself to the WINDOWS SYSTEM (%SysDir%) directory with a random filename starting with "WIN" and ending with ".PIF". Registry run keys are then created for both the copied file and the originally executed file:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "(Default)"=First infected file run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "WIN<random characters>"=C:\WINDOWS\SYSTEM\WIN<random characters>.pif
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "(Default)"=First infected file run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "WIN<random characters>"=C:\WINDOWS\SYSTEM\WIN<random characters>.pif
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "(Default)"=First infected file run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "WIN<random characters>"=C:\WINDOWS\SYSTEM\WIN<random characters>.pif
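As an added example (not code from the original description), the following Python scans a `reg export` text dump for the registry changes listed above: the .CEO-to-exefile mapping, a "(Default)" value set on a Run/RunServices key, and autorun entries pointing at a WIN*.PIF file. The embedded dump is constructed; its value names and paths are made up.

```python
import re

# Constructed sample of a "reg export" dump; the value names and paths are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.CEO]
@="exefile"
"Content Type"="application/x-msdownload"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\Temp\\WINJ5K2Q.PIF"
"WINJ5K2Q"="C:\\WINDOWS\\SYSTEM\\WINJ5K2Q.pif"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WINJ5K2Q"="C:\\WINDOWS\\SYSTEM\\WINJ5K2Q.pif"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VAL_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')
RUN_KEY_RE = re.compile(r"^HKEY_(?:CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft"
                        r"\\Windows\\CurrentVersion\\Run(?:Services)?$", re.I)
PIF_RE = re.compile(r"(?:^|\\)WIN[^\\]*\.PIF$", re.I)  # the worm's WIN<random>.PIF copy


def _unescape(s):  # undo the .reg escaping of quotes and backslashes
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Yield (key, value_name, data) for string values in a .reg export; '@' becomes '(Default)'."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VAL_RE.match(line)
        data = m.group("data") if m and key else ""
        if not (data.startswith('"') and data.endswith('"')):
            continue  # hex:/dword: values are not needed for these indicators
        name = m.group("name")
        yield key, "(Default)" if name is None else _unescape(name), _unescape(data[1:-1])


def korvar_indicators(reg_text):
    """Return (key, value_name, data, reason) for entries matching the registry changes above."""
    hits = []
    for key, name, data in parse_reg(reg_text):
        if key.upper() == r"HKEY_CLASSES_ROOT\.CEO" and name == "(Default)" and data.lower() == "exefile":
            hits.append((key, name, data, ".CEO extension mapped to exefile"))
        elif RUN_KEY_RE.match(key) and name == "(Default)" and data:
            hits.append((key, name, data, "(Default) value set on an autorun key (normally unset)"))
        elif RUN_KEY_RE.match(key) and PIF_RE.search(data):
            hits.append((key, name, data, "autorun of a WIN*.PIF file"))
    return hits
```

A real dump is read with `korvar_indicators(open("dump.reg", encoding="utf-16").read())`, since `reg export` writes UTF-16; a Run key with a non-empty "(Default)" value is worth a look regardless of the file it points to.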

    When run, the virus will at random display a message box.

    After OK is pressed, the virus will attempt to delete all files and folders on the local system.

    A slightly modified version of W32/Funlove is dropped in the SYSTEM directory with the name AAVAR.PIF. This file is detected as W32/Funlove.dr with the current DAT files. Files infected by this virus are detected as W32/Funlove.gen with the current DAT files as well. Files named WIN<random characters>.TMP are also created by W32/Korvar during the infection.
    Symptoms

    - Degradation of system performance
    - Presence of WIN*.PIF files in the WINDOWS SYSTEM directory
    - Presence of the W32/Funlove.gen and W32/Funlove.dr viruses.

    Method of Infection

    This worm arrives as an email attachment. It exploits known Microsoft Internet Explorer vulnerabilities to automatically run on an unpatched system. Once running, the virus terminates security software, may try to delete all files, and may attempt to harvest email addresses found on the local system to mail itself to those recipients via SMTP.

    Removal

    All Users:
    Use specified engine and DAT files for detection and removal. Delete files which contain this detection.

    Additional Windows ME/XP removal considerations

    Variants

      N/A

    All Information

    Overview

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

    Aliases

    • I-Worm.Winevar (AVP)
    • W32.HLLW.Winevar (Symantec)
    • Win32.HLLM.Seoul (Dr. Web)
    • WORM_WINEVAR.A (Trend)
