
It is a biggie Worm ...



Okay folks, here it is ...

I just received this from Dr. Solomon's


Long explanation:

Profile

Name
W32/NewApt.worm

Aliases
I-Worm/MesMate, TROJ_NEWAPT.WORM, W32.NewApt.worm, W32/NewApt.worm

Variants
None

Date Added
12/15/99

Information
  Discovery Date: 12/14/99
  Type: Virus
  SubType: worm
  Risk Assessment: High
  Minimum DAT: 4058
  Minimum Engine: 4.0.25


Characteristics
This worm has been reported to AVERT in several countries during the week of
December 13, 1999. The file may be received by email with a size of 69,632
bytes. The worm arrives by email and, depending on whether the email
application supports HTML email body content or not, one of two messages is
displayed. If HTML is supported, the message content looks like this:

---------------------------------------------------------------


http://stuart.messagemates.com/index.html



Hypercool Happy New Year 2000 funny programs and animations...

We attached our recent animation from this site in our mail ! Check it out

---------------------------------------------------------------

If the email client does not support HTML, the email message will have this
content:

---------------------------------------------------------------

he, your lame client cant read HTML, haha. click attachment to see some
stunningly HOT stuff

---------------------------------------------------------------

The email contains an attachment of a randomly selected name from the
following list:
baby.exe
bboy.exe
boss.exe
casper.exe
chestburst.exe
cooler1.exe
cooler3.exe
copier.exe
cupid2.exe
farter.exe
fborfw.exe
goal.exe
goal1.exe
g-zilla.exe
irngiant.exe
hog.exe
monica.exe
panther.exe
panthr.exe
party.exe
pirate.exe
s.exe
saddam.exe
theobbq.exe
video.exe

Please note that the file is not a "messagemates" game program and is not
related to the web site listed in the email message! Messagemates.com has
also issued a notice about this on their web site at this location:
http://stuart.messagemates.com/notice.htm There is no icon associated with
this 32-bit file other than the one associated with command line executables
such as COMMAND.COM. If this worm is run, a "dummy" error message is
displayed with the text:

The dinamic link library giface.dll could not be found in the specified path
(list of directory names)

The list of directory names is taken from the system environment variable
"path", which is set in AUTOEXEC.BAT in Windows 9x and is also configurable in
Windows NT through the control panel. Note the misspelling of the word
"dinamic".

The machine is then checked for the installation of MS Outlook Express. If
found, two files are written in the c:\windows folder:

mma. - contains a listing of email addresses
mmail. - contains the directory of MS Outlook Express

The list of email addresses is captured by checking all folders in Outlook
Express for email messages received!

A file is then saved to the Windows folder and the registry is modified to
load the file at the next Windows startup with a command line option of
"/x". For example, if the executable "chestburst.exe" is run, the registry
entry would look like this on a Windows 95 system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tpawen =
c:\windows\chestburst.exe /x

On the next Windows startup, the file is loaded. When the worm loads into
memory, it waits for an unspecified amount of time and then sends an email
message to one of the listed entries from the file "mma." with the format
mentioned at the beginning of this description.

While the worm is active on a Windows 9x system, the following DLLs are
implemented:

C:\WINDOWS\SYSTEM\WSOCK32.DLL
C:\WINDOWS\SYSTEM\WININET.DLL
C:\WINDOWS\SYSTEM\SHLWAPI.DLL
C:\WINDOWS\SYSTEM\USER32.DLL
C:\WINDOWS\SYSTEM\GDI32.DLL
C:\WINDOWS\SYSTEM\ADVAPI32.DLL
C:\WINDOWS\SYSTEM\KERNEL32.DLL

When an email application such as MS Outlook is in use, the additional DLL
loaded is TAPI32.DLL.

At this time, AVERT is analyzing the distribution method for this worm.
Strings within the executable suggest that it uses information stored in the
file "prefs.js" which is a reference to Netscape.


Symptoms
Existence of this file on the local system - modifications to the system
registry as mentioned above - email mailings as mentioned above.


Method Of Infection
Running the executable will directly copy itself and run the mailing
routine.
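As an added defender-side triage helper (example code, not part of the forwarded advisory), the script below checks Run-key values, a Windows-folder listing and attachment names against the indicators the profile lists; the function names and all sample data are constructed for this example.

```python
# Added example, not from the AVERT/Dr. Solomon's profile: matches constructed
# host and mail artefacts against the W32/NewApt.worm indicators listed above.
import re

# Attachment names the profile lists (compared case-insensitively).
NEWAPT_ATTACHMENTS = {
    "baby.exe", "bboy.exe", "boss.exe", "casper.exe", "chestburst.exe",
    "cooler1.exe", "cooler3.exe", "copier.exe", "cupid2.exe", "farter.exe",
    "fborfw.exe", "goal.exe", "goal1.exe", "g-zilla.exe", "irngiant.exe",
    "hog.exe", "monica.exe", "panther.exe", "panthr.exe", "party.exe",
    "pirate.exe", "s.exe", "saddam.exe", "theobbq.exe", "video.exe",
}
# Files the profile says are dropped in the Windows folder (trailing dot as listed).
NEWAPT_DROPPED = {"mma.", "mmail."}
# Run-key data of the form <dir>\<listed name>.exe /x, e.g. c:\windows\chestburst.exe /x
RUN_VALUE_RE = re.compile(r"^(?P<path>.+\\(?P<exe>[^\\]+\.exe))\s+/x$", re.IGNORECASE)


def check_attachment(name):
    """True if a mail attachment name is one the profile lists."""
    return name.lower() in NEWAPT_ATTACHMENTS


def check_run_values(run_values):
    """run_values: dict of Run-key value name -> data. Returns suspicious value names."""
    hits = []
    for value_name, data in run_values.items():
        m = RUN_VALUE_RE.match(data.strip())
        if m and m.group("exe").lower() in NEWAPT_ATTACHMENTS:
            hits.append(value_name)
    return hits


def check_dropped_files(windows_dir_listing):
    """Returns the NewApt marker files present in a Windows-folder listing."""
    present = {f.lower() for f in windows_dir_listing}
    return sorted(NEWAPT_DROPPED & present)


def triage(run_values, windows_dir_listing, attachments):
    """Combine the three checks into one findings dict for an analyst."""
    return {
        "run_key_hits": check_run_values(run_values),
        "dropped_files": check_dropped_files(windows_dir_listing),
        "attachments": [a for a in attachments if check_attachment(a)],
    }


# Constructed sample data (hypothetical host, mirrors the profile's example).
SAMPLE_RUN = {"tpawen": r"c:\windows\chestburst.exe /x", "SystemTray": "SysTray.Exe"}
SAMPLE_DIR = ["mma.", "mmail.", "win.ini", "chestburst.exe"]
SAMPLE_ATTACH = ["holiday.jpg", "COOLER1.EXE"]
```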
---------------
See http://www.aka.org/AKA/subkillietalk.html to unsubscribe