Stages
Virus Characteristics
This is a multi-application Internet worm that spreads by any of four mechanisms: it takes advantage of Pirch, mIRC, and Outlook installations, and also copies itself to available mapped drives.
This Internet worm was first announced on the author's website and has not been seen at a customer site as of this description posting.
This worm may arrive by email in the following format:
Subject: Funny
The attachment is 39,936 bytes and is a Shell Scrap Object file. These files are the most unpredictable file type of all, since they can be anything from an authentic file to a trojan application. In this case, the file cannot be trusted.
An interesting feature of SHS files is that the extension remains hidden even when the operating system is set to show file extensions. This helps to confuse the user into believing the file is really a .TXT file. Double-clicking on the file installs this Internet worm in an interesting manner.
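The hidden-extension behaviour described above can be checked at a mail gateway before a user ever sees the file. The following is an added example, not code from the original description: it emulates how the Windows shell displays a filename whose file type carries a NeverShowExt registry value (as the ShellScrap class does by default), and flags attachments whose displayed name misrepresents their real type. The set of extensions treated as hidden, the set treated as active content, and the sample filenames are the author's own assumptions; the 39,936-byte size comes from the description.

```python
"""Attachment triage for Shell Scrap (.SHS) files whose extension Windows hides.

Added example, not part of the original virus description. It models the
effect of a NeverShowExt value on a file class: Explorer drops the final
extension even when "hide extensions of known file types" is turned off, so
LIFE_STAGES.TXT.SHS is shown to the user as LIFE_STAGES.TXT.
"""
import os
from typing import List, Optional

# Extensions whose registry class ships with NeverShowExt (assumption: this
# list is the example author's own; .shs is the one the description discusses).
HIDDEN_EXTENSIONS = {".shs", ".shb", ".lnk", ".pif", ".url"}

# Extensions that can execute code or scripts when opened (assumption).
ACTIVE_EXTENSIONS = {".shs", ".shb", ".lnk", ".pif", ".exe", ".vbs", ".scr", ".bat"}

# Size of the LIFE_STAGES attachment given in the description.
STAGES_ATTACHMENT_SIZE = 39936


def displayed_name(filename: str) -> str:
    """Return the name Explorer would show for this file.

    If the real extension belongs to a NeverShowExt class it is stripped,
    leaving whatever decoy extension the attacker placed before it.
    """
    stem, ext = os.path.splitext(filename)
    if ext.lower() in HIDDEN_EXTENSIONS:
        return stem
    return filename


def apparent_extension(filename: str) -> str:
    """Extension the user perceives: the last extension of the displayed name."""
    return os.path.splitext(displayed_name(filename))[1].lower()


def triage_attachment(filename: str, size: Optional[int] = None) -> List[str]:
    """Return the reasons an attachment should be blocked or quarantined.

    An empty list means none of the checks fired.
    """
    reasons = []
    real_ext = os.path.splitext(filename)[1].lower()
    shown_ext = apparent_extension(filename)

    if real_ext in HIDDEN_EXTENSIONS:
        reasons.append(f"real extension {real_ext} is hidden by the shell (NeverShowExt)")
    if real_ext in ACTIVE_EXTENSIONS and shown_ext and shown_ext != real_ext:
        reasons.append(f"displayed as {shown_ext} but actually {real_ext}")
    if real_ext == ".shs":
        reasons.append("Shell Scrap Object can wrap any embedded object or command")
    if size == STAGES_ATTACHMENT_SIZE and real_ext == ".shs":
        reasons.append("size matches the LIFE_STAGES attachment (39,936 bytes)")
    return reasons


if __name__ == "__main__":
    # Constructed sample names for the demonstration.
    for name, size in (("LIFE_STAGES.TXT.SHS", 39936), ("report.txt", 1200)):
        print(f"{name!r} is shown as {displayed_name(name)!r}: {triage_attachment(name, size)}")
```

A gateway rule built on this would quarantine anything for which `triage_attachment` returns a non-empty list; the first two reasons alone catch every NeverShowExt double-extension trick, not just this worm.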
This SHS worm does contain content which is displayed while it installs itself to the local host. The following text file is shown:
---------copy of displayed text--------
Age. Seduction lines.
One significance of this exploitation of SHS files is that it raises awareness to the fact that the extension is not shown, even if a system is configured to "show all files" and "show extensions of known file types".
This is due to a registry entry for Shell Scrap file types:
HKEY_CLASSES_ROOT\ShellScrap
Users can change this by renaming the "NeverShowExt" value under the key above to "AlwaysShowExt", or by deleting the value altogether. Once it is modified, the user must log off and log back in to Windows for the change to take effect.
Symptoms
*Because this worm creates files in the Recycle Bin, it is necessary to remove the Recycle Bin from the exclusion list in VirusScan. Also scan ALL files.*
If the Recycle Bin is emptied, the relocated REGEDIT (RECYCLED.VXD) will be removed (see below for the files this Internet worm creates). Obtain a copy of REGEDIT.EXE from a non-infected system and place it in the Windows folder. Additional registry settings will require adjusting.
Method Of Infection
* moves REGEDIT.EXE from the Windows folder to the Recycle Bin as "RECYCLED.VXD", and modifies the registry so that this relocated file is used when registry (.REG) files are opened or imported
* creates files of random names throughout the local system and all available drives; fixed names include the following:
The following are examples of random names generated:
([Random1]+[Random2]+[Random3])+TXT+SHS.
Random1 is a selection of one of five choices:
* modifies the registry to run SCANREG.VBS at Windows startup
* modifies the registry to run DBINDEX.VBS when loading ICQ
* modifies the registry to run RECYCLED.VXD when calls are made to run REGEDIT type files
* modifies MIRC.INI to load an auxiliary script file for PIRCH/mIRC installations
* creates SOUND32B.DLL whenever Windows restarts in the Windows folder via SCANREG.VBS; SOUND32B.DLL is an auxiliary script file called by MIRC.INI; SOUND32B.DLL contains instructions to send the file LIFE_STAGES.TXT.SHS when connecting to IRC channels
* modifies the following registry settings (to recover, modify these to original "from" settings):
HKLM\Software\CLASSES\regfile\DefaultIcon
HKLM\Software\CLASSES\regfile\shell\open\command
* creates the following registry settings (to recover, delete these keys):
HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
HKU\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ\
HKLM\Software\CLASSES\txtfile\
HKLM\Software\Microsoft\Windows\CurrentVersion\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
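The registry changes listed above can be audited from an exported .reg file rather than by clicking through REGEDIT (which this worm has relocated). The following is an added example, not code from the original description: a small parser for the .reg text format and an audit that checks only for the keys and file names the description gives. The sample export is constructed for the demonstration, and the value names in it ("ScanReg", "Path") are placeholders, since the description does not list them.

```python
"""Audit a Registry export (.reg text) for the changes this worm makes.

Added example, not part of the original virus description. The checks rely
only on the keys and file names listed in the description; the sample export
and its value names are constructed placeholders.
"""
import re

# Constructed sample: what a compromised host's export might contain.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap object"
"NeverShowExt"=""

[HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command]
@="C:\\RECYCLED\\RECYCLED.VXD \"%1\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ScanReg"="C:\\WINDOWS\\SCANREG.VBS"

[HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ]
"Path"="C:\\WINDOWS\\DBINDEX.VBS"
'''

# File names the description attributes to the worm.
WORM_FILES = ("scanreg.vbs", "dbindex.vbs", "recycled.vxd", "sound32b.dll")

SCRAP_KEY = r"HKEY_CLASSES_ROOT\ShellScrap"
REGFILE_CMD_KEY = r"HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command"

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; '@' is the default value.

    Only string data is unescaped; other types (dword:, hex:) are kept raw.
    Real REGEDIT exports are UTF-16LE, so read them with encoding='utf-16'.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # Undo .reg string escaping: \\ -> \ and \" -> "
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def audit(keys):
    """Return a list of findings for the indicators given in the description."""
    findings = []
    if "NeverShowExt" in keys.get(SCRAP_KEY, {}):
        findings.append("ShellScrap still hides the .SHS extension (NeverShowExt present)")
    regcmd = keys.get(REGFILE_CMD_KEY, {}).get("@", "")
    if regcmd and "regedit.exe" not in regcmd.lower():
        findings.append(f"regfile open command does not call regedit.exe: {regcmd}")
    for key, values in keys.items():
        for name, data in values.items():
            for worm_file in WORM_FILES:
                if worm_file in data.lower():
                    findings.append(f"{key}\\{name} references {worm_file.upper()}")
    return findings


def audit_reg_text(text):
    """Convenience wrapper: parse an export and audit it in one call."""
    return audit(parse_reg(text))


if __name__ == "__main__":
    for finding in audit_reg_text(SAMPLE_REG):
        print(finding)
```

Each finding names the key and value to repair, which matches the recovery advice above: restore the two regfile values to their original data and delete the created keys. The NeverShowExt finding is a hardening point rather than an infection indicator, since that value is present on a clean system too.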
Removal Instructions
Note1- Microsoft has released an update for Outlook as an email attachment security update. For a list of attachments blocked and a general FAQ, visit this link.
Note2- It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.
PE, Trojan, Internet Worm and memory resident