发信人: emil()
整理人: emil(1999-06-16 09:51:33), 站内信件
|
I-Worm.ZippedFiles
This is a worm virus spreading via Internet. It appears as a
"Zipped_Files.Exe" file attached to email. This file itself is a
Delphi executable files about 210Kb of length. The most part of
file's code is occupied by Delphi run-time libraries, data and
classes, and just about 10Kb of code is "pure" worm code.
Being executed it installs itself into the system, then sends
infected messages (with its attached copy) to addresses using
addresses found in emails in the Inbox. To hide its activity the worm
displays the message:
To install into the system the virus copies itself to Windows
directory with the _SETUP.EXE name and to Windows system directory
with EXPLORE.EXE name, for example:
C:\WINDOWS\_SETUP.EXE
C:\WINDOWS\SYSTEM\EXPLORE.EXE
The worm then registers its copy in the Windows configuration file
WIN.INI to force the system to execute it each time Windows starts
up. To do that the worm writes the instruction "run=" to the
[windows] section there. Depending on the worm "status" and system
conditions there are two possible variants of this instruction, for
example:
run=_setup.exe
run=C:\WINDOWS\SYSTEM\Explore.exe
The worm then stays "memory resident" and is active up to the moment
the system shuts down. The worm's task has no active window and is
not visible in taskbar, but is visible in the task list (Ctrl-Alt-
Del) with one of the names the worm use to name their copies:
Zipped_files
Explore
_setup
The worm does not check its copy already presented in the Windows
memory, and as a result there may be several worm's instances found.
Being active as a Windows application the worm runs four threads of
its main process: installation thread that copies worm files to the
Windows directories and registers them, the Internet spreading thread
and two files destroying threads.
The second (most important) thread sends the email messages using any
email system based on standard MAPI (Messaging Application Program
Interface) - MS Outlook, MS Outlook Express, e.t.c. The worm knocks
to the installed E-mail system four times trying to logon with
different MAPI profiles: default one, Microsoft Outlook, Microsoft
Outlook Internet Settings, Microsoft Exchange.
Being connected to the E-mail the worm monitors all arriving messages
- in endless loop it scans Inbox for messages and reply to them. The
reply message has the same Subject with "Re" prefix, the body of
message looks like follows:
Hi [recipient name]
I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs.
The message ends with one of two variants of signature:
bye.
sincerely [sender name]
The copy of worm is attached to the message with the
"Zipped_Files.Exe" name.
The worm does not reply on the messages twice and does not reply its
own messages. To detect already affected messages the worm marks them
with TAB character at the end of Subject string. Each time the worm
scans Inbox for messages, it gets Subject field, goes to its end, and
skips the message if TAB is found there. The worm also does not reply
all messages in Inbox but unread messages only.
It is necessary to note that both these conditions (reply unread
messages only and do not reply the same message twice) are optional
in the worm's infection routine. In known worm version both of them
are hardcoded the way described above, but it is possible that the
next worm version will answer all messages in Inbox each time the
worm infection thread gets control.
As a result the things look like follows. When the worm starts for
the first time on the computer, it sends infected messages by using
all unread messages found in the Inbox. It marks them as "affected"
by TAB character and does not affect anymore. When a new message is
received from the Internet and appears in the Inbox, it is
immediately "answered" by worm with the fake text shown above.
The virus has extremely dangerous payload. Each time it is executed,
it runs two more threads that scan directory trees on the local and
network drives, look for .C, .H, .CPP, .ASM, .DOC, .XLS, .PPT
(programs' source and MS Office files) and zeroes them. The worm uses
a create-and-close trick that erases file contents and sets file
length to zero. As a result the files become unrecoverable.
As it is mentioned above, there are two files killing threads. First
of them is active all time the worm copy is active in the system -
till the shutting down. In endless loop it scans all available drives
from C: to Z: and corrupts files that were listed above. The second
thread is executed only once. It enumerates network resources, scans
them for the same files and also destroys them.
-- 欢迎光临“病毒观察” http://bd.yeah.net “聊毒斋” http://ldz.126.com http://liaoduzhai.163.net Email: [email protected]
※ 来源:.月光软件站 http://www.moon-soft.com.[FROM: 202.192.154.2]
|
|