Section: Virus Warnings / Current Reports

Aladdin: Virus Alert "Win32.Swen.a"

Win32.Swen.a is a Mass-Mailing Worm Which Employs Multiple Propagation Methods to Spread (22.09.03)
Win32.Swen may appear to be a legitimate message from Microsoft. All users must note that Microsoft will never send updates and patches via email. The worm attempts to open itself automatically when received via email by using the I-Frame exploit. eSafe Gateway and eSafe Mail customers are proactively protected from this exploit and therefore the worm will not be able to self-execute on protected machines.
The arriving email will have the following characteristics:

Sender:
The forged sender's address is composed of several random strings. The random address is composed as follows: Username@domain.domain-suffix.com or .net

Possible Usernames:
· Assistance
· Bulletin
· Center
· Corporation
· Customer
· Department
· Division
· Internet
· Microsoft
· MS
· Network
· Program
· Public
· Section
· Security
· Services
· Support
· Technical

Possible Domain Names:
· advisor
· bulletin
· confidence
· news
· newsletters
· support
· technet
· updates

Possible Domain Suffixes:
· microsoft
· ms
· msdn
· msn

Subject:
The subject of this mail will usually be composed from a pre-generated list of words. There may be thousands of different variations.

Message body:
The message body contains information that may appear legitimate. It claims to include a cumulative patch for Internet Explorer, Outlook and Outlook Express. The exact message is also constructed from various lines of text and may appear different for each recipient.

Attached File:
The attached file will be an executable (.EXE). The name itself will be composed of one of the following text strings and end with a randomly generated number:
· install
· patch
· q
· update

Malicious Activity

When the worm is executed it does the following:
1. The worm attempts to disable various processes related to security applications. This may help the worm thrive on a system if it was not already protected.

2. The worm searches the registry to check if the computer is already infected. If it doesn't find the relevant entry it creates one. This action also ensures the worm is executed whenever the computer is restarted. The registry entry is as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
'[random string]' = '[random string].exe /autorun'

3. If the computer is already infected by the worm, it will display the following message:
Subject: Microsoft Internet Update Pack
Message: This update does not need to be installed on this system.
If the computer is not yet infected, the worm will display the following message, with Yes and No buttons:
Subject: Microsoft Internet Update Pack
Message: This will install Microsoft Security Update. Do you wish to continue?
The infection will commence regardless of the user's selection. If the 'No' button is pressed, the worm will install itself in the background with no user interaction. When a user-authorized installation is complete the worm will notify the user accordingly.

4. Copies itself to the default Windows directory as an executable file with a random filename.

5. Creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\[randomly generated 4-character string]
'CacheBox Outfit' = 'yes'
'Install Item' = '<random string>'
'Installed' = '...by Begbie'
'Mirc Install Folder' = '<location of installed mIRC client>'
'Unfile' = '<random string>'
'ZipName' = '<random string>'

6. Modifies the following registry keys so that they correspond with its main executable file:
HKEY_LOCAL_MACHINE\CLASSES\exefile\shell\open\command
HKEY_LOCAL_MACHINE\CLASSES\regfile\shell\open\command
HKEY_LOCAL_MACHINE\CLASSES\scrfile\shell\open\command
HKEY_LOCAL_MACHINE\CLASSES\comfile\shell\open\command
HKEY_LOCAL_MACHINE\CLASSES\batfile\shell\open\command
HKEY_LOCAL_MACHINE\CLASSES\piffile\shell\open\command
This allows the worm to run whenever .exe, .reg, .scr, .com, .bat or .pif files are executed.

7. So that users will not be able to access the worm's registry modifications, it also creates the following entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
'DisableRegistryTools' = '1'

8. Occasionally, the worm may present a forged MAPI exception error which will prompt the user to enter all mail details, confidential (password) or otherwise.

9. When certain executables the worm does not agree with are opened, the worm will display the following error message and then close the application:
Exception error occured: Memory access violation in module kernel32 at <random number:random_number>

10. To spread via KaZaA, the worm creates a folder and shares it with other users. It then drops several copies of itself into that folder with various filenames and with .zip or .exe extensions.

11. To spread via mIRC, the worm attempts to open a client (if it exists on the infected computer), connect to channels and send itself to all users connected to those channels.

12. To spread via network shares, the worm attempts to copy itself to all startup folders on shared drives it can find.

13. The worm also attempts to spread via newsgroups, but only if the machine's user uses this service. The worm will only send itself to those newsgroups accessed by the user.

14. Finally, the worm attempts to send itself to all contacts harvested from various locations on the infected system. All messages attempt to use the I-Frame exploit in order to be automatically executed when the message is opened or previewed.

(ma)

Aladdin Knowledge Systems
SYSTEMS 2002, Hall B2, Booth 121
Contact: Wolfram Dorfner
Tel. (089) 894221-0, Fax (089) 894221-40
E-Mail: wdorfner@aladdin.de
Web: www.aladdin.de
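The arrival characteristics listed earlier in the alert (a forged sender assembled from the username, domain-name and domain-suffix word lists, and an .EXE attachment named from one of the four stems plus a random number) can be turned into a mail-gateway check. The following Python script is an added example written for this page, not Aladdin's or eSafe's code. The sample message it builds is constructed here to match the alert's description rather than captured from a real infection, and the iframe heuristic simply looks for an inline frame in an HTML body because the alert states the worm relies on the I-Frame exploit to auto-execute; that heuristic is an assumption of this example, not a signature from the alert.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Word lists transcribed from the alert above.
USERNAMES = {"assistance", "bulletin", "center", "corporation", "customer",
             "department", "division", "internet", "microsoft", "ms", "network",
             "program", "public", "section", "security", "services", "support",
             "technical"}
DOMAINS = {"advisor", "bulletin", "confidence", "news", "newsletters",
           "support", "technet", "updates"}
SUFFIXES = {"microsoft", "ms", "msdn", "msn"}

# Sender shape from the alert: Username@domain.domain-suffix.com (or .net)
SENDER_RE = re.compile(r"^([a-z]+)@([a-z]+)\.([a-z]+)\.(com|net)$", re.IGNORECASE)
# Attachment shape from the alert: one of four stems, a random number, then ".exe"
ATTACHMENT_RE = re.compile(r"^(install|patch|q|update)\d+\.exe$", re.IGNORECASE)


def sender_matches(addr):
    """True when every component of the address comes from the alert's word lists."""
    m = SENDER_RE.match(addr.strip())
    if not m:
        return False
    user, domain, suffix, _tld = (g.lower() for g in m.groups())
    return user in USERNAMES and domain in DOMAINS and suffix in SUFFIXES


def attachment_matches(filename):
    """True for names such as patch4921.exe or q123.exe."""
    return bool(filename) and ATTACHMENT_RE.match(filename) is not None


def swen_indicators(raw_message):
    """Return the list of Swen indicators found in a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    if sender_matches(from_addr):
        hits.append("forged-microsoft-sender:" + from_addr)
    for part in msg.walk():
        name = part.get_filename()
        if attachment_matches(name):
            hits.append("swen-attachment-name:" + name)
        # The alert says the worm relies on an inline frame to auto-execute, so an
        # <iframe> in an HTML body is recorded as a supporting signal (heuristic).
        if part.get_content_type() == "text/html" and "<iframe" in part.get_content().lower():
            hits.append("html-iframe-in-body")
    return hits


def build_sample():
    """Constructed sample shaped like the alert describes; not a captured worm message."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Support <Support@updates.microsoft.com>"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Microsoft Internet Update Pack"
    msg.set_content("This cumulative patch covers Internet Explorer, Outlook and Outlook Express.")
    msg.add_alternative("<html><body><iframe height=0 width=0></iframe>"
                        "<p>Install the attached update.</p></body></html>", subtype="html")
    # Four placeholder bytes stand in for the attachment body; only the name matters here.
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="patch4921.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in swen_indicators(build_sample()):
        print(hit)
```

The sender check deliberately requires all three address components to come from the lists, so ordinary mail from a real Microsoft domain is not flagged; a gateway rule would typically quarantine on the sender or attachment match alone and use the iframe signal only to raise the score.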
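Steps 2, 5, 6 and 7 of the alert describe registry artifacts a responder can look for on a suspect machine. The following Python script is an added example written for this page, not part of the alert or Aladdin's tooling: it parses a .reg export (the text format produced by Regedit or reg export) and flags those artifacts. The sample export, the random names qzhcwk and Kbdw, the C:\WINDOWS path and the baseline open-command values are constructed assumptions of this example; the baseline defaults correspond to Windows 2000/XP and should be confirmed against a known-clean reference machine before being relied on.

```python
import re

# Baseline open-command defaults on Windows 2000/XP. These are assumptions of this
# example (not data from the alert); confirm them on a known-clean reference machine.
EXPECTED_OPEN_COMMANDS = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
    "regfile": 'regedit.exe "%1"',
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_HIJACK_RE = re.compile(r"\\(exefile|regfile|scrfile|comfile|batfile|piffile)\\shell\\open\\command$")


def _unescape(s):
    # .reg files double backslashes and escape embedded quotes
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _parse_data(raw):
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) and other types are kept as text; not needed for these checks


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}}; the default value is named ''."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _parse_data(m.group(2))
    return keys


def swen_registry_indicators(keys):
    """Flag the artifacts described in steps 2, 5, 6 and 7 of the alert."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        # Step 2: a Run value whose data ends in "/autorun"
        if k.endswith("\\currentversion\\run"):
            for name, data in values.items():
                if isinstance(data, str) and data.rstrip().lower().endswith("/autorun"):
                    hits.append("run-autorun:%s=%s" % (name, data))
        # Step 5: marker values under ...\CurrentVersion\explorer\<4 random characters>
        if "\\currentversion\\explorer\\" in k and len(k.rsplit("\\", 1)[-1]) == 4:
            if values.get("CacheBox Outfit") == "yes" or "by Begbie" in str(values.get("Installed", "")):
                hits.append("swen-marker-key:" + key)
        # Step 6: a file-type open command that no longer matches the baseline
        m = _HIJACK_RE.search(k)
        if m and values.get("", "") != EXPECTED_OPEN_COMMANDS[m.group(1)]:
            hits.append("open-command-hijack:%s=%s" % (m.group(1), values.get("", "")))
        # Step 7: the DisableRegistryTools policy set to 1
        if k.endswith("\\policies\\system") and values.get("DisableRegistryTools") == 1:
            hits.append("registry-tools-disabled")
    return hits


# Constructed sample export: the random names, the C:\WINDOWS path and the key
# layout follow the alert's description, not an export from a real infected machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"qzhcwk"="C:\\WINDOWS\\qzhcwk.exe /autorun"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Kbdw]
"CacheBox Outfit"="yes"
"Installed"="...by Begbie"

[HKEY_LOCAL_MACHINE\CLASSES\exefile\shell\open\command]
@="C:\\WINDOWS\\qzhcwk.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\CLASSES\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

if __name__ == "__main__":
    for hit in swen_registry_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(hit)
```

The untouched batfile entry in the sample is there to show that the open-command check only fires on a deviation from the baseline; on a live system, export the Run, CLASSES and Policies keys from the suspect machine and feed the text to parse_reg_export rather than editing the sample.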