A new virus arrives as an e-mail message with the subject "New photos from my party" and the following text:
Hello! My party... It was absolutely amazing! I have attached my web page with new photos! If you can please make color prints of my photos. Thanks!
The attachment is a file named like a URL: www.myparty.yahoo.com. The whole message is about 29 KB. The "web page" is not a real link but a disguised file: its last extension is "com", so Windows treats it as an ordinary executable. The idea behind the virus is obvious: a recipient who sees what looks like a web address clicks it to look at the "photos", and the virus starts running. Judging by how fast the virus spread, the idea worked.
Doctor Web developers have prepared all the measures required to protect users' computers. Today's "hot add-on" to the virus database contains everything needed to detect the virus and protect your computer. We appeal to all users: please look after the health of your computers and update the virus database regularly.
When launched, the virus first checks the system date. If the date is outside the range 25-29 January 2002, or the system uses a Cyrillic keyboard layout, the virus tries to move the file it was launched from to the Recycle Bin and terminates immediately. If the date and keyboard layout are satisfactory, the virus checks the operating system type. On Windows NT/2000/XP it installs a Trojan component into the system.
To do this the virus extracts packed code from its own body and writes it under the name "msstask.exe" to the current user's Startup folder:
%USERPROFILE%\Startup\Programs\Startup\msstask.exe
The Trojan is therefore launched automatically the next time the current user logs in. It runs only under NT/2000/XP and, like the dropper, checks at start-up whether the system uses a Cyrillic keyboard layout; if so, it does nothing.

When it does run, the Trojan creates an additional desktop named "SecondDesktop", fetches encrypted "control data" from http://209.151.250.170/wares-xchg.cgi?xxxxxxxxx (where xxxxxxxx is a random string of digits), decrypts it and, following the instructions received, performs the steps needed to start Microsoft Internet Explorer on the second, invisible desktop and feed it a list of web page addresses. Once that succeeds, the program can also generate user keystrokes as directed by the control data. An infected computer can thus be used to inflate hit counters on pages chosen by the virus author and to run scripts there. Note that by default only members of the Administrators group can create desktops, so the Trojan's "stealth" launch of Internet Explorer will not always succeed.

The virus then writes a copy of itself to C:\REGCTRL.EXE (Windows 9x/Me) or C:\RECYCLED\REGCTRL.EXE (Windows NT/2000/XP) and launches it, after which the original instance exits. The new copy immediately begins replicating: it reads the SMTP server address registered in the system for MS Outlook, Outlook Express or Internet Mail, locates the Windows Address Book file, scans it and extracts e-mail addresses. It then finds the current user's DBX files (Outlook Express mail databases) and extracts e-mail addresses from those as well. Finally it sends copies of itself to the first five hundred addresses found.
The message sent has the following subject line and text:
Subject: new photos from my party
Message body:
Hello! My party... It was absolutely amazing! I have attached my web page with new photos! If you can please make color prints of my photos. Thanks!
The virus body is attached in UUENCODE format under the name "www.myparty.yahoo.com".
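As an added example (not part of Doctor Web's description and not the virus's own code), the check below covers the two points above: it scans a raw message for inline UUENCODE blocks, decodes them with Python's binascii.a2b_uu, and flags an attachment whose name reads like a web address but whose final extension is one Windows executes, the trick behind "www.myparty.yahoo.com". The sample message is constructed here; the attached bytes are a harmless stand-in that merely starts with an "MZ" header, not the virus.

```python
import binascii
import re

# Extensions Windows runs on double-click; "com" is the one the virus relies on.
EXECUTABLE_EXTENSIONS = {"com", "exe", "scr", "pif", "bat", "cmd", "vbs", "js"}

# Two or more dot-separated labels followed by a short final label:
# "www.myparty.yahoo.com" matches, "setup.exe" does not.
URL_LIKE_NAME = re.compile(r"^(?:[a-z0-9-]+\.){2,}[a-z]{2,4}$", re.IGNORECASE)

# Opening line of a classic inline uuencode block: "begin <mode> <name>".
UU_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S.*)$")


def name_is_disguised(filename: str) -> bool:
    """True when the name reads like a web address but ends in an executable
    extension, i.e. a user who 'clicks the link' actually runs a program."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in EXECUTABLE_EXTENSIONS and URL_LIKE_NAME.match(filename) is not None


def extract_uuencoded(message: str):
    """Yield (filename, data) for every 'begin ... end' uuencode block that
    appears inline in the message text."""
    lines = message.splitlines()
    i = 0
    while i < len(lines):
        m = UU_BEGIN.match(lines[i])
        if m is None:
            i += 1
            continue
        name = m.group(1).strip()
        chunks = []
        i += 1
        while i < len(lines) and lines[i].strip() != "end":
            if lines[i].strip():  # each data line carries its own length byte
                chunks.append(binascii.a2b_uu(lines[i]))
            i += 1
        yield name, b"".join(chunks)
        i += 1  # skip the "end" line


def scan_message(message: str) -> list:
    """Return one finding per uuencoded attachment with the evidence gathered."""
    findings = []
    for name, data in extract_uuencoded(message):
        ext = name.rsplit(".", 1)[-1].lower()
        has_mz = data[:2] == b"MZ"  # DOS/PE executable header
        disguised = name_is_disguised(name)
        findings.append({
            "name": name,
            "size": len(data),
            "mz_header": has_mz,
            "url_like_executable": disguised,
            # flag a disguised name, or any executable-named attachment that really is one
            "suspicious": disguised or (ext in EXECUTABLE_EXTENSIONS and has_mz),
        })
    return findings


def uuencode(name: str, data: bytes) -> str:
    """Build an inline uuencode block the way 2002-era mailers did (45 bytes per line)."""
    out = [f"begin 644 {name}"]
    for off in range(0, len(data), 45):
        out.append(binascii.b2a_uu(data[off:off + 45]).decode("ascii").rstrip("\n"))
    out += ["`", "end"]
    return "\n".join(out)


# Constructed sample: the subject and body quoted in the description, carrying a
# harmless stand-in attachment (an MZ header plus text), not the virus itself.
SAMPLE_ATTACHMENT = b"MZ" + b"\x90" * 14 + b"constructed stand-in, not a real executable"
SAMPLE_MESSAGE = (
    "Subject: new photos from my party\n"
    "\n"
    "Hello! My party... It was absolutely amazing! I have attached my web page "
    "with new photos! If you can please make color prints of my photos. Thanks!\n"
    "\n"
    + uuencode("www.myparty.yahoo.com", SAMPLE_ATTACHMENT)
    + "\n"
)

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        print(finding)
```

The name test deliberately looks only at the last extension, because that is the only part Windows consults; a gateway rule that keys on "contains .com" would miss nothing here but would also fire on ordinary .txt reports of web addresses, which the two-condition check avoids.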
In addition, the virus sends statistics on its own spread (the number of e-mail addresses found and the virus file name) to the address napster@gala.net. It does not use Outlook's MAPI facilities to send mail; it carries its own SMTP client embedded in the virus code.
While running, the virus repeatedly tries to move the file it was started from into the folder C:\RECYCLED\F-xx-xx-xx-xx or C:\RECYCLER\F-xx-xx-xx-xx. This succeeds only on Windows NT/2000/XP, because Windows 9x/Me does not allow a running executable to be renamed.
The virus also contains a code segment that checks whether the string "access" is present in the name of the running virus copy. If it is, the segment opens the web page http://www.disnay.com just before the replication routine starts. This code never gains control, because the fixed file names the virus uses never contain that string.