PIF.Fable.Worm

SUMMARY

PIF.Fable.Worm is the first worm that spreads as a PIF (Program Information File) file. When executed, the worm adds several files to the hard disk and deletes the file Regedit.exe.

The worm spreads by means of Microsoft Outlook and mIRC. mIRC is a popular chat program.

Protection

• Virus Definitions (Intelligent Updater) October 31, 2000

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Moderate

Damage

• Damage Level: Medium
• Large Scale E-mailing: Spreads via mIRC and Microsoft Outlook.
• Deletes Files: When first executed, the worm deletes the file Regedit.exe located at WindowsRegedit.exe.

Distribution

• Distribution Level: Medium
• Subject of Email: The subject can be any of the following: 1) Fable 2) Something You Should Read 3) Very Important That You Recieve This
• Name of Attachment: Fable.pif
• Size of Attachment: 17, 937 Bytes

TECHNICAL DETAILS

When PIF.Fable.Worm is executed for the first time, it creates copies of itself as the files Test.bat and Backup570.pif, located at C:Test.bat and [WindowsDir]Backup570.pif. The worm then executes C:Test.bat. Test.bat is an exact copy of Fable.pif.

Norton Antivirus detects both files, Test.bat and Fable.pif, and reports them as PIF.Fable.Worm.

The worm also adds itself in the registry. HKLMSoftwareMicrosoftWindowsCurrentVersionRunServicesChanges is set to execute a .VBS file that is later inserted by the virus. This ensures execution upon restart.

Test.bat starts the viral actions by creating the following files on the system:

[WindowsDir]MrBat.bat
[WindowsDir]Winstart.bat
[WindowsDir]Fable.pif
[WindowsDir]Plans.bat

[WindowsDir]Winstart.bat is a batch file that executes every time Windows starts. The file is detected as BAT.Fable.Worm by Norton AntiVirus.

After these files are created, the worm deletes [WindowsDir]Regedit.exe and sets the hidden and read only attributes on the newly inserted files. The worm then searches for mIRC. mIRC is a popular chat client that the worm uses to spread itself. The search is performed by checking for mIRC directories. If found, the worm inserts itself as Script.ini. If mIRC is found in C:Mirc (this is the default installation path), then the read only attribute is set on the newly inserted file.

The worm creates several copies of itself on infected systems. It then inserts itself as MS_Dos_Prompt.pif in all folders that are in the PATH. It creates several more copies of itself in various places in the Windows directory. All of these copies are detected as PIF.Fable.Worm by Norton AntiVirus.

The worm checks if to see if [WindowsDir]Wscript.exe exists. This is the file that is responsible for running VBscripts. If you want to disable the functionality of running scripts on the system, SARC offers a tool that accomplishes this, available at

http://service1.symantec.com/sarc/sarc.nsf/html/win.script.hosting.html

If Wscript.exe is found, the worm inserts several VBscripts on the system and executes them.

When executed, the VBscripts attempt to change several Windows Registry keys and propagate PIF.Fable.Worm by emailing everyone in the Microsoft Outlook address book.

If mIRC is found, the worm also collects email address from mIRC and saves them in a file named [WindowsDir]EList.eml. It then attempts to email itself to all addresses in the file.

NOTE: The VBscript that attempts to email everyone in the Outlook address book will, with definitions prior to 31st of October, be detected as VBS.NewLove.

If the worm succeeds in emailing everyone in the Outlook address book, it sets a registry key so that this action is not performed multiple times.

Finally, the worm displays a text file with the title: The Grasshopper and the Owl.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

Delele all infections. If necessary, restore Regedit.exe from a clean backup.