W32.Badass.24576

SUMMARY

W32.Badass.24576 is a worm that usually comes as BADASS.EXE program attachment in an email. The size of this attached program file is 24,576 bytes. The email message has a jumbled looking subject line and a message body in Dutch:
Dit is wel grappig! :-)

The worm displays an insulting message box with un-click-able NO button. In the background, it uses Microsoft Outlook to send a copy of itself to people in the MS Outlook address book. Symantec Antivirus Research Center has not received any report of this worm from the field.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Moderate
• Removal: Moderate

Damage

• Damage Level: Low

Distribution

• Distribution Level: Medium
• Name of Attachment: BADASS.EXE
• Size of Attachment: 24,576 bytes

TECHNICAL DETAILS

The worm routine appears to be a straight Visual Basic port of W97M.Melissa payload routine. In fact, it is so similar that it marks its activation in Windows Registry too. The marker is

HK..CurrentUserSoftWareVB
and
VBA Program SettingsWindowsCurrentVersion
as a value: CMCTL32

If the marker is present, the worm routine is not activated. Everytime it is executed, the worm displays an insulting message box:

 An error has occured probably because your  c__ smells bad.
 Is this really so?

When the YES button is clicked, it displays the following message:

Contact your local supermarket for toiletpaper  and soap to solve this problem.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

As with other worm or trojan horse programs, the detected file must be deleted. There is no need to remove the marker from the Windows Registry. In fact, its presence dis-activates the worm routine.