W32.Desperate@mm

SUMMARY

W32.Desperate@mm is a worm that spreads by creating multiple files. It creates a Windows executable, an mIRC script, and a Visual Basic Script (VBS) file. The worm then uses these files to spread its infection using IRC and Microsoft Outlook. The original dropper file for this worm is packed and encrypted. This appears to be an attempt to avoid detection and make it more difficult to analyze the worm. However, both the packer and the encryptor are well known and are, therefore, easily bypassed.

Because the original dropper for this worm is written in Visual Basic, it requires Visual Basic runtime libraries to execute.

NOTE: Virus definitions dated prior to April 11, 2001, will detect some components of this worm (such as the VBS file) as Bloodhound.VBS.Worm.

Protection

• Virus Definitions (Intelligent Updater) April 11, 2001

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Moderate
• Removal: Moderate

Damage

• Damage Level: Medium
• Large Scale E-mailing: Uses MS Outlook and MIRC

Distribution

• Distribution Level: High
• Subject of Email: "Do you know a Diane ?"
• Name of Attachment: Diane.jpg.exe
• Size of Attachment: Approx. 52K
• Shared Drives: All
• Target of Infection: Win32 systems

TECHNICAL DETAILS

W32.Desperate@mm is a worm that spreads as a Visual Basic Script (VBS) file. It is packed into a large executable dropper file written in Visual Basic. When this dropper is executed, it creates several files in several locations on the system. However, VB runtime libraries are required for the file to execute on the system. If VB runtime libraries are not installed, nothing will happen when the file is executed.

All created files are detected by Norton AntiVirus as W32.Desperate@mm, IRC.Desperate@mm, or VBS.Desperate@mm.

The worm consists of the following three main components, which are contained in the VBS file:

• IRC
  The IRC component is the mIRC script file <Mirc folder>Script.ini, which is used to spread the worm using the IRC network.

• VBS
  The VBS component spreads the worm using Microsoft Outlook. It saves the file as C:WindowsDiane.jpg <many spaces> .vbs. The VBS file also contains the IRC script and the executable file. So, when the worm spreads, it sends the VBS file to other users. When the VBS file is executed, it creates the IRC script and the executable file.

• EXE
  The EXE component is a backdoor Trojan. When this file is executed, it opens a backdoor on the computer.

The worm also modifies several registry keys.

• It adds the following values
  
  SystemEvents     C:WINDOWSclhost.exe
  
  EXPLORER   C:WINDOWS/system32/DRIVERS/EXPLORER.exe
  
  Winlogo   C:WINDOWSWinlogo.jpg [many spaces] .exe
  
  WinHelp   wscript.exe C:WINDOWSDiane.jpg [many spaces] .vbs %
  
  to the registry key
  
  HKEY_LOCAL_MACHINESoftwareMicrosoft
  WindowsCurrentVersionRun
  
• It adds the value
  
  Window Title   <This appears to be the "signature" of the author of this virus>
  
  to the registry key
  
  HKEY_CURRENT_USERSoftwareMicrosoft
  Internet ExplorerMain
  
• It changes the Internet Explorer home page to one designated by the virus author. (This appears to be a page that counts how many people are infected.)

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

To remove the worm, delete all files detected by NAV as W32.Desperate@mm, IRC.Desperate, or VBS.Desperate@mm; remove the values that it added to the registry; and reset the Internet Explorer home page.

To remove the worm:

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as W32.Desperate@mm, IRC.Desperate, or VBS.Desperate@mm.

To edit the registry:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
   
   HKEY_LOCAL_MACHINESoftwareMicrosoft
   WindowsCurrentVersionRun
   
4. In the right pane, delete the following values:
   
   SystemEvents     C:WINDOWSclhost.exe
   
   EXPLORER   C:WINDOWS/system32/DRIVERS/EXPLORER.exe
   
   Winlogo   C:WINDOWSWinlogo.jpg [many spaces] .exe
   
   WinHelp   wscript.exe C:WINDOWSDiane.jpg [many spaces] .vbs %
   
5. Navigate to the following key:
   
   HKEY_CURRENT_USERSoftwareMicrosoft
   Internet ExplorerMain
   
6. In the right pane, delete the following value:
   
   Window Title   <This appears to be the "signature" of the author of this virus>
   
7. Click Registry, and click Exit to save the changes and close the Registry Editor.

To reset the Internet Explorer home page:

1. Start Microsoft Internet Explorer.
2. Connect to the Internet, and go to the page that you want to set as your home page.
3. Click Tools, and click Internet Options.
4. On the General tab, click Use Current, and then click OK.