W32.Indor

SUMMARY

W32.Indor is a mass-mailing worm that uses Microsoft Outlook to send itself to all contacts in the Microsoft Outlook Address Book. The email subject, message, and attachment vary. It can also spread across a network. This threat is written in the Microsoft Visual Basic programming language and is compressed using Petite.

Protection

• Virus Definitions (LiveUpdate™ Weekly) September 18, 2002
• Virus Definitions (Intelligent Updater) September 17, 2002

TECHNICAL DETAILS

When W32.Indor runs, it does the following:

It displays this fake message:



It copies itself as

• C:\%windir%Sexy.scr
• C:\%windir%Temp.exe
• C:\_.exe
• C:Update_Date.exe

NOTE: %windir% is a variable. The worm locates the main Windows installation folder (by default this is C:Windows or C:Winnt) and copies itself to that location.

It also attempts to copy itself to a floppy disk as:

• A:Asian-Girls*.avi.scr
• A:Nude*.jpg.exe
• A:Sexy*.gif.exe

NOTE: * represents a number that is randomly chosen by the worm. For example, the file name may be Asian-Girls41.avi.scr.

The worm searches all folders and subfolders for files that have these extensions:

• .txt
• .exe
• .lnk
• .doc
• .xls
• .jpg
• .mp3
• .mpg
• .htm.
• .html.
• .asp
• .zip
• .rar

If it finds such a file, it may copy itself to the same folder, using the same file name that it finds, plus the .exe or .pif extension. For example, if it finds C:WindowsCalc.exe, the worm may copy itself as C:WindowsCalc.exe.pif.

The worm adds the value

(Default) _.exe

to the registry key

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunservices

It inserts the following section in C:WindowsSystem.ini file:

[ABOUT]
MY NAME=.....I-Worm.Indovirus.A
AUTHORZ=.....iwing@indovirus.net - INDONESIA
MESSAGE=.....Salam Kenal buat Virus Coderz indonesia, semoga bisa lebih Kreatif dalam menciptakan virus/worm
GREEETZ=.....Greetings goes to : BCVG,IkX,29A,Coderz,And all Virus Group on the NET
PRIVATE=.....Imel...! Cintaku hanya untuk mu, sekarang dan selamanya, biarlah Dunia yang menyaksikan Pernyataan cintaku ini - LOVE YOU-> Iwing <-

It also adds this line to the [windows] section of the C:WindowsWin.ini file:

load=C:\_.exe

It uses Microsoft Outlook to send itself to all contacts in the Outlook Address Book. The email subject, message, and attachment vary.

If the Mirc.ini exists, the worm overwrites it to send itself to other mIRC users as Update_Date.exe.

Payloads
On the first day of any month, the worm does the following:

It displays a message that has "Indovirus Network" as its title.

It then opens the default Web browser and goes to the Website www.indovirus.net.

The worm tries to kill the following processes:

• ANTIVIR
• WEBSCANX
• SAFEWEB
• AVP.EXE
• LOCKDOWN2000
• AVP32
• AMON.EXE
• AVPCC.EXE
• AVPM.EXE
• PCCIOMON
• PCCMAIN
• POP3TRAP
• WEBTRAP
• AVCONSOL
• VSHWIN32
• VSSTAT
• LUCOMSERVER
• MCAFEE
• SCAN32
• VETTRAY
• RESCUE32
• PCCWIN98

It deletes all .ini files that reside in the C:\%windir% folder.

It then changes the (Default) value from

%1" %*

to

notepad.exe %1

in the registry key

HKEY_CLASSES_ROOTexefileshellopencommand

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Restart the computer in Safe mode.
3. Run a full system scan, and delete all files that are detected as W32.Indor.
4. Reverse the changes that the worm made to the registry.
5. (Windows 95/98/Me) Reverse the changes that the worm made to Win.ini and System.ini.
6. Replace deleted .ini files from a clean backup.

For details on how to do this, read the following instructions.

To update the virus definitions:
All virus definitions receive full quality assurance testing by Symantec Security Response before being posted to our servers. There are two ways to obtain the most recent virus definitions:

• Run LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
• Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.
  
  Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

To restart the computer in Safe mode:
All Windows 32-bit operating systems, except Windows NT, can be restarted in Safe mode. For instructions on how to do this, read the document How to start the computer in Safe Mode.

To scan for and delete the infected files:

1. Start your Symantec antivirus program, and make sure that it is configured to scan all files.
   • Norton AntiVirus consumer products: Read the document How to configure Norton AntiVirus to scan all files.
   • Symantec enterprise antivirus products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
2. Run a full system scan.
3. If any files are detected as infected with W32.Indor, click Delete.

To reverse that changes that the worm made to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key
   
   HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunservices
   
4. In the right pane, delete the value
   
   (Default) _.exe
   
5. If the payload has run, navigate to the key
   
   HKEY_CLASSES_ROOTexefileshellopencommand
   
6. In the right pane, double-click (Default).
7. Change the Value Data to
   
   %1" %*
   
8. Exit the Registry Editor.

To reverse the changes that the worm made to Win.ini and System.ini:
This is necessary only on Windows 95/98/Me-based computers.

NOTE: (For Windows Me users only) Due to the file-protection process in Windows Me, a backup copy of the file that you are about to edit exists in the C:WindowsRecent folder. Symantec recommends that you delete this file before you continue with the steps in this section. To do this using Windows Explorer, go to C:WindowsRecent, and in the right pane select the Win.ini file and delete it. It will be regenerated as a copy of the file that you are about to edit when you save your changes to that file.

1. Click Start, and click Run.
2. Type the following, and then click OK:
   
   edit c:windowswin.ini
   
   The MS-DOS Editor opens.
   
   NOTE: If Windows is installed in a different location, make the appropriate path substitution.
   
3. In the [windows] section of the file, look for an entry similar to the following:
   
   load=C:\_.exe
   
4. Select the entire line. Be sure that you have not selected any other text, and then press Delete.
5. Click File, and click Save.
6. Click File, and click Exit.
7. Click Start, and click Run.
8. Type the following, and then click OK:
   
   edit c:windowssystem.ini
   
   NOTE: If Windows is installed in a different location, make the appropriate path substitution.
   
9. Look for the following section and text, and delete it:
   
   [ABOUT]
   MY NAME=.....I-Worm.Indovirus.A
   AUTHORZ=.....iwing@indovirus.net - INDONESIA
   MESSAGE=.....Salam Kenal buat Virus Coderz indonesia, semoga bisa lebih Kreatif dalam menciptakan virus/worm
   GREEETZ=.....Greetings goes to : BCVG,IkX,29A,Coderz,And all Virus Group on the NET
   PRIVATE=.....Imel...! Cintaku hanya untuk mu, sekarang dan selamanya, biarlah Dunia yang menyaksikan Pernyataan
   intaku ini - LOVE YOU-> Iwing <-
   
10. Click File, and click Save.
11. Click File, and click Exit.