W32.Recory@mm

SUMMARY

W32.Recory@mm is a mass-mailing worm that is written in Visual Basic (VB). The VB run-time libraries must be installed on the computer for it to execute.
The worm uses Microsoft Outlook to email itself to all the contacts in the Windows Address Book. It also attempts to spread across a file-sharing network.

The email has a randomly chosen subject and attachment. The attachment will have an extension of .com, .exe or .pif.

Protection

• Virus Definitions (LiveUpdate™ Weekly) January 4, 2003
• Virus Definitions (Intelligent Updater) January 2, 2003

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Moderate

Damage

• Damage Level: Low
• Large Scale E-mailing: Emails itself to all the contacts in the Windows Address Book

Distribution

• Distribution Level: High
• Subject of Email: Varies
• Name of Attachment: Varies with .com, .exe or .pif extension
• Size of Attachment: 19,968 bytes
• Shared Drives: Attempts to spread via various file-sharing networks.

TECHNICAL DETAILS

When W32.Recory@mm runs, it does, or attempts, to do the following:

1. Copies itself as the following files:
   • %windir%Autotest.com
   • %windir%Startwin.com
   • %windir%TaskBoot.com
   • %windir%Winboot32.com
   • %windir%Jdbgmgr.exe
   • %windir%Compile32.pif
   • %windir%Security.pif
   • %windir%Uninstall32.pif
   • %windir%Windows Startup.pif
   • %windir%COMMANDEBDWinexec.bat
   • %windir%Start MenuProgramsStartupSysTray.pif
   • %system%Autoexec32.bat
   • %system%Jdbgmgr.exe
   • %system%Memory.com
   • %system%RecoveryWorm32.scr
   • %tempdir%Jdbgmgr.exe
   • FixTool.exe
     
     NOTES:
     • %windir% is a variable. The worm locates the Windows installation folder (by default, this is C:Windows or C:Winnt) and copies itself to that location.
     • %system% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:WindowsSystem (Windows 95/98/Me), C:WinntSystem32 (Windows NT/2000), or C:WindowsSystem32 (Windows XP).
     • %tempdir% is a variable. The worm locates the Temporary folder and copies itself to that location. By default, this is C:WindowsTemp (Windows 95/98/ME), C:Documents and Settings<username>Local SettingsTemp (Windows 2000/XP).
       
2. May also copy itself as one of the following file names, followed by a randomly chosen extension: .exe, .com, or .pif:
   • %system%Killvirus
   • %system%Killvir
   • %system%Fixvir
   • %system%Fixtool
   • %system%Removal
   • %system%Recovery
   • %system%Virusfix
   • %system%Virusremove
   • %system%Cleaner
   • %system%Cleanvir
   • %system%Scan32
   • %system%Scanvir
   • %system%Cleanvirus
   • %system%Removal32
   • %system%Deletevir
     
     This particular file will be attached to the email when the worm performs its email routine.
     
3. Adds the value
   
   Msdos32      %system%Msdos32.pif
   
   to the registry key
   
   HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
   
   This causes the worm to be executed every time you start Windows.
   
4. Searches the computer for specific files. If the file %system%RecoveryWorm32.scr is not found, the system date is January 16th, March 16th, May 16th, July 16th, September 16th, or November 16th, and the following files are found:
   • %system%Msdos32.pif
   • %windir%TaskBoot.com
   • %system%Autoexec32.bat
   • %windir%Autotest.com
     
     the worm displays this message:
     
     
     
5. If any of the following folders exist:
   • C:KazaaMy Shared Folder
   • C:My Downloads
   • C:Program FilesKazaaMy Shared Folder
   • C:ProgrammeKazaaMy Shared Folder
   • C:ProgrammiKazaaMy Shared Folder
   • C:Program FilesKazaa LiteMy Shared Folder
   • C:ProgrammeKazaa LiteMy Shared Folder
   • C:ProgrammiKazaa LiteMy Shared Folder
   • C:Program FilesBearshareShared
   • C:ProgrammeBearshareShared
   • C:ProgrammiBearshareShared
   • C:Program FilesEdonkey2000
   • C:ProgrammeEdonkey2000
   • C:ProgrammiEdonkey2000
   • C:Program FilesMorpheusMy Shared Folder
   • C:ProgrammeMorpheusMy Shared Folder
   • C:ProgrammiMorpheusMy Shared Folder
   • C:Program FilesGroksterMy Grokster
   • C:ProgrammeGroksterMy Grokster
   • C:ProgrammiGroksterMy Grokster
   • C:Program FilesICQShared Files
   • C:ProgrammeICQShared Files
   • C:ProgrammiICQShared Files
     
     the worm will copy itself to that particular folder as these files:
     • Computer Virus Generator.pif
     • Dancing Girls ScreenSaver.scr
     • Erotic Poetry.pif
     • FixTool.exe
     • How to hack websites.pif
     • How to hack www.google.com
     • How to make a virus.pif
     • KaZaA Bug Fix.exe
     • KaZaA Download Booster.exe
     • Lord Of The Rings 2 Fast Downloader.pif
     • Microsoft Product Serial List.pif
     • Nature ScreenSaver.scr
     • NFS Car Builder.pif
     • Norton AntiVirus Quick Downloader - www.symantec.com
     • Readme.pif
     • Red Alert 2 Money Cheat.pif
     • The Sims patch.pif
     • Type-and-talk.pif
     • User Information.pif
     • Virtual Sex ScreenSaver.scr
     • WarCraft 2 - Advance Level Builder.com
     • Windows Logon Password Cracker.pif
       
6. If the file Mirc.ini is found in one of these folders:
   • C:Mirc
   • C:Mirc32
   • C:Program FilesMirc
   • C:Program FilesMirc32
   • C:ProgrammeMirc
   • C:ProgrammeMirc32
   • C:ProgrammiMirc
   • C:ProgrammiMirc32
     
     the worm will copy itself as %windir%Wideo1.mpg and overwrite the file Script.ini in that particular folder to spread itself through mIRC.
     
     NOTE: The file name is case sensitive.
     
7. If the file Pirch32.exe is found in one of these folders:
   • C:Pirch
   • C:Pirch32
   • C:Program FilesPirch
   • C:Program FilesPirch32
   • C:ProgrammePirch
   • C:ProgrammePirch32
   • C:ProgrammiPirch
   • C:ProgrammiPirch32
     
     the worm will copy itself as %system%Video1.mpg and overwrite the file Events.ini in that folder to spread itself through Pirch.
     
     NOTE: The file name is case sensitive.
     
8. The worm creates the registry key
   
   HKEY_CURRENT_USERSoftwareed/[rRlf]Recovery1.0
   
   and sets the (Default) value of this registry key to W32/Recovery family worm by Zed/[rRlf].

Email Routine Details

W32.Recory@mm uses Microsoft Outlook to email itself to all the contacts in the Windows Address Book.

The email message has the following characteristics:

Subject: The subject line is one of the following.

• Computer virus alert
• Important
• Read this
• Urgent
• Serious alert
• Attention users
• Severs virus alert
• Attention company personal
• Urgent information
• Latest news
• Computer issue
• Email virus alert
• Computer virus information
• Attention Employees
• Computer virus removal tool
• Computer virus fix tool
• Help on Computer issue
• Software alert
• Damaged Software information
• Latest News
• Latest computer virus outbreak
• Computer virus outbreak
• Email security update
• Security update
• Software patch
• From helpdesk support
• Technical support
• Software support
• Microsoft support
• Email support
• Free support
• Microsoft news
• Important information
• High-risk computer virus removal
• Client support
• High-threat computer virus fix
• Computer virus removal
• Urgent news

NOTE: The subject line may have the prefix Fwd: or Fw:

Message:

Hello readers,

I have just cleaned my computer from a highly damaging computer virus
Which is spreading rapidly through computer networks worldwide.

There is one way to check to see if your computer is infected with this
virus.

Click the "Start" menu at the bottom left of your screen.
Click the "Find" or "Search" button.
Click the "Files or folders..." option.
Then once the search application starts, type "Jdbgmgr.exe"

If you have found this file, right-click on it and click the "Properties"
tab.
If the Properties menu has a picture of a bear on it,
your computer is infected with this virus. (Note that the non-infected file
picture has a hammer and a screwdriver shown in it)
You may delete this file, but this is not the only file that the virus
infects,
To remove this virus, I have included a virus removal tool in the
attachments "<Attachment file name>"
that will scan all system files and remove any infectious code from them.
This virus removal tool is very easy to use. If you have any trouble with
this tool,
read the help menu that the removal tool supplies.

If your computer is infected with this virus, It is strongly recommended
that you send this removal tool to as many people
as you can to help remove the traces of this virus worldwide.

Attachment: The attachment is one of the following file names with a random extension: .exe, .com, or .pif:

• Killvirus
• Killvir
• Fixvir
• Fixtool
• Removal
• Recovery
• Virusfix
• Virusremove
• Cleaner
• Cleanvir
• Scan32
• Scanvir
• Cleanvirus
• Removal32
• Deletevir

Importance: High

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Delete the value
   
   Msdos32
   
   from the registry key
   
   HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
   
2. Restart the computer.
3. Update the virus definitions,
4. Run a full system scan and delete all the files detected as W32.Recory@mm.
   

For further details, read the following instructions.


Deleting the value from the registry

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

1. Click Start, then click Run. (The Run dialog box appears.)
2. Type regedit, then click OK. (The Registry Editor opens.)
3. Navigate to the key
   
   HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
   
4. In the right pane, delete the value
   
   Msdos32
   
5. Exit the Registry Editor and restart the computer.

Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

• Running LiveUpdate, which is the easiest way to obtain the virus definitions. These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate) line at the top of this writeup.
• Downloading the definitions using the Intelligent Updater. The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater) line at the top of this writeup.
  
  The Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

Scanning for and deleting the infected files

1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
   • For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
   • For Symantec AntiVirus Enterprise products: Read the document, "How to verify a Symantec Corporate antivirus product is set to scan All Files."
2. Run a full system scan.
3. If any files are detected as infected with W32.Recory@mm, click Delete.