W95.Buggy.Worm@mm

SUMMARY

This worm consists of a Microsoft Outlook mass mailer and an IRC worm.

Protection

• Virus Definitions (Intelligent Updater) May 23, 2001

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low
• Payload: Mails itself every time that it is executed
• Large Scale E-mailing: Sends itself to all recipients in Windows Address Book

Distribution

• Distribution Level: High
• Subject of Email: The last patch for Internet Explorer
• Name of Attachment: ie042601.exe
• Size of Attachment: 8192

TECHNICAL DETAILS

When this worm is executed, it does the following:

1. It hides itself from the Windows Task List by calling RegisterServiceProcess. Under Windows NT and 2000, this simply fails.
2. It copies itself as WindowsSystemie042601.exe.
3. So that the worm executes when Windows starts, it changes the run= line in the Win.ini file to run=c:windowssystemie042601.exe
4. The worm drops the following files:
   • C:Script.ini
   • WindowsEmail.vbs
   • C:Win.drv
   • WindowsWsock32.bat.
5. The Script.ini file is copied to
   • C:MircScript.ini
   • C:Mirc32Script.ini
6. When you use mIRC, the ie042601.exe file is sent to others who connect to the same channel that you are using.
7. The Wsock32.bat file contains code to run each of the dropped files. The worm waits for an active Internet connection and tries to establish one by attempting to connect to www.yahoo.fr. When the connection is successful, Wsock32.bat is executed.
8. The Email.vbs file contains Microsoft Outlook mass-mailing code, which has been copied from VBS.Newlove.A. It sends ie042601.exe to every entry in every address list in the Windows Address Book. The mail appears as follows:
   
   Subject: The last patch for Internet Explorer
   Message: Date : <current date> A lot of virus and worms use a bug in Internet Explorer This patch allows you to correct this problem
   Attachment: ie042601.exe
   
9. Win.drv is an FTP script that is supposed to download the Petik.bmp file; however, the script contains a bug and no file is downloaded. Despite this, the worm attempts to change the Windows wallpaper to use this file; this code also contains a bug, and the values are set incorrectly.
10. After altering the wallpaper setting, the worm hides every .bmp file in the Windows folder. This may be an attempt to hide the Petik.bmp file, but that file is not stored in the Windows folder.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

To remove this worm, delete any files detected as W95.Buggy.Worm@mm and undo the change that it made to the Win.ini file.

To remove the worm:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as W95.Buggy.Worm@mm.

To edit the Win.ini file:
1. Click Start, and click Run.
2. Type the following, and then click OK:

NOTE: If Windows is installed in a different location, make the appropriate substitution.

edit c:windowswin.ini

3. In the [windows] section, locate the run= line. It will look similar to the following:

run=c:windowssystemie042601.exe

4. Remove the text to the right of the equal (=) sign, so that the line now reads

run=

5. Click File, click Save, and then exit the MS-DOS Editor.