W32/Cult.D@mm - Released Apr 02, 2003 - Last Updated Mar 13, 2007
Alias/es: I-Worm.Cult.d, W32.HLLW.Cult.C@mm, W32/Cult-C, W32/Cult.D, W32/Cult.D@mm, Worm.Cult.D
Visible Symptoms
- Creation of the file "iexplorer.exe" in the %Windows%\System32 folder
- Virus may be received by email in this format:
Subject: Hi , I sent you an eCard from Blue-Mountain.com
Body:
To view your eCard, open the attachment
If you have any comments or questions, please visit
http://www.bluemountain.com/customer/index.pd
Thanks for using BlueMountain.com.
Attachment: BlueMountaineCard.pif

Detailed Analysis
- Virus is 32bit with a compressed file size of 22,016 bytes
- If virus is run, it will copy itself into the %Windows%\System32 folder as "iexplorer.exe" and then run as a process in memory
- The virus will modify the registry to load itself at next Windows startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"sysconfig" = iexplorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
"sysconfig" = iexplorer.exe
- The mass-mailing code within the virus may send a copy of the virus to others with an attachment with a .PIF extension and a size of 22,016 bytes. The target address is generated at random and may or may not be an actual email address. The email will be in this format:
Subject: Hi , I sent you an eCard from Blue-Mountain.com
Body:
To view your eCard, open the attachment
If you have any comments or questions, please visit
http://www.bluemountain.com/customer/index.pd
Thanks for using BlueMountain.com.
Attachment: BlueMountaineCard.pif
- Virus may attempt to connect to IRC servers via TCP port 6667 at one of two addresses:
xman.sytes.net
ragonx.hopto.org
- Once connected, the virus listens and awaits commands from a hacker or group of hackers, which could include initiating a "ping attack" or UDP flood against a target
- Virus contains SDBot code and has the string "sdbot 0.5b by [sd]" in its code
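The advisory above gives four kinds of host and network indicators: the dropped file, the two "sysconfig" Run/RunServices values, the fixed email lure (subject, .PIF attachment name, 22,016-byte size) and the two IRC hosts on TCP 6667. The following Python script is an added example, not part of the original advisory, showing how a responder might check all of them against a registry export, a captured mail message and firewall connection logs. The .reg text, the sample message and the log lines are constructed here for illustration; the log line format ("<timestamp> <proto> <src>:<port> -> <dst>:<port>") is an assumption and not a real product's format.

```python
import re
from email.message import EmailMessage

# Indicators taken from the advisory text for W32/Cult.D@mm.
DROPPED_FILE = "iexplorer.exe"
RUN_VALUE_NAME = "sysconfig"
# Key paths as they appear in a .reg export (no trailing backslash).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
LURE_SUBJECT = "Hi , I sent you an eCard from Blue-Mountain.com"
LURE_ATTACHMENT = "BlueMountaineCard.pif"
ATTACHMENT_SIZE = 22016
IRC_HOSTS = {"xman.sytes.net", "ragonx.hopto.org"}
IRC_PORT = 6667


def check_registry_export(reg_text):
    """Return the Run/RunServices keys in a .reg export that carry the
    "sysconfig" value pointing at iexplorer.exe (the worm's persistence)."""
    hits = []
    current_key = None
    wanted = {k.lower() for k in RUN_KEYS}
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="([^"]*)"', line)
        if m and current_key and current_key.lower() in wanted:
            name, value = m.groups()
            if name.lower() == RUN_VALUE_NAME and DROPPED_FILE in value.lower():
                hits.append(current_key)
    return hits


def score_email(msg):
    """Return the lure indicators an email.message.EmailMessage matches."""
    reasons = []
    subject = " ".join(str(msg.get("Subject") or "").split())
    if subject == LURE_SUBJECT:
        reasons.append("lure subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".pif"):
            reasons.append("pif attachment")
        if name == LURE_ATTACHMENT:
            reasons.append("lure attachment name")
        if len(data) == ATTACHMENT_SIZE:
            reasons.append("attachment size 22016")
    return reasons


def check_connections(log_lines):
    """Flag TCP connections to either IRC host on port 6667.
    Assumed (constructed) line format: '<ts> <proto> <src>:<sport> -> <dst>:<dport>'."""
    hits = []
    for line in log_lines:
        m = re.match(r"(\S+) (\w+) (\S+):(\d+) -> (\S+):(\d+)", line)
        if not m:
            continue
        ts, proto, src, _sport, dst, dport = m.groups()
        if proto.upper() == "TCP" and dst.lower() in IRC_HOSTS and int(dport) == IRC_PORT:
            hits.append((ts, src, dst))
    return hits


# Constructed sample data (not real captures).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysconfig"="iexplorer.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"sysconfig"="iexplorer.exe"
"""

SAMPLE_LOG = [
    "2003-04-02T10:00:01 TCP 10.0.0.5:1033 -> xman.sytes.net:6667",
    "2003-04-02T10:00:02 TCP 10.0.0.5:1034 -> www.example.invalid:80",
    "2003-04-02T10:00:03 UDP 10.0.0.5:1035 -> ragonx.hopto.org:6667",
    "2003-04-02T10:00:04 TCP 10.0.0.7:1036 -> ragonx.hopto.org:6667",
]


def build_sample_lure():
    """Construct a message with the advisory's subject and attachment name
    and a 22,016-byte dummy payload (zeros, not worm code)."""
    msg = EmailMessage()
    msg["Subject"] = LURE_SUBJECT
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg.set_content("To view your eCard, open the attachment\n")
    msg.add_attachment(b"\x00" * ATTACHMENT_SIZE, maintype="application",
                       subtype="octet-stream", filename=LURE_ATTACHMENT)
    return msg


if __name__ == "__main__":
    print("registry persistence:", check_registry_export(SAMPLE_REG))
    print("email lure indicators:", score_email(build_sample_lure()))
    print("IRC C2 connections:", check_connections(SAMPLE_LOG))
```

The registry check reports each key separately because either value alone is enough to restart the worm at boot; the connection check ignores the UDP line deliberately, since the advisory names TCP 6667 as the control channel, and the attachment size is matched as well as the name so that a renamed .PIF still scores.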