Threat Encyclopedia
W32/Wozer.A!worm
Analysis
- Virus is 32bit with a compressed file size of 23,040 bytes
- Virus may be introduced to the system through email, network shares or from an infected user across IRC
- If the virus is run, it will write itself to the (Windows)\System32 folder as "Explore.exe" and modify the registry so that it is loaded alongside the Windows shell (Explorer) at next Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = Explorer.exe Explore.exe
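The Winlogon Shell change above is the worm's persistence mechanism, so it is also the cheapest thing to audit. The following check is an added example (not Fortinet's or the page's code): it splits a Shell value into its program entries and reports anything other than the stock shell. The clean baseline of "explorer.exe" only is an assumption; the sample values are constructed from the registry line shown above.

```python
import re
from typing import List

# Assumed clean baseline: a stock Windows install lists only the shell itself.
EXPECTED_SHELL = {"explorer.exe"}


def parse_shell_value(value: str) -> List[str]:
    """Split a Winlogon 'Shell' value into program entries.

    The value can name more than one program; entries are normally separated by
    commas, and this worm appends its copy after a space, so split on both.
    """
    return [p.strip() for p in re.split(r"[,\s]+", value) if p.strip()]


def extra_shell_entries(value: str) -> List[str]:
    """Return every entry that is not the expected shell, e.g. the worm's Explore.exe."""
    return [p for p in parse_shell_value(value) if p.lower() not in EXPECTED_SHELL]


def read_live_shell_value() -> str:
    """Read the live value on a Windows host; returns '' where winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return ""
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
    return value


# Constructed sample values: a clean host and the value the page shows after infection.
SAMPLE_VALUES = {
    "clean": "explorer.exe",
    "infected": "Explorer.exe Explore.exe",
}

if __name__ == "__main__":
    for label, value in SAMPLE_VALUES.items():
        print(label, "->", extra_shell_entries(value) or "no extra entries")
    live = read_live_shell_value()
    if live:
        print("live host ->", extra_shell_entries(live) or "no extra entries")
```

Any extra entry deserves a look, but the comparison is case-insensitive on purpose: "Explore.exe" differs from "explorer.exe" by one letter, which is exactly the kind of name a quick visual scan of the registry misses.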
-
The virus then alters the infected system's DHCP settings and its assigned IP address - this is done in the registry -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\(LAN card CSLID)\Parameters\Tcpip\
"DhcpIPAddress" = 169.254.20.244
"DhcpServer" = 255.255.255.255
"DhcpSubnetMask" = 255.255.0.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\(LAN card CSLID)\
"AddressType" = 01, 00, 00, 00
"DhcpIPAddress" = 169.254.20.244
"DhcpServer" = 255.255.255.255
"DhcpSubnetMask" = 255.255.0.0
"IPAutoconfigurationAddress" = 169.254.20.244
-
The virus deletes existing registry values and keys that also relate to DHCP settings -
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\(LAN card CSLID)\Parameters\Tcpip\
"DhcpDefaultGateway"
"DhcpSubnetMaskOpt"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\
"(LAN card CSLID)"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
"DhcpDomain"
"DhcpNameServer"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\(LAN card CSLID)\
"DhcpDefaultGateway"
"DhcpDomain"
"DhcpNameServer"
"DhcpSubnetMaskOpt"
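The two registry items above together describe a recognisable state: an APIPA address (169.254.x.x) forced in as the "DHCP" lease, a broadcast DhcpServer, and the gateway, DNS and domain values gone. The following checker is an added example, not Fortinet's or the page's code; it takes one interface's values as a name-to-string dictionary (as a .reg export or reg query would show them) and reports which of the page's indicators are present. Both interface samples are constructed, the clean one using documentation addresses.

```python
import ipaddress
from typing import Dict, List

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

# Values the page reports the worm deleting from the per-interface Tcpip key.
DELETED_BY_WORM = ("DhcpDefaultGateway", "DhcpDomain", "DhcpNameServer", "DhcpSubnetMaskOpt")


def dhcp_tamper_indicators(iface: Dict[str, str]) -> List[str]:
    """Check one Tcpip\\Parameters\\Interfaces\\<adapter GUID> value set.

    `iface` maps registry value names to their string form. Each string in the
    result names one indicator from the page that this interface exhibits.
    """
    findings: List[str] = []
    addr = iface.get("DhcpIPAddress", "")
    if addr:
        try:
            if ipaddress.ip_address(addr) in APIPA_NET:
                findings.append(f"DhcpIPAddress {addr} is an APIPA (169.254/16) address")
        except ValueError:
            findings.append(f"DhcpIPAddress is not a valid IPv4 address: {addr!r}")
    if iface.get("DhcpServer") == "255.255.255.255":
        findings.append("DhcpServer is the broadcast address 255.255.255.255")
    auto = iface.get("IPAutoconfigurationAddress")
    if auto and auto == addr:
        findings.append("IPAutoconfigurationAddress equals DhcpIPAddress")
    for name in DELETED_BY_WORM:
        if name not in iface:
            findings.append(f"value {name} is missing")
    return findings


# Constructed samples: a normally leased interface, and the value set the page describes.
CLEAN_IFACE = {
    "DhcpIPAddress": "192.0.2.45",
    "DhcpServer": "192.0.2.1",
    "DhcpSubnetMask": "255.255.255.0",
    "DhcpDefaultGateway": "192.0.2.1",
    "DhcpDomain": "corp.example",
    "DhcpNameServer": "192.0.2.10",
    "DhcpSubnetMaskOpt": "255.255.255.0",
}
TAMPERED_IFACE = {
    "AddressType": "01,00,00,00",
    "DhcpIPAddress": "169.254.20.244",
    "DhcpServer": "255.255.255.255",
    "DhcpSubnetMask": "255.255.0.0",
    "IPAutoconfigurationAddress": "169.254.20.244",
}

if __name__ == "__main__":
    for label, iface in (("clean", CLEAN_IFACE), ("tampered", TAMPERED_IFACE)):
        print(label, "->", dhcp_tamper_indicators(iface) or ["no indicators"])
```

Treat the result as one indicator among several: an APIPA address with a broadcast DhcpServer also appears on a host whose DHCP lease simply failed, so corroborate with the Winlogon Shell entry and the dropped files before calling the host infected. The practical effect of the change, whichever way it was caused, is that the machine loses its gateway and DNS and drops off the network.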
-
The virus may attempt to terminate running processes whose names contain any of these strings -
antiv
syman
microsoft
mcaf
virus
anti
kasp
-
The virus will attempt to connect to other systems on the same network - it looks for accessible C$ administrative shares and attempts to write itself there as "winupdate.exe"
-
The virus will attempt to look up Mail Exchange (MX) records for several domains, including some of the following -
GTO.NET
VIP1.GOLDEN.NET
NETS.NET
DOROTHY.BMC.COM
GWIA.NETS.NET
-
Next the virus will write three files to the infected system -
(Windows)\System32\eCard.zip (23,162 bytes)
(Windows)\System32\Explore.exe (23,040 bytes)
(Root)\CrOW.txt (24 bytes)
-
The file "c:\CrOW.txt" contains this text -
"i love u crow .... i do."
-
The file "eCard.zip" is a PKZip archive and contains an infectious file "default.pif" with a size of 23,040 bytes
-
The virus may attempt to send itself to email addresses found on the infected system, as a MIME-encoded message in the following format -
From: "Superzone eCard" <ecard@superzone.com>
Subject: Superzon eCard from Secret Admirer
Body:
eCard@Superzone is an online service for sending eCards.
Dear reader,
You have been sent an eCard from 'Secret Admirer'!
To see the eCard, simply open the attachment.
Send an eCard to someone that you care. It's free!
eCard@Superzone
http://eCard.Superzone.com
Save trees, send eCards.
eCard@Superzone: part of the Superzone Network
http://www.superzone.com
Attachment: eCard.zip
-
The email carries the infectious attachment and commonly declares a false Content-Type header for it -
Content-Type: audio/x-wav;
-
Virus contains the following strings in its code -
====== Created By ME ======
===========================
THIS IS:
DEFAULT, NIL, NULL, $NULL, NOTHING, ZERO
ZIP, POFF, 0 WORM.
it owns u.
Recommended Action
- Using the email content blocking feature of FortiGate, add the following text -
eCard+Superzone
-
Configure email servers to quarantine tagged email messages and delete messages as necessary
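Two of the page's observations translate directly into mail-gateway checks: the attachment is a ZIP archive declared as audio/x-wav, and the lure text always carries the words in the "eCard+Superzone" block pattern. The code below is an added example, not Fortinet's or the page's; it builds a constructed message in the format listed above (with harmless placeholder bytes in place of default.pif) and runs both checks against it. Reading the FortiGate pattern as "every word present in the headers or body" is an assumption about that feature, not something the page states.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

ZIP_MAGIC = b"PK\x03\x04"  # local file header that opens a PKZip archive
# Declared types that should never carry a ZIP payload.
NON_ARCHIVE_TYPES = {"audio/x-wav", "audio/wav", "image/jpeg", "image/gif", "text/plain"}


def build_sample_lure() -> EmailMessage:
    """Construct (not a captured sample) a message in the format the page lists:
    the same From/Subject and body text, and a ZIP attachment declared as audio/x-wav."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Harmless placeholder bytes stand in for the worm's default.pif.
        zf.writestr("default.pif", b"PLACEHOLDER - NOT THE WORM")
    msg = EmailMessage(policy=policy.default)
    msg["From"] = '"Superzone eCard" <ecard@superzone.com>'
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Superzon eCard from Secret Admirer"
    msg.set_content(
        "eCard@Superzone is an online service for sending eCards.\n"
        "Dear reader,\n"
        "You have been sent an eCard from 'Secret Admirer'!\n"
        "To see the eCard, simply open the attachment.\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="audio", subtype="x-wav", filename="eCard.zip")
    return msg


def mismatched_zip_attachments(msg: EmailMessage) -> List[Tuple[str, str]]:
    """(filename, declared type) for attachments that are ZIP archives by magic bytes
    but are declared with a non-archive Content-Type."""
    hits: List[Tuple[str, str]] = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        if payload.startswith(ZIP_MAGIC) and declared in NON_ARCHIVE_TYPES:
            hits.append((name, declared))
    return hits


def matches_block_pattern(msg: EmailMessage, words=("eCard", "Superzone")) -> bool:
    """Approximation (assumption) of the page's 'eCard+Superzone' block text:
    true when every word occurs in From, Subject or the plain-text body."""
    text = " ".join(str(msg.get(h, "")) for h in ("From", "Subject"))
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text += " " + body.get_content()
    lowered = text.lower()
    return all(w.lower() in lowered for w in words)


if __name__ == "__main__":
    sample = build_sample_lure()
    print("mismatched attachments:", mismatched_zip_attachments(sample))
    print("matches eCard+Superzone:", matches_block_pattern(sample))
```

The magic-byte comparison is the more durable of the two checks: the lure text can be reworded, but an archive has to start with its local file header to unpack, so a ZIP labelled as audio is always worth quarantining regardless of what the message says.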