Threat Encyclopedia

W32/Wozer.A!worm

Analysis

• Virus is 32bit with a compressed file size of 23,040 bytes
  
• Virus may be introduced to the system through email, network shares or from an infected user across IRC
  
• If the virus is run, it will write itself to the undefinedWindowsundefined\System32 folder as "Explore.exe" and modify the registry to load when the common Windows shell Explorer is run at next Windows startup -

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\
  CurrentVersion\Winlogon\
  Shell = Explorer.exe Explore.exe
  

• The virus will then modify the infected system by changing DHCP settings and the established IP address - this is done in the registry -

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
  (LAN card CSLID)\Parameters\Tcpip\
  "DhcpIPAddress" = 169.254.20.244
  "DhcpServer" = 255.255.255.255
  "DhcpSubnetMask" = 255.255.0.0

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
  Tcpip\Parameters\Interfaces\(LAN card CSL)\
  "AddressType" = 01, 00, 00, 00
  "DhcpIPAddress" = 169.254.20.244
  "DhcpServer" = 255.255.255.255
  "DhcpSubnetMask" = 255.255.0.0
  "IPAutoconfigurationAddress" = 169.254.20.244
  

• The virus deletes existing keys which are also related to DHCP settings -
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
  (LAN card CSLID)\Parameters\Tcpip\
  "DhcpDefaultGateway"
  "DhcpSubnetMaskOpt"

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\
  "(LAN card CSLID)"

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
  "DhcpDomain"
  "DhcpNameServer"

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
  Parameters\Interfaces\(LAN card CSLID)\
  "DhcpDefaultGateway"
  "DhcpDomain"
  "DhcpNameServer"
  "DhcpSubnetMaskOpt"
  

• The virus may attempt to terminate tasks running in memory which have these names in them -

  antiv
  syman
  microsoft
  mcaf
  virus
  anti
  kasp
  

• The virus will attempt to connect to other systems on the same network - the virus will seek open shares on the C$ share and attempt to write itself as "winupdate.exe"
  

• The virus will attempt to look up Mail Exchange (MX) records for several domains, including some of the following -

  GTO.NET
  VIP1.GOLDEN.NET
  NETS.NET
  DOROTHY.BMC.COM
  GWIA.NETS.NET
  

• Next the virus will write three files to the infected system -

  undefinedWindowsundefined\System32\eCard.zip (23,162 bytes)
  undefinedWindowsundefined\System32\Explore.exe (23,040 bytes)
  undefinedRootundefined\CrOW.txt (24 bytes)
  

• The file "c:\CrOW.txt" contains this text -

  "i love u crow .... i do."
  

• The file "eCard.zip" is a PKZip archive and contains an infectious file "default.pif" with a size of 23,040 bytes
  

• The virus may attempt to send itself to email addresses found on the infected system, and in MIME encoding in the following format -

  From: "Superzone eCard" <ecard@superzone.com>
  Subject: Superzon eCard from Secret Admirer
  Body:
  eCard@Superzone is an online service for sending eCards.

  Dear reader,

  You have been sent an eCard from 'Secret Admirer'!
  To see the eCard, simply open the attachment.
  Send an eCard to someone that you care. It's free!

  eCard@Superzone
  http://eCard.Superzone.com

  Save trees, send eCards.
  eCard@Superzone: part of the Superzone Network
  http://www.superzone.com
  Attachment: eCard.zip
  

• The email will contain an infectious email attachment and commonly contains a fake "content" type tag -

  Content-Type: audio/x-wav;
  

• Virus contains the following strings in its code -

  ====== Created By ME ======
  ===========================
  THIS IS:
  DEFAULT, NIL, NULL, $NULL, NOTHING, ZERO
  ZIP, POFF, 0 WORM.
  it owns u.
  

Recommended Action

• Using the email content blocking feature of FortiGate, add the following text -
  eCard+Superzone
  

• Configure email servers to quarantine tagged email messages and delete messages as necessary