Virus

W32/Zoek.D@mm

Analysis

  • Virus is 32bit, with a UPX compressed size of 217,600 bytes
  • When first executed, virus may display an image and in the background, the virus may initiate WINIPCFG.EXE in order to capture IP information to a file named "ipinfo.txt" and save this file into the Windows folder.
  • The virus may then write two Uuencoded files which are then decoded -

    c:\WINDOWS\hoen.txt -> hoen.exe - 40Kb Trojan
    c:\WINDOWS\tcasuta.txt -> tcasuta.exe - 220Kb virus

  • The file hoen.exe is executed at next Windows startup and is then copied to the Windows\System folder as "tcasutb.exe", the registry is then modified to load this file at Windows startup and open connections with the Internet on TCP port
    33530 -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices\
    tcasutb.exe = "C:\WINDOWS\SYSTEM\tcasutb.exe"

  • Virus backs up copies of the mailboxes for Outlook Express and prefixes the backup .DBX file with "bek" as in this example -

    c:\WINDOWS\Application Data\Identities\
    {longstring}\Microsoft\Outlook Express\bekInbox.dbx
    The virus scavenges these files for email addresses to create a list of targets.

  • The virus writes additional files to the Windows folder -

    * accountboy.ini - contains POP3/SMTP email configuration details in the following format:

    [POP3]
    Server=text
    User Name=text
    [SMTP]
    Server=text
    User Name=text
    Display Name=text

    * attachready.ini - contains date email propagation routine was initiated, in this format:

    [MAIL]
    Done=mm/dd/yy

    * mailboy.ini - contains email addresses, in this format:

    [First]
    1=email address

    [Rest]
    2=email address
    3=email address

    Continues for as many address as could be found in the Windows address book

    * mailboy2.ini - contains all email addresses found by searching all .DBX folders related to Outlook Express, in this format:

    [victims]
    0=email address
    1=email address
    2=email address
    3=email address
    4=email address (and so on)

    [candidates]
    0=email address

    * passboy.ini - contains email configuration data

  • Virus attempts to connect to one of several hard-coded SMTP servers and send itself as a single MIME encoded message to each contact listed in the Outlook Address Book in this format (the URL in the body is no longer accessible) -

    Subject = Maxima Screensaver
    Body =
    http://home.wanadoo.nl/kees.tittel/screenmaxima.scr
    Attachment = "screenmaxima.scr"