Virus

W32/Sinala@mm

Analysis

  • Virus is 32-bit with a compressed file size of 22,528 bytes
  • Virus has infection methods for popular peer-to-peer file sharing applications, email and floppy drives
  • If the virus is run, it will copy itself to several places on the local system -

    c:\WINNT\spoolyb.exe
    c:\WINNT\svchost.exe
    c:\WINNT\system32\mope.scr

  • The virus will then modify the registry to auto run at next Windows startup -

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "Service Host" = C:\WINNT\spoolyb.exe

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL\
    "DisplayName" = System Registry Service

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TORVIL\
    "ImagePath" = C:\WINNT\spoolyb.exe -xStartOurNiceServicesYes

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    "w32alanis" = C:\WINNT\system32\mope.scr

  • The virus will also modify the registry to run any time certain file types are run -

    HKEY_CLASSES_ROOT\batfile\shell\open\command\
    "(Default)" = C:\WINNT\svchost.exe "%1" %*

    HKEY_CLASSES_ROOT\cmdfile\shell\open\command\
    "(Default)" = C:\WINNT\svchost.exe "%1" %*

    HKEY_CLASSES_ROOT\comfile\shell\open\command\
    "(Default)" = C:\WINNT\svchost.exe "%1" %*

    HKEY_CLASSES_ROOT\exefile\shell\open\command\
    "(Default)" = C:\WINNT\svchost.exe "%1" %*

    HKEY_CLASSES_ROOT\piffile\shell\open\command\
    "(Default)" = C:\WINNT\svchost.exe "%1" %*

    HKEY_CLASSES_ROOT\scrfile\shell\open\command\
    "(Default)" = C:\WINNT\svchost.exe "%1" /S
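    As an added example (not part of the original description), a small Python check that parses a registry export and flags the file-type handlers listed above whose (Default) command no longer starts with "%1"; the .reg content is constructed, and the stock handler commands are the Windows defaults for these six file types.

```python
import re

# Handlers the write-up lists as rewritten by W32/Sinala@mm, paired with the
# stock Windows default; the worm inserts its own svchost.exe copy in front.
STOCK_HANDLERS = {
    "batfile": '"%1" %*', "cmdfile": '"%1" %*', "comfile": '"%1" %*',
    "exefile": '"%1" %*', "piffile": '"%1" %*', "scrfile": '"%1" /S',
}
KEY_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\(\w+)\\shell\\open\\command\]$', re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Constructed .reg export: two handlers hijacked as described above and one
# still at its stock value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINNT\\svchost.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="C:\\WINNT\\svchost.exe \"%1\" /S"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

def unescape(value):
    """Undo .reg string escaping: a backslash quotes the next character."""
    return re.sub(r"\\(.)", r"\1", value)

def find_hijacked_handlers(reg_text):
    """Return {file type: command} for listed handlers whose (Default) value
    is not the stock command, i.e. something is launched before "%1"."""
    findings, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            continue
        val = DEFAULT_RE.match(line)
        if val and current in STOCK_HANDLERS:
            command = unescape(val.group(1))
            if command.strip().lower() != STOCK_HANDLERS[current].lower():
                findings[current] = command
    return findings
```

    Restoring a flagged handler to its stock command is the cleanup step; the worm's copy of svchost.exe in the Windows directory (not the real one in system32) is what the rewritten command launches.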

  • The virus may copy itself to the shared folders of some peer-to-peer file sharing applications such as Grokster, WinMX, Morpheus and Kazaa -

    C:\ARCHIV~1\Grokster\My Grokster\
    C:\archiv~1\WinMX\My Shared Folder\
    C:\ARCHIV~1\KaZaA\My Shared Folder\
    C:\archiv~1\Morpheus\My Shared Folder\
    C:\archiv~1\ICQ\shared files\
    C:\archiv~1\Edonkey2000\incoming\
    C:\archiv~1\KaZaA Lite\My Shared Folder\
    C:\Program Files\WinMX\My Shared Folder\
    C:\Program Files\KaZaA\My Shared Folder\
    C:\Program Files\Grokster\My Grokster\
    C:\Program Files\Morpheus\My Shared Folder\
    C:\Program Files\ICQ\shared files\
    C:\Program Files\Edonkey2000\incoming\
    C:\Program Files\KaZaA Lite\My Shared Folder\

  • The virus will attempt to copy itself to A: drives with these file names -

    a:\axebah.exe
    a:\ring.exe
    a:\piratas.scr
    a:\BadboysII.scr

  • The virus will write infectious HTML files in different locations - each HTML file contains an encoded copy of the virus, which is decoded and run if the HTML file is viewed on a vulnerable system -

    c:\alanis.html
    c:\avril.html
    c:\pamelaXXX.html
    c:\evan.html
    c:\emo.html
    c:\misdoc~1\alanis.html
    c:\misdoc~1\avril.html
    c:\misdoc~1\pamelaXXX.html
    c:\misdoc~1\evan.html
    c:\misdoc~1\emo.html

  • The virus may register a new file type on the infected system called ".MCG", associate it with Windows Media Player, and then make the file type directly executable -

    HKEY_CLASSES_ROOT\.mcg\
    "(Default)" = mcgfile

    HKEY_CLASSES_ROOT\mcgfile\
    "(Default)" = clip de video

    HKEY_CLASSES_ROOT\mcgfile\
    "NeverShowExt" = 1

    HKEY_CLASSES_ROOT\mcgfile\DefaultIcon\
    "(Default)" = C:\ARCHIV~1\REPROD~1\wmplayer.exe,-120

    HKEY_CLASSES_ROOT\mcgfile\Shell\Open\Command\
    "(Default)" = "%1" %*

  • The virus will then write numerous files with .MCG extensions in several places -

    c:\WINNT\Cleanmgr.mcg
    c:\WINNT\molani.scr
    c:\WINNT\system32\Cleanmgr.mcg

  • Two other files of the same size are created -

    c:\WINNT\system32\freesoft.avi.scr
    c:\WINNT\system32\kerneldll32.api

  • The virus may create an email message and send it to each contact in the Windows address book with the file attachment "alanis.exe" - the email message created will have Spanish subject and body text

  • Virus contains the string "[DemionKlaz]..................[DK]" in its code