Virus

W32/Wozer.A!worm

Analysis

  • Virus is 32bit with a compressed file size of 23,040 bytes
  • Virus may be introduced to the system through email, network shares or from an infected user across IRC
  • If the virus is run, it will write itself to the undefinedWindowsundefined\System32 folder as "Explore.exe" and modify the registry to load when the common Windows shell Explorer is run at next Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\
    CurrentVersion\Winlogon\
    Shell = Explorer.exe Explore.exe

  • The virus will then modify the infected system by changing DHCP settings and the established IP address - this is done in the registry -

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    (LAN card CSLID)\Parameters\Tcpip\
    "DhcpIPAddress" = 169.254.20.244
    "DhcpServer" = 255.255.255.255
    "DhcpSubnetMask" = 255.255.0.0

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    Tcpip\Parameters\Interfaces\(LAN card CSL)\
    "AddressType" = 01, 00, 00, 00
    "DhcpIPAddress" = 169.254.20.244
    "DhcpServer" = 255.255.255.255
    "DhcpSubnetMask" = 255.255.0.0
    "IPAutoconfigurationAddress" = 169.254.20.244

  • The virus deletes existing keys which are also related to DHCP settings -
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    (LAN card CSLID)\Parameters\Tcpip\
    "DhcpDefaultGateway"
    "DhcpSubnetMaskOpt"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\
    "(LAN card CSLID)"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
    "DhcpDomain"
    "DhcpNameServer"

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\
    Parameters\Interfaces\(LAN card CSLID)\
    "DhcpDefaultGateway"
    "DhcpDomain"
    "DhcpNameServer"
    "DhcpSubnetMaskOpt"

  • The virus may attempt to terminate tasks running in memory which have these names in them -

    antiv
    syman
    microsoft
    mcaf
    virus
    anti
    kasp

  • The virus will attempt to connect to other systems on the same network - the virus will seek open shares on the C$ share and attempt to write itself as "winupdate.exe"

  • The virus will attempt to look up Mail Exchange (MX) records for several domains, including some of the following -

    GTO.NET
    VIP1.GOLDEN.NET
    NETS.NET
    DOROTHY.BMC.COM
    GWIA.NETS.NET

  • Next the virus will write three files to the infected system -

    undefinedWindowsundefined\System32\eCard.zip (23,162 bytes)
    undefinedWindowsundefined\System32\Explore.exe (23,040 bytes)
    undefinedRootundefined\CrOW.txt (24 bytes)

  • The file "c:\CrOW.txt" contains this text -

    "i love u crow .... i do."

  • The file "eCard.zip" is a PKZip archive and contains an infectious file "default.pif" with a size of 23,040 bytes

  • The virus may attempt to send itself to email addresses found on the infected system, and in MIME encoding in the following format -

    From: "Superzone eCard" <ecard@superzone.com>
    Subject: Superzon eCard from Secret Admirer
    Body:
    eCard@Superzone is an online service for sending eCards.

    Dear reader,

    You have been sent an eCard from 'Secret Admirer'!
    To see the eCard, simply open the attachment.
    Send an eCard to someone that you care. It's free!

    eCard@Superzone
    http://eCard.Superzone.com

    Save trees, send eCards.
    eCard@Superzone: part of the Superzone Network
    http://www.superzone.com

    Attachment: eCard.zip

  • The email will contain an infectious email attachment and commonly contains a fake "content" type tag -

    Content-Type: audio/x-wav;

  • Virus contains the following strings in its code -

    ====== Created By ME ======
    ===========================
    THIS IS:
    DEFAULT, NIL, NULL, $NULL, NOTHING, ZERO
    ZIP, POFF, 0 WORM.
    it owns u.

Recommended Action

  • Using the email content blocking feature of FortiGate, add the following text -
    eCard+Superzone
  • Configure email servers to quarantine tagged email messages and delete messages as necessary