W32/Wurmark.J@mm

Analysis

This variant of Wurmark contains a keylogger component that submits data to the web address 'melaniecarroll.biz'. This virus is also a mass-mailer threat.

Loads at Windows startup
If this threat is run, it will copy itself to the System32 folder under a random name and also drop a .ZIP file containing a copy of the threat, such as -

C:\WINNT\system32\NVJQLL.EXE [80,384 bytes]
C:\WINNT\system32\song.zip [80,616 bytes]

The virus will then register itself to run at each Windows startup -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"nvjqll" = nvjqll.exe

Mass-mailing component
This virus carries a mass-mailing routine that resembles that of other viruses. It searches files with certain file extensions for what it considers usable email addresses. This is the list of file extensions used -

.SHT
.ASP
.HTM
.MBX
.EML
.TBB
.DBX

The virus will avoid selecting email addresses that have any of these names as a prefix or suffix to the address -

admin
hostmaster
messagelab
symantec
localdomain
localhost
mcafee
postmaster
webmaster
spam
reports
noreply
recipients
abuse
microsoft
root

The virus then creates email messages based on hard-coded text stored in the virus body, and attaches files to the message. The attached files are copies of the virus and have one aspect that qualifies as a form of social engineering - the file has a double extension, with a run of spaces pushing the real .SCR extension out of view. These are examples of the file names that could be used for the viral attachment -

screensaver [numerous spaces] .scr
song.wav [numerous spaces] .scr
music.mp3 [numerous spaces] .scr
video.avi [numerous spaces] .scr
photo.jpg [numerous spaces] .scr
girls.jpg [numerous spaces] .scr
pic.jpg [numerous spaces] .scr
message.txt [numerous spaces] .scr
image.jpg [numerous spaces] .scr
news.doc [numerous spaces] .scr
details.doc [numerous spaces] .scr
resume.doc [numerous spaces] .scr
love.jpg [numerous spaces] .scr
readme.txt [numerous spaces] .scr

The virus could also send a .ZIP file attachment containing a copy of the virus.
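The padded double-extension names listed above are easy to catch at a mail gateway once the check is written against the extension Windows actually uses (the last one) rather than the one the eye sees (the first one). The following is an added example, not code from the Fortinet page or from the worm, showing a filename inspector that flags whitespace padding before an executable extension, plain document-then-executable double extensions, and bare executables, and then applies the same check to every member of a ZIP attachment held in memory. The extension sets, the `Verdict` type and the constructed sample ZIP are this example's own assumptions.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List

# Extensions Windows will execute when the attachment is opened.
EXECUTABLE_EXTENSIONS = {"scr", "exe", "pif", "com", "bat", "cmd"}
# Extensions a sender might use as a decoy in front of the real one.
DECOY_EXTENSIONS = {"wav", "mp3", "avi", "jpg", "jpeg", "gif", "txt", "doc", "pdf", "zip"}


@dataclass
class Verdict:
    suspicious: bool
    reason: str


def inspect_attachment_name(name: str) -> Verdict:
    """Classify an attachment filename by the extension Windows will honour."""
    stripped = name.rstrip()
    # The final extension decides the handler; require it to sit right after a dot.
    last = re.search(r"\.([A-Za-z0-9]{1,4})$", stripped)
    if not last:
        return Verdict(False, "no extension")
    real_ext = last.group(1).lower()
    if real_ext not in EXECUTABLE_EXTENSIONS:
        return Verdict(False, "non-executable extension ." + real_ext)
    stem = stripped[: last.start()]
    # Two or more consecutive spaces/tabs in the stem is the padding trick
    # described above: the real extension is pushed off the visible width.
    if re.search(r"[ \t]{2,}", stem):
        return Verdict(True, "executable ." + real_ext + " hidden behind whitespace padding")
    # Plain double extension: "photo.jpg.scr" with a media/document decoy inside.
    inner = re.search(r"\.([A-Za-z0-9]{1,4})\s*$", stem)
    if inner and inner.group(1).lower() in DECOY_EXTENSIONS:
        return Verdict(True, "decoy ." + inner.group(1).lower() + " followed by executable ." + real_ext)
    return Verdict(True, "bare executable attachment ." + real_ext)


def inspect_zip(data: bytes) -> List[Verdict]:
    """Run the filename check over every file inside a ZIP attachment."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = info.filename.rsplit("/", 1)[-1]
            verdict = inspect_attachment_name(member)
            results.append(Verdict(verdict.suspicious, info.filename + ": " + verdict.reason))
    return results


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP whose one member mimics the worm's padded name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("song.wav" + " " * 40 + ".scr", b"placeholder bytes, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in ("song.wav" + " " * 60 + ".scr", "photo.jpg.scr", "photo.jpg", "readme.txt"):
        print(repr(sample[:16]), inspect_attachment_name(sample))
    for v in inspect_zip(build_sample_zip()):
        print("zip member:", v)
```

Because `inspect_attachment_name` only trusts the trailing extension, renaming the decoy part (`resume.doc`, `love.jpg`, a bare `screensaver`) does not change the outcome; the padding itself is the signal.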

Keylogger component
This threat will write a file to the System32 folder such as -

C:\WINNT\system32\fculssac.dll [77,824 bytes]

The threat will then register this component to load with Windows via numerous registry keys -

HKEY_CLASSES_ROOT\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}
"(Default)" = SpyBHO Class

HKEY_CLASSES_ROOT\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\InprocServer32
"(Default)" = C:\WINNT\System32\fculssac.dll
"ThreadingModel" = Apartment

HKEY_CLASSES_ROOT\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ProgID
"(Default)" = IESpy.SpyBHO.1

HKEY_CLASSES_ROOT\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\TypeLib
"(Default)" = {84695FC8-A8A8-11D8-978E-005022E14DE2}

HKEY_CLASSES_ROOT\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\VersionIndependentProgID
"(Default)" = IESpy.SpyBHO

HKEY_CLASSES_ROOT\IESpy.SpyBHO
"(Default)" = SpyBHO Class

HKEY_CLASSES_ROOT\IESpy.SpyBHO\CLSID
"(Default)" = {84695FD5-A8A8-11D8-978E-005022E14DE2}

HKEY_CLASSES_ROOT\IESpy.SpyBHO\CurVer
"(Default)" = IESpy.SpyBHO.1

HKEY_CLASSES_ROOT\IESpy.SpyBHO.1
"(Default)" = SpyBHO Class

HKEY_CLASSES_ROOT\IESpy.SpyBHO.1\CLSID
"(Default)" = {84695FD5-A8A8-11D8-978E-005022E14DE2}

HKEY_CLASSES_ROOT\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}
"(Default)" = ISpyBHO

HKEY_CLASSES_ROOT\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ProxyStubClsid
"(Default)" = {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\ProxyStubClsid32
"(Default)" = {00020424-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}\TypeLib
"(Default)" = {84695FC8-A8A8-11D8-978E-005022E14DE2}
"Version" = 1.0

HKEY_CLASSES_ROOT\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0
"(Default)" = IESpy 1.0 Type Library

HKEY_CLASSES_ROOT\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\0\win32
"(Default)" = C:\WINNT\System32\fculssac.dll

HKEY_CLASSES_ROOT\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\FLAGS
"(Default)" = 0

HKEY_CLASSES_ROOT\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}\1.0\HELPDIR
"(Default)" = C:\WINNT\System32\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84695FD5-A8A8-11D8-978E-005022E14DE2}
"(Default)" =

The component logs keystrokes to a randomly named file in the System32 folder, such as "hivakkli.dll". As keys are typed, this file grows in size. Periodically, the threat may submit the data stored in this file via HTTP POST to the web address 'melaniecarroll.biz'.
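The registry keys listed for the Run entry and the Browser Helper Object are what a responder would confirm on a suspect host. The following is an added example, not code from the Fortinet page or from the worm, that parses a regedit export (.reg text), lists the HKLM Run entries, and resolves every registered BHO CLSID through HKEY_CLASSES_ROOT\CLSID\{clsid}\InprocServer32 to the DLL that Internet Explorer will load. The sample export is constructed here from the values on this page; the "bare filename" and "DLL directly in System32" flags are this example's own heuristics, and the parser handles only string values.

```python
import re
from typing import Dict, List

# Constructed sample of a regedit export holding the persistence entries
# described above. In .reg files the default value is written as "@" and
# backslashes inside string values are doubled.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nvjqll"="nvjqll.exe"

[HKEY_CLASSES_ROOT\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}]
@="SpyBHO Class"

[HKEY_CLASSES_ROOT\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\InprocServer32]
@="C:\\WINNT\\System32\\fculssac.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}\ProgID]
@="IESpy.SpyBHO.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84695FD5-A8A8-11D8-978E-005022E14DE2}]
@=""
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
# CLSID and ProgID the analysis above attributes to the keylogger component.
KNOWN_BAD_CLSIDS = {"{84695FD5-A8A8-11D8-978E-005022E14DE2}"}
KNOWN_BAD_PROGID_PREFIX = "IESpy.SpyBHO"

RegTree = Dict[str, Dict[str, str]]  # lower-cased key path -> {value name: value}


def parse_reg_export(text: str) -> RegTree:
    """Minimal parser for regedit export text; string values are unescaped, others kept raw."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            tree.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        tree[current][name] = value
    return tree


def run_entries(tree: RegTree) -> List[dict]:
    """Each HKLM Run value, flagged when the command carries no directory at all."""
    entries = []
    for name, command in sorted(tree.get(RUN_KEY.lower(), {}).items()):
        image = command.strip('"').split(" ")[0]
        flags = []
        if "\\" not in image:
            flags.append("bare filename; resolved through the loader search path")
        entries.append({"name": name, "command": command, "flags": flags})
    return entries


def resolve_bhos(tree: RegTree) -> List[dict]:
    """Map every registered Browser Helper Object CLSID to the DLL COM will load."""
    prefix = BHO_KEY.lower() + "\\"
    results = []
    for path in tree:
        if not path.startswith(prefix):
            continue
        clsid = path[len(prefix):].upper()
        base = "hkey_classes_root\\clsid\\" + clsid.lower()
        name = tree.get(base, {}).get("(Default)", "")
        dll = tree.get(base + "\\inprocserver32", {}).get("(Default)", "")
        progid = tree.get(base + "\\progid", {}).get("(Default)", "")
        flags = []
        if clsid in KNOWN_BAD_CLSIDS or progid.startswith(KNOWN_BAD_PROGID_PREFIX):
            flags.append("matches Wurmark.J indicator")
        # Heuristic: legitimate BHOs normally live under a vendor directory,
        # not as a randomly named DLL dropped straight into System32.
        if re.search(r"\\system32\\[^\\]+\.dll$", dll, re.IGNORECASE):
            flags.append("DLL lives directly in System32")
        results.append({"clsid": clsid, "name": name, "progid": progid, "dll": dll, "flags": flags})
    return results


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for entry in run_entries(parsed):
        print("Run:", entry)
    for bho in resolve_bhos(parsed):
        print("BHO:", bho)
```

On a live host the same two lookups are what `reg export` followed by this script, or a direct read of the Run and Browser Helper Objects keys, would produce; the CLSID under Browser Helper Objects is only a pointer, so the DLL path always has to be resolved through HKEY_CLASSES_ROOT\CLSID before deciding what to remove.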


Recommended Action


    FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2020-03-12 75.91400 Sig Added
2020-03-10 75.86200 Sig Updated
2020-03-05 75.74300 Sig Added
2020-03-04 75.71900 Sig Updated
2019-02-26 66.67100 Sig Added