Virus Update(r)

There's yet another mass-mailer on the loose called Updater -- It seems as if we need to cover the Virus of the Day. This latest malicious offering uses Visual Basic to worm its way into your network. Read on to learn about Updater's aliases, appearance, payload, and how to remove it.

By Jim Freund | Posted Dec 6, 2001
Page 1 of 3
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

It seems like these days you can't turn around without hearing about another virus hitting the bitstream. The latest to hit is called either W32/Updatr@MM or I-Worm.Updater depending on whose coinage you accept. It has also been identified as New Backdoor, New Worm, New Malware, and I-WORM.IMELDA. For our purposes, we will call it Updater. The worm appears to be a variant on VBS.Update which first reared its ugly head in September of 2000.

This trojan is yet another mass-mailer which uses the (now) standard Microsoft Outlook exploit as its first and foremost method of propagation. It sends an attachment which attempts to fool the user into believing that the file has a benign purpose. Updater is hard to recognize at first blush as it can generate a number of subjects from a series of grouped phrases in succession.

  • Group1 = "Have you ", "You Should ", "Just ", "Why Not you ", "How to ", "Re: ", "Fwd : "
  • Group2 = "Check ", "Check out", "Watch out ", "Open ", "Look at "
  • Group3 = "this ", "my ", "For this ", "The ", "Subject "
  • Group4 = "Report", "Documment", "Quotation", "Transaction", "Bank Account", "WTC Tragedy", "Osama Vs Bush", "Account", "Private Pic", "Picture ", "Program ", "Patch", "Nude pic"
Therefore a subject line might read "Have you Open Documment" or "Check out For this Report".

The body of the message is constant, but the attachment names can vary, and include:

  • Files.exe
  • install.exe
  • Letter.Doc.exe
  • Picture.exe
  • Picture.jpg.exe
  • Quotation.Doc.exe
  • Readme.exe
  • Setup.EXE

So a typical Updater-borne message may appear as follows:

   -----------------------------------------------------------
   From:        [Someone you may know]
   Subject:     Just Look at my Account
   Attachment:  Letter.Doc
   --
   Hi:
   This is the file you ask for, Please save it to disk and open this 
   file, it's very important.
   -----------------------------------------------------------
Take note that the attachment in this case may bear a Word icon if you do not have the Windows default of hide known file extensions turned off. (See the end of this article for instructions.)

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter