Virus Update(r)

By Jim Freund | Dec 6, 2001 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/10952_935691_3/Virus-Updater.htm

It seems like these days you can't turn around without hearing about another virus hitting the bitstream. The latest to hit is called either W32/Updatr@MM or I-Worm.Updater depending on whose coinage you accept. It has also been identified as New Backdoor, New Worm, New Malware, and I-WORM.IMELDA. For our purposes, we will call it Updater. The worm appears to be a variant of VBS.Update, which first reared its ugly head in September of 2000.

This worm is yet another mass-mailer which uses Microsoft Outlook, in the by now standard way, as its first and foremost method of propagation: it mails itself to every entry in the Outlook Address Book. It sends an attachment which attempts to fool the user into believing that the file has a benign purpose. Updater is hard to recognize at first blush because it has no fixed subject line; instead it assembles one by stringing together phrases picked from the following groups, in order (the misspellings are the worm's own):

  • Group1 = "Have you ", "You Should ", "Just ", "Why Not you ", "How to ", "Re: ", "Fwd : "
  • Group2 = "Check ", "Check out", "Watch out ", "Open ", "Look at "
  • Group3 = "this ", "my ", "For this ", "The ", "Subject "
  • Group4 = "Report", "Documment", "Quotation", "Transaction", "Bank Account", "WTC Tragedy", "Osama Vs Bush", "Account", "Private Pic", "Picture ", "Program ", "Patch", "Nude pic"
Therefore a subject line might read "Have you Open Documment" or "Check out For this Report".

The body of the message is constant, but the attachment names can vary, and include:

  • Files.exe
  • install.exe
  • Letter.Doc.exe
  • Picture.exe
  • Picture.jpg.exe
  • Quotation.Doc.exe
  • Readme.exe
  • Setup.EXE

So a typical Updater-borne message may appear as follows:

   -----------------------------------------------------------
   From:        [Someone you may know]
   Subject:     Just Look at my Account
   Attachment:  Letter.Doc
   --
   Hi:
   This is the file you ask for, Please save it to disk and open this 
   file, it's very important.
   -----------------------------------------------------------
Take note that the attachment in this case is really Letter.Doc.exe: with the Windows default of hiding known file extensions still turned on, it is displayed as Letter.Doc, and the executable can carry a Word-document icon to complete the disguise. (See the end of this article for instructions on turning that default off.)
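The subject grammar and attachment names above make a cheap mail-gateway signature. The following Python is an added example, not code from the original article or from the worm's author: it compiles the four phrase groups into a regular expression (groups 1 and 3 treated as optional, since the article's own sample subjects omit them), checks attachment names against the list, and runs the check over a few constructed messages. The double-extension check generalizes beyond the listed names to any .DOC, .TXT or .JPG file name with .EXE or .VBS (the extension of the worm's dropped copies) tacked on.

```python
"""Mail-gateway check for the Updater worm's subject grammar and attachment names.

Added example, not from the original article. Phrase groups and attachment
names are the ones the article lists; the sample messages are constructed.
"""
import itertools
import re

GROUP1 = ["Have you ", "You Should ", "Just ", "Why Not you ", "How to ", "Re: ", "Fwd : "]
GROUP2 = ["Check ", "Check out", "Watch out ", "Open ", "Look at "]
GROUP3 = ["this ", "my ", "For this ", "The ", "Subject "]
GROUP4 = ["Report", "Documment", "Quotation", "Transaction", "Bank Account",
          "WTC Tragedy", "Osama Vs Bush", "Account", "Private Pic", "Picture ",
          "Program ", "Patch", "Nude pic"]

KNOWN_ATTACHMENTS = {"files.exe", "install.exe", "letter.doc.exe", "picture.exe",
                     "picture.jpg.exe", "quotation.doc.exe", "readme.exe", "setup.exe"}
# Generalization of the listed names: a document/image name with an executable
# (.exe) or script (.vbs, the extension of the worm's dropped copies) tacked on.
DOUBLE_EXT_RE = re.compile(r"\.(doc|txt|jpg)\.(exe|vbs)$", re.IGNORECASE)


def _alternation(phrases):
    """Turn a phrase group into a regex alternation. The worm's strings carry
    inconsistent trailing spaces, so match the trimmed phrase followed by any
    whitespace; longest phrases first so 'Check out' is tried before 'Check'."""
    ordered = sorted(phrases, key=len, reverse=True)
    return "(?:" + "|".join(re.escape(p.strip()) + r"\s*" for p in ordered) + ")"


# Groups 1 and 3 are optional: the article's own example subjects omit them.
SUBJECT_RE = re.compile(
    r"^\s*" + _alternation(GROUP1) + "?" + _alternation(GROUP2)
    + _alternation(GROUP3) + "?" + _alternation(GROUP4) + r"\s*$",
    re.IGNORECASE,
)


def all_subjects():
    """Every subject the grammar can produce (the worm's whole output space)."""
    for g1, g2, g3, g4 in itertools.product([""] + GROUP1, GROUP2, [""] + GROUP3, GROUP4):
        yield g1 + g2 + g3 + g4


def suspicious_reasons(subject, attachments):
    """Return the reasons a message looks like Updater; an empty list means clean."""
    reasons = []
    if SUBJECT_RE.match(subject):
        reasons.append("subject matches Updater phrase grammar")
    for name in attachments:
        if name.lower() in KNOWN_ATTACHMENTS:
            reasons.append(f"attachment {name} is a known Updater filename")
        elif DOUBLE_EXT_RE.search(name):
            reasons.append(f"attachment {name} has a disguised double extension")
    return reasons


def scan_messages(messages):
    """Map message id -> reasons for every message that trips a check."""
    flagged = {}
    for msg in messages:
        reasons = suspicious_reasons(msg["subject"], msg["attachments"])
        if reasons:
            flagged[msg["id"]] = reasons
    return flagged


# Constructed sample traffic: two worm messages, one benign reply, and one
# benign mail that shares a word with the grammar but not its structure.
SAMPLE_MESSAGES = [
    {"id": 1, "subject": "Just Look at my Account", "attachments": ["Letter.Doc.exe"]},
    {"id": 2, "subject": "Check out For this Report", "attachments": ["Picture.jpg.exe"]},
    {"id": 3, "subject": "Re: Meeting notes", "attachments": ["agenda.doc"]},
    {"id": 4, "subject": "Quarterly Report", "attachments": ["q3-report.pdf"]},
]

if __name__ == "__main__":
    for msg_id, reasons in scan_messages(SAMPLE_MESSAGES).items():
        print(msg_id, reasons)
```

Subject matching alone is a weak signal (a human could type "Open The Report"), so the attachment checks carry the decision; the subject match is there to raise the score, not to block on its own.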

The Payload
Of course, opening the attachment (or having it launched automatically by Outlook Express' Preview Pane) will run the executable and infect the machine. A fake File Open Error message is displayed stating: "Cannot Open File: It does not appear to be a valid archive. If you Downloaded this file, try Downloading the file again." This is intended to make the user believe that the file was merely corrupted, and not malicious.

When Updater is launched, it will copy and mail itself to everyone in the Outlook Address Book; it then saves a copy of itself as Update.exe in the WINDOWS (or WINDOWS\SYSTEM32) directory, and creates a registry Run entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Update=C:\WINDOWS\Update.exe

Also, a Visual Basic script is written to C:\WINDOWS\STARTM~1\PROGRAMS\STARTUP\Update.vbs

The former causes the worm to run again whenever Windows restarts if it has not been fully eradicated, while the latter, Update.vbs, searches your local and mapped network drives for .DOC, .EXE and .TXT files and saves a copy of itself beside each one. It does not alter the files it finds, but rather creates a new file with the same name plus .VBS appended. Therefore, README.TXT gains a neighbor called README.TXT.VBS.

The script identifies itself in its header as follows:

   I-WORM.IMELDA.B
   (C)2001, by Iwing
   Virusindo - Indonesian Virus Network
   http://indovirus.8m.com , IRC Dalnet #indovirus
Thereafter, on the 12th of each month, a message will appear, stating "Hi there... you are infected by some of IWING creations... Have a nice day."

The Bottom Line
As you can see, Updater's payload is not extremely harmful, but nevertheless it will compromise the security and integrity of your machine and network. Even though most anti-virus vendors have not (yet) rated Updater as a major threat, you still need to be vigilant against any kind of intrusion, since one minor incursion can set a pathway for a major one to get in.

Prevention and Removal
Keep those definitions and security patches up-to-date, and (try to) educate your users about attachments. Make sure you have altered the default behavior of Windows, Outlook, and Outlook Express so that they do not launch files automatically and do show the full filename.

To remove the worm from a system manually, open the Registry using RegEdit or a preferred tool, go to the Run key listed above, and remove the Update entry along with any other suspicious entries. Then reboot the machine into command-line mode or from a clean DOS floppy. Delete Update.exe from the Windows directory and Update.vbs from the Startup folder, then search local and mapped drives for the dropped copies (files ending in .DOC.VBS, .EXE.VBS or .TXT.VBS) and delete the suspicious ones.
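The dropped-copy rule described under The Payload (X.TXT gains a sibling X.TXT.VBS, the original untouched) and the manual search in the removal step above are easy to automate. The following Python is an added example, not the article's or the worm author's code: it walks a directory tree for .VBS files whose original sits beside them, treats a hit as the worm when it carries the header string quoted earlier or is byte-identical to another hit (a self-replicator drops the same file everywhere, whereas an admin's own script that happens to use the naming pattern is unique), locates Update.exe and Update.vbs by name, and deletes only the confirmed copies. The tree it scans is constructed in build_sample_tree() with placeholder content and contains no worm code; the registry step still has to be done by hand as described.

```python
"""Find and remove the .VBS shadow copies that Updater drops beside .DOC, .EXE
and .TXT files, following the naming rule the article gives (README.TXT gains
a README.TXT.VBS next to it; the original is untouched).

Added example, not code from the article or from the worm's author. The only
content marker used is the script header the article quotes; the sample
directory tree is constructed in build_sample_tree() and holds no worm code.
"""
import hashlib
import os
import shutil
import tempfile
from collections import Counter, namedtuple

SHADOWED_EXTENSIONS = (".doc", ".exe", ".txt")
MARKER = b"I-WORM.IMELDA.B"                      # from the dropped script's header
DROPPER_NAMES = {"update.exe", "update.vbs"}     # the Windows-dir and Startup copies

Hit = namedtuple("Hit", "shadow original digest has_marker")


def find_shadow_copies(root):
    """Return a Hit for every X.ext.VBS whose original X.ext sits beside it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for f in files:
            low = f.lower()
            if not low.endswith(".vbs"):
                continue
            stem = low[:-4]                          # readme.txt.vbs -> readme.txt
            if not stem.endswith(SHADOWED_EXTENSIONS) or stem not in by_lower:
                continue
            shadow = os.path.join(dirpath, f)
            with open(shadow, "rb") as fh:
                data = fh.read()
            hits.append(Hit(shadow, os.path.join(dirpath, by_lower[stem]),
                            hashlib.sha256(data).hexdigest(), MARKER in data))
    return hits


def worm_copies(hits):
    """A hit is the worm if it carries the marker or is byte-identical to another
    shadow copy; a legitimate script using the same naming pattern is unique."""
    counts = Counter(h.digest for h in hits)
    return [h for h in hits if h.has_marker or counts[h.digest] > 1]


def find_droppers(root):
    """Locate the Update.exe / Update.vbs copies by name, wherever they were placed."""
    return [os.path.join(d, f) for d, _, fs in os.walk(root)
            for f in fs if f.lower() in DROPPER_NAMES]


def remove_worm_copies(root, dry_run=True):
    """Delete the confirmed shadow copies (never the originals); report what went."""
    removed = []
    for hit in worm_copies(find_shadow_copies(root)):
        if not dry_run:
            os.remove(hit.shadow)
        removed.append(hit.shadow)
    return removed


def build_sample_tree(root):
    """Construct a tree resembling a machine Updater has touched (sample data only)."""
    payload = b"' I-WORM.IMELDA.B\r\n' (C)2001, by Iwing\r\n' (stand-in: no script body)\r\n"
    for rel in ("docs/README.TXT", "docs/Quotation.Doc", "share/Setup.EXE"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"untouched original\n")
        with open(path + ".VBS", "wb") as fh:           # the worm's shadow copy
            fh.write(payload)
    # An admin's own script with the same naming pattern: unique content, no marker.
    with open(os.path.join(root, "share", "notes.txt"), "wb") as fh:
        fh.write(b"to do\n")
    with open(os.path.join(root, "share", "notes.txt.vbs"), "wb") as fh:
        fh.write(b'WScript.Echo "rotate logs"\n')
    for rel in ("WINDOWS/Update.exe", "WINDOWS/Start Menu/Programs/StartUp/Update.vbs"):
        path = os.path.join(root, rel)                  # the dropper copies, by name
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder\n")


def demo():
    """Build the sample tree, scan it, clean it, and summarize the result."""
    root = tempfile.mkdtemp(prefix="updater-scan-")
    try:
        build_sample_tree(root)
        hits = find_shadow_copies(root)
        worm = worm_copies(hits)
        droppers = find_droppers(root)
        removed = remove_worm_copies(root, dry_run=False)
        remaining = worm_copies(find_shadow_copies(root))
        return {"shadow_hits": len(hits), "worm_hits": len(worm), "droppers": len(droppers),
                "removed": len(removed), "remaining_worm_hits": len(remaining),
                "originals_intact": all(os.path.exists(h.original) for h in hits),
                "review_left": [os.path.basename(h.shadow) for h in find_shadow_copies(root)]}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

On a real machine, run remove_worm_copies() with the default dry_run=True first and read the list before deleting; the unique, marker-free hits it leaves behind (like notes.txt.vbs in the sample) are the ones to review by hand.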

To alter the dangerous default behavior in Windows 9x or NT, open Windows Explorer, click View | Options | View, and uncheck the box with the label "Hide file extensions for known file types". In Windows 2000, the same thing can be done under Tools | Folder Options | View.

For more information on handling viruses, read Don't Let Viruses Knock You Out.

--
Jim Freund is the Managing Editor of CrossNodes.