Security Lab

WURMARK.S

WURMARK.S

Сетевой резидентный червь, распространяющийся по электронной почте. Распространяется через архивную копию в почтовых вложениях.

Сетевой резидентный червь, распространяющийся по электронной почте. Распространяется через архивную копию в почтовых вложениях.

Описание от Trend Micro:

Installation and Autostart Techniques

Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder as LSESS.EXE.

It also drops the following non-malicious files in the Windows system folder:

  • zlib.dll - a .DLL file used in compressing/decompressing of files
  • ansmtp.dll - a Simple Mail Transfer Protocol (SMTP) engine

It creates the following registry entries to enable itself to run at every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
lsess = "%System%\lsess.exe"

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and 2003.)

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\RunServicesOnce
lsess = "%System%\lsess.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
lsess = "%System%\lsess.exe"

It also has shell spawning mechanism that enables it to execute whenever text files are opened. It does this by creating the following registry entry:

HKEY_CLASSES_ROOT\txtfile\shell\open\command
@ = "%System%\lsess.exe %1"

name=EMAIL>

Propagation Via Email

This worm propagates by sending email messages with a zipped copy of itself as an attachment. The email that it sends out has the following details:

Subject: (any of the following)
• Administration
• approved
• Bad Request
• corrected
• Delivery Protection
• Delivery Server
• Encripted Mail
• Error
• Extended Mail
• Extended Mail System
• Failure
• hello
• important
• improved
• Mail Authentification
• Mail Server
• Notify
• patched
• Protected Mail Delivery
• Protected Mail Request
• Protected Mail System
• read it immediately
• Secure delivery
• Secure SMTP Message
• SMTP Server
• Status
• Thank you for delivery
• Thanks!

Message Body: (a combination of the following message strings)
• +++ Attachment: No Virus found
• +++ Bitdefender AntiVirus - www.bitdefender.com
• +++ Kaspersky AntiVirus - www.kaspersky.com
• +++ MC-Afee AntiVirus - www.mcafee.com
• +++ MessageLabs AntiVirus - www.messagelabs.com
• +++ Panda AntiVirus - www.pandasoftware.com
• ++++ F-Secure AntiVirus - www.f-secure.com
• ++++ Norman AntiVirus - www.norman.com
• ++++ Norton AntiVirus - www.symantec.de
• Authentication required.
• Bad Gateway: The message has been attached.
• Delivered message is attached.
• Encrypted message is available.
• ESMTP [Secure Mail System #334]: Secure message is attached.
• First part of the secure mail is available.
• Follow the instructions t read the message.
• For further details see the attachment.
• For more details see the attachment.
• Forwarded message is available.
• I have attached your document.
• I have received your document. The corrected document is attached.
• New message is available.
• Now a new message is available.
• Partial message is available. Waiting for a Response. Please read the attachment.
• Please authenticate the secure message.
• Please confirm my request.
• Please confirm the document.
• Please read the attached file!
• Please read the attached file!
• Please read the attachment t get the message.
• Please read the document.
• Please read the important document.
• Please see the attached file for details.
• Protected Mail System Test.
• Protected message is attached.
• Protected message is available.
• Requested file.
• Secure Mail System Beta Test.
• See the file.
• SMTP: Please confirm the attached message.
• Waiting for authentification.
• You got a new message.
• You have received an extended message. Please read the instructions.
• Your details.
• Your document is attached t this mail.
• Your document is attached.
• Your document.
• Your file is attached.
• Your requested mail has been attached.

Attachment: (any of the following)
• data.zip
• details.zip
• document.zip
• message.zip
• msg.zip
• readme.zip

(The attached .ZIP file contains any of the following files)
• Data.txt{spaces}.exe
• Delails.doc{spaces}.exe
• Document.txt{spaces}.exe
• Readme.txt{spaces}.exe

name=EXT>

This worm searches for target email address from files having the following extension names:

  • CFG
  • CGI
  • DBX
  • DHTM
  • DOC
  • EML
  • HTM
  • JSP
  • MBX
  • MDX
  • MHT
  • MMF
  • MSG
  • NCH
  • ODS
  • OFT
  • PHP
  • PPT
  • RTF
  • SHT
  • SHTM
  • STM
  • TBB
  • TXT
  • UIN
  • VBS
  • WAB
  • WSH
  • XLS
  • XML
name=STRING>

However, it avoids email addresses that have the following strings:

  • @antivir
  • @f-pro
  • @freeav
  • @f-secur
  • @kaspersky
  • @mcafee
  • @messagel
  • @microsof
  • @norman
  • @norton
  • @pandasof
  • @skynet
  • @sophos
  • @spam
  • @symatec
  • @viruslist
  • abuse@
  • noreply@
  • ntivir
  • reports@
  • spam@
name=ANTIVIRUS>

Antivirus Retaliation

This worm has the ability to terminate the following programs that are related to antivirus and security programs:

  • _avp32.exe
  • _avpcc.exe
  • _avpm.exe
  • ackwin32.exe
  • ADVXDWIN
  • alertsvc.exe
  • ALOGSERV
  • amon.exe
  • AMON9X
  • anti-trojan.exe
  • antivir
  • apvxdwin.exe
  • ATCON
  • ATUPDATER
  • ATWATCH
  • autodown.exe
  • AutoTrace
  • avconsol.exe
  • ave32.exe
  • AVGCC32
  • avgctrl.exe
  • AvgServ
  • AVGSERV9
  • avkpop
  • AvkServ
  • avkserv.exe
  • avkservice
  • avkwctl9
  • Avnt.exe
  • avp.exe
  • avp32.exe
  • avpcc.exe
  • avpdos32.exe
  • avpm.exe
  • avpmon.exe
  • avpnt.exe
  • avptc32.exe
  • avpupd.exe
  • Avrep32.exe
  • avsched32.exe
  • avsynmgr.exe
  • avwin95.exe
  • AVWINNT
  • avwupd32.exe
  • AVXMONITOR9X
  • AVXMONITORNT
  • AVXQUAR
  • blackd.exe
  • blackice.exe
  • BullGuard
  • CCAPP.EXE
  • cfgWiz
  • cfiadmin.exe
  • cfiaudit.exe
  • cfind.exe
  • cfinet.exe
  • cfinet32.exe
  • claw95.exe
  • Claw95cf.exe
  • claw95ct.exe
  • cleaner.exe
  • cleaner3.exe
  • clrav.com
  • CMGRDIAN
  • CONNECTIONMONITOR
  • CPDClnt
  • defalert
  • defscangui
  • DEFWATCH
  • DOORS
  • dv95.exe
  • dv95_o.exe
  • dvp95.exe
  • Dvp95_0.exe
  • ecengine.exe
  • EFINET32.EXE
  • EFPEADM
  • esafe.exe
  • espwatch.exe
  • ETRUSTCIPE
  • EXPERT
  • f-agnt95.exe
  • f-prot.exe
  • f-prot95.exe
  • f-stopw.exe
  • fameh32
  • fch32
  • fih32
  • filemon.exe
  • findviru.exe
  • fnrb32
  • fp-win.exe
  • fprot.exe
  • FPROT95.EXE
  • frw.exe
  • fsav32
  • fsgk32
  • fsm32
  • fsma32
  • fsmb32
  • gbmenu
  • GBPOLL
  • GENERICS
  • GUARD
  • iamapp.exe
  • iamserv.exe
  • IAMSTATS
  • IBMASN.EXE
  • ibmavsp.exe
  • icload95.exe
  • icloadnt.exe
  • icmon.exe
  • icmoon.exe
  • icssuppnt.exe
  • icsupp95.exe
  • Icsuppnt.exe
  • iface.exe
  • iomon98.exe
  • ISRV95
  • jed.exe
  • Jedi.exe
  • kpf.exe
  • KPFW32.EXE
  • LDPROMENU
  • LDSCAN
  • lockdown2000.exe
  • lockdownadvanced.exe
  • lookout.exe
  • luall.exe
  • lucomserver.exe
  • LUSPT
  • mcafee
  • MCAGENT
  • MCMNHDLR
  • MCTOOL
  • MCUPDATE
  • MCVSRTE
  • MCVSSHLD
  • MGHTML
  • MINILOG
  • Monitor.exe
  • moolive.exe
  • MPFSERVICE
  • mpftray.exe
  • msconfig.exe
  • MWATCH
  • n32scan.exe
  • N32scanw.exe
  • navapsvc.exe
  • navapw32.exe
  • NAVENGNAVEX15
  • navlu32.exe
  • navnt.exe
  • navrunr.exe
  • navsched.exe
  • navw.exe
  • navw32.exe
  • navwnt.exe
  • ndd32
  • NeoWatchLog
  • netutils
  • nisserv.exe
  • nisum.exe
  • nmain.exe
  • normist.exe
  • notstart.exe
  • npscheck
  • npssvc
  • nsched32.exe
  • Nspclean.exe
  • ntrtscan
  • NTVDM
  • NTXconfig
  • nupgrade.exe
  • nvc95.exe
  • NVSVC32
  • NWService
  • NWTOOL16
  • offguard.exe
  • outpost.exe
  • PADMIN
  • padmin.exe
  • pav.exe
  • pavcl.exe
  • pavmail.exe
  • pavproxy
  • Pavsched.exe
  • Pavw.exe
  • pcciomon.exe
  • pccmain.exe
  • pccwin97
  • pccwin98.exe
  • pcfwallicon.exe
  • pcntmon
  • pcscan
  • per.exe
  • perd.exe
  • persfw.exe
  • pertsk.exe
  • perupd.exe
  • pervac.exe
  • pervacd.exe
  • POP3TRAP
  • POPROXY
  • PORTMONITOR
  • pqremove.com
  • PROCESSMONITOR
  • procexp
  • PROGRAMAUDITOR
  • pview95
  • pview95.exe
  • rapapp.exe
  • rav7.exe
  • rav7win.exe
  • REALMON
  • regedit.exe
  • regedt32.exe
  • regmon.exe
  • rescue.exe
  • RTVSCN95
  • RULAUNCH
  • safeweb.exe
  • sbserv
  • scan32.exe
  • scan95.exe
  • scanpm.exe
  • scrscan.exe
  • serv95.exe
  • sfc.exe
  • smc.exe
  • sphinx.exe
  • SPYXX
  • SS3EDIT
  • sweep95.exe
  • SweepNet
  • SWNETSUP
  • SymProxySvc
  • SYMTRAY
  • taskmgr
  • TAUMON
  • tbscan.exe
  • tca.exe
  • TDS-3
  • tds2-98.exe
  • tds2-nt.exe
  • th.exe
  • th32.exe
  • th32upd.exe
  • thav.exe
  • thd.exe
  • thd32.exe
  • thmail.exe
  • vbcmserv
  • VbCons
  • VCONTROL.EXE
  • VET32.EXE
  • vet95.exe
  • vet98.exe
  • vettray.exe
  • VPC32
  • Vscan40.exe
  • vsecomr.exe
  • vshwin32.exe
  • VSMAIN
  • vsmon
  • vsscan40.exe
  • vsstat.exe
  • WATCHDOG
  • webscan.exe
  • webscanx.exe
  • WEBTRAP
  • wfindv32.exe
  • WGFE95
  • WIMMUN32
  • WrAdmin
  • WrCtrl
  • ZAP.EXE
  • ZAPD.EXE
  • ZAPPRG.EXE
  • zapro.exe
  • ZAPS.EXE
  • ZCAP.EXE
  • zonealarm.exe

Other Details

This worm drops the following zipped copies of itself on the affected system:

  • Credit Card.zip
  • Edonkey 1.1.zip
  • Emoticons MSN.zip
  • Hotmail Passwords HOWTO.me.zip
  • Norton Antivirus.zip
  • Overnet Full.zip
  • Windows Commander.zip
  • Windows XP Activate.zip
  • Winzip Cracked.zip

It drops the said files in folders that have any of the following strings in their names:

  • compart
  • download
  • incoming
  • share
  • shared

Platforms

This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.