|
|
I-Worm.Runnelo Viruses Information
| Name: |
I-Worm.Runnelo |
| Category: |
Viruses |
| Description:
|
Details
I-Worm.Runnelot
Runnelot is a worm virus spreading via the Internet as an attachment to infected emails. It also infects Win32 EXE files.
The worm itself is a Windows PE EXE file about 9KB in size when compressed by UPX; the decompressed size is about 20KB. It is written in Assembler.
The worm contains a "copyright" text string:
Runner "Pilot" 01/2003
Installing
While installing the worm writes its code to the Windows system directory with the "Runner.exe" name and registers that file in system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
Runner = Runner.exe /auto /rsrc32.dll
Infecting EXE files
The worm looks for PE EXE files and writes itself to the beginning of these files. It looks for victim EXE files in directories located on local and network hard drives.
To release control to host the program the worm creates on disk a disinfected copy and spawns it. In case of an error the worm displays fake error messages:
Error of loading WIN32.DLL file
Loading incomplete. Correct work is not warranted!
Continue?
General error 1452 in KERNEL32.DLL
Program terminated
Spreading: EMail
To send infected messages the worm uses direct access to the default SMTP server. To get victim email addresses the worm looks for *.HTM* files, it also writes these email addresses to the "runner.dll" file in the Windows system directory.
The infected messages have different fields that are randomly constructed from several variants:
From: "%str1%%str2%"
where following strings are randomly selected from:
%str1% : Dmitry Eugene Igor Jhon Mark Bill Frank Sam Tim Brad Samuel Dean Tom Robert Mostovoy Losinsky Kaspersky Danilov Smith Woodruf Brown Steel Driver Seldon Forge Stab McAndrew Gregor
%str2": @hotmail.com @yandex.ru @yahoo.com @newmail.ru
Subject: %subj1% %subj2%
where:
%subj1% :
Weclome to Pink World
Blacks on Blondes
New porno movies every day
TONS of porno movies
Fucking Wifes
%subj1% :
New FREE sex soft
FREE porno-soft
+ many FREE sex games
The body is randomly constructed from randomly selected text strings:
SUPERGAME! + Look as + fine + blonde
SEX SOFT! + hot mom
black hitchiker teen
dirty girl
amateur slut
petite babe
busty teen
wet secretary
wild wife
This is a free demo version, and we hope you want visit our web-site +
Please visit our web site +
+
WWW.EXPLOITEDPUSSY.COM
WWW.SLEAZYDREAM.COM
WWW.ALLHOTPORN.COM
WWW.TEENFILES.NET
WWW.ADULTMOVIESTATION.NET
WWW.DISCRETESEX.COM
+
to take more sex programs
to take full version
150 GIG OF DOWNLOADABLE MOVIES - FREE PASSWORD
HIGH QUALITY MPEGS - NEW SCENES EVERY DAY - 100k+ PICS TOO
Full lenght movies
THE BEST MOVIES ONLINE
HUGE archive of previous movies available! TONS of movies
+
Full screen quality
Ultra fast downloads
Updated every day
All in DVD quality
WEBMASTERS MAKE MONEY
GET FULL ACCESS TO OUR MEMBERS AREA FOR 30 MINUTES - FREE
GET YOUR 30 MINUTES FREE ACCESS
A new 150mb full lenght movie is added every day
+
Install NOW!!!
Installer in attach
Test our soft now!
or randomly selected from variants:
We presents to you ours new sex game as adversting
Install a locator of FREE sex movies of our site as adversting
Install porno screen saver as adversting
This is a new imitator as adversting
Attachment:
sexy + girls. + dll
hottest blonde.
cumshot pamela.
analsex lesbians.
oralsex teens.
asian virgins.
hardcore .
slut
doggy
sucking
messy
Payload
On February 13, March 7,16, April 21, May 8,18, June 11, July 3, August 29, October 30, November 5,26, December 11,30 the worm overwirtes all files in "Personal" folders ("My Documents", "History", "Cookies", e.t.c.). |
Top Viruses Visited Pages:
Invader. - 234 visits
not-a-virus:RiskWare.Tool.RegPatch. - 72 visits
Worm.P2P.Harex. - 65 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 59 visits
Small.58. - 56 visits
Coito.64 - 54 visits
I-Worm.Mapson. - 47 visits
Win16.Klon.1177 - 42 visits
Win32.Hidra - 42 visits
Marine.500 - 35 visits
Random Viruses Pages:
PMB
Win95.Zombie.458
Solar.9
Rajaat.14
Kirti.200
Win95.Iced.161
Macro.Word.Xenixo
Worm.Win32.Welchia.
Scitzo Famil
Oggo.383
|
|
