Description:
Details
I-Worm.Icecubes.a
This is an Internet worm that spreads as an attachment via e-mail. The worm itself is a Windows executable file about 18Kb in length. Upon being executed from an e-mail attachment, the worm installs itself to the system and hides its activity behind a humorous dialogue box that "configures" Windows icecubes.
While installing, the worm copies itself to the Windows system directory under the name WSOCK2.DLL (note: not WSOCK32.DLL, not WSOCK2.VXD), and infects the original WSOCK32.DLL Windows library by writing its code to the end of the file. This library is usually locked by Windows for writing, so the worm uses a standard trick: it copies the file under the name WSOCK32.INF, infects this copy, and writes a "rename" command to the WININIT.INI file, which replaces the original WSOCK32.DLL with the infected copy upon the next Windows restart.
The worm code in the infected WSOCK32.DLL hooks the "send" function and monitors all data that is sent. When a message is outgoing, the worm duplicates it with a second message that carries an attached ICECUBES.EXE file and:
Subject: Windows Icecubes !
Text:
I almost forgot. Look at what I found on the web. This tool scans your system for hidden Windows settings, better known as -Windows Icecubes-. These secret settings were built in by the Windows programmers. I think you might want to change them a little, just take a look ! :)
The worm also logs Internet login names and passwords to an ICECUBE.TXT file in the Windows directory.
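The following Python script is an added example and is not part of the original encyclopedia entry. It shows how a defender could check a Windows 9x machine image for the artifacts described above: a WININIT.INI "[rename]" entry that replaces WSOCK32.DLL with another file, code appended past the last section of the WSOCK32.DLL image (a PE overlay, which is what "writing its code to the end of the file" produces), and the file names the entry associates with the worm (WSOCK2.DLL, WSOCK32.INF, ICECUBE.TXT). The sample INI text and the minimal PE image are constructed inline for the demonstration; the paths in them are assumptions, and the PE builder produces a layout for parsing, not a runnable program.

```python
import struct

# Constructed sample WININIT.INI content (assumption: the exact paths are illustrative).
# The real file format is "[rename]" followed by destination=source lines,
# processed by Windows 9x on the next boot before the shell starts.
SAMPLE_WININIT = """[rename]
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.INF
"""

# File names the description above associates with the worm.
WORM_FILE_NAMES = {"wsock2.dll", "wsock32.inf", "icecube.txt"}


def parse_wininit_rename(ini_text):
    """Return (destination, source) pairs from the [rename] section of WININIT.INI text."""
    renames, section = [], None
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "rename" and "=" in line:
            dst, src = line.split("=", 1)
            renames.append((dst.strip(), src.strip()))
    return renames


def suspicious_renames(ini_text, protected=("wsock32.dll",)):
    """Flag rename entries whose destination is a protected system library."""
    hits = []
    for dst, src in parse_wininit_rename(ini_text):
        name = dst.replace("/", "\\").split("\\")[-1].lower()
        if name in protected:
            hits.append((dst, src))
    return hits


def suspicious_filenames(listing):
    """Return file names from a directory listing that match the worm's known names."""
    return sorted(n for n in listing if n.lower() in WORM_FILE_NAMES)


def pe_overlay_size(data):
    """Bytes appended past the last section of a PE image; 0 if none, None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + size_opt
    end = 0
    for i in range(num_sections):
        off = sec_table + i * 40
        if off + 40 > len(data):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    # A non-zero overlay is only an indicator: installers and signed binaries
    # also carry overlays, so compare against a known-good copy before acting.
    return max(0, len(data) - end)


def build_minimal_pe(section_raw_size, overlay=b""):
    """Construct a tiny one-section PE layout for testing (not executable)."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    raw_ptr = e_lfanew + 24 + 40
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", section_raw_size, 0x1000, section_raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020
    )
    return dos + coff + section + b"\x90" * section_raw_size + overlay


if __name__ == "__main__":
    print("rename entries:", suspicious_renames(SAMPLE_WININIT))
    print("file names:", suspicious_filenames(["KERNEL32.DLL", "WSOCK2.DLL", "ICECUBE.TXT"]))
    clean, infected = build_minimal_pe(512), build_minimal_pe(512, b"X" * 18000)
    print("overlay clean/infected:", pe_overlay_size(clean), pe_overlay_size(infected))
```

On a real image you would feed `suspicious_renames` the contents of C:\WINDOWS\WININIT.INI, `suspicious_filenames` a listing of the Windows and system directories, and `pe_overlay_size` the bytes of WSOCK32.DLL; a rename whose destination is WSOCK32.DLL combined with an overlay of roughly the worm's size is the pattern to look for.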
On July 1st, the worm displays the following message:
W9x.Icecubes / f0re [lz0]
Windows detected icecubes on your harddrive.
This may cause the system to stop responding.
Do you want Windows to remove all icecubes ?