I-Worm.Choler Viruses Information

Name: I-Worm.Choler
Category: Viruses
I-Worm.Cholera

This is a virus-worm that spreads via the Internet and the local network. It arrives as a "SETUP.EXE" file attached to an e-mail message with the subject "Okall"; the message body contains just a smiley:
:-)

The attached file itself is a Microsoft C++ executable about 40 KB in length. The majority of the file is occupied by C++ run-time libraries and data; only about 7 KB of it is "pure" worm code.
The worm got its name because of the text string in its code:
CH0LERA - Bacterium BioCoded by GriYo / 29A

This string, like the rest of the worm's data, is stored encrypted in the worm's body.
Installing into the system
When the worm is executed for the first time (run from an infected attachment), it obtains its own module name and copies itself into the Windows directory as RPCSRV.EXE. To force Windows to run this file on the next reboot, the worm writes an additional "Run=" instruction to the WIN.INI file in the Windows directory (under Win9x), or modifies the corresponding key in the system registry (under WinNT).
To locate the Windows directory, the worm does not call the corresponding Windows API functions; instead it scans all available local drives, looks for subdirectories named WINDOWS, WIN95, WIN98, WIN or WINNT, and then looks for a WIN.INI file inside such a directory. If that file is found, the worm installs itself into the directory.
As a result, the worm may create several copies of itself on the same computer and infect every Windows installation on it. If a multiboot loader is installed and several different Windows versions are present, this trick allows the worm to activate whenever any of the Windows copies starts up.
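The directory-location trick and the WIN.INI "Run=" persistence described above can be turned into a hunt on a mounted disk image: walk the tree for the same candidate directory names, read each WIN.INI, and flag run=/load= entries or dropped files named RPCSRV.EXE, across every Windows install present, multiboot ones included. This is an added defender-side example, not code from the original description; the sample tree it builds is constructed for illustration.

```python
import os
import tempfile

WIN_DIR_NAMES = {"WINDOWS", "WIN95", "WIN98", "WIN", "WINNT"}  # names the worm scans for
WORM_FILE = "RPCSRV.EXE"  # name the worm installs itself under

def parse_win_ini_run(text):
    """Return the values of run= and load= lines in the [windows] section of a WIN.INI."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load"):
                entries.append(value.strip())
    return entries

def find_windows_dirs(root):
    """Same location trick as the worm: any WINDOWS/WIN95/... directory that holds a WIN.INI."""
    return [d for d, _, files in os.walk(root)
            if os.path.basename(d).upper() in WIN_DIR_NAMES
            and any(f.upper() == "WIN.INI" for f in files)]

def scan(root):
    """Return (windows_dir, reason) findings for every install under root, multiboot ones included."""
    findings = []
    for wdir in find_windows_dirs(root):
        names = os.listdir(wdir)
        ini = next(f for f in names if f.upper() == "WIN.INI")
        with open(os.path.join(wdir, ini), encoding="latin-1") as fh:
            for entry in parse_win_ini_run(fh.read()):
                if WORM_FILE.lower() in entry.lower():
                    findings.append((wdir, "WIN.INI run/load entry: " + entry))
        if any(f.upper() == WORM_FILE for f in names):
            findings.append((wdir, WORM_FILE + " present in Windows directory"))
    return findings

def build_sample_tree():
    """Constructed sample: two installs on one disk, WIN98 infected, WINNT clean."""
    root = tempfile.mkdtemp()
    for name in ("WIN98", "WINNT"):
        os.makedirs(os.path.join(root, name))
    with open(os.path.join(root, "WIN98", "WIN.INI"), "w") as fh:
        fh.write("[windows]\nload=\nrun=C:\\WIN98\\RPCSRV.EXE\n[Desktop]\nWallpaper=(None)\n")
    open(os.path.join(root, "WIN98", "RPCSRV.EXE"), "wb").close()
    with open(os.path.join(root, "WINNT", "WIN.INI"), "w") as fh:
        fh.write("[windows]\nrun=\nload=\n")
    return root
```

Run `scan(build_sample_tree())` to see two findings for the WIN98 directory and none for WINNT; point `scan` at a mounted image root to hunt for real.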
To hide its activity, the worm displays the fake message:

Further spreading
Upon the next Windows start-up, the worm copy is activated by the Run command in the WIN.INI file. It takes control and registers itself in memory as a hidden application (an invisible service), which also lets the worm stay active when a user logs off. The worm then runs two more routines in addition to the installation one: the first spreads the worm through the local network, and the second sends infected e-mail messages. The installation routine stays active as well, so the worm can infect a new Windows copy if one appears on the computer. All the routines run as threads of the main process, so they do their work in parallel.
The first of the new routines spreads the worm copy through the network. It enumerates all network drives, scans them for Windows directories, copies the worm's RPCSRV.EXE file there and registers it in the WIN.INI file in the same remote directory. As a result, on the next reboot the worm is activated on the remote computer and spreads itself further.
The second routine sends infected messages to Internet addresses. To send its copy, the worm uses the SMTP protocol over a direct connection, so its spreading does not depend on the type of e-mail application used on the system.
Once every six seconds, this routine enumerates all active program windows and looks for Internet applications: Outlook, Cuteftp, Internet Explo, Telnet, Mirc. If any of these applications is active, the worm takes it to mean that the computer is connected to the Internet (this check is necessary because of the direct SMTP connection the worm uses).
The worm then gets the SMTP server address and the user's e-mail address from system registry keys, builds a new message, attaches its copy under the name SETUP.EXE and sends it.
The Internet addresses to which the worm sends its copies are collected from files in the Windows directory and its subdirectories. The worm scans all files there, selects those with the extensions .HTM, .TXT, .EML, .DBX, .MBX, .NCH and .IDX, and extracts e-mail-address-like strings from them. On each sending run, the worm sends itself to no more than ten addresses.
© 2006-2008 spyware32.com