Description:
Details
I-Worm.Finaldo.a
This is a virus-worm that spreads via the Internet as an attachment to infected e-mail messages. The virus also infects Windows executable files on the local machine and on the local network.
The virus is memory resident and polymorphic.
The virus contains bugs, and infected files often crash on startup.
The virus body contains the following text strings:
"Coded_by_CJH"
"It's only a demo version."
"Made in china"
Infected EXE
In infected Windows EXE files the virus is encrypted with polymorphic code. When an infected file is run, the polymorphic routine gains control, decrypts the virus dropper and passes control to it. The dropper simply extracts the main virus code to the file FINALDOOM.DLL in the Windows temporary directory and loads it, which activates the main virus code. The dropper in the EXE file then returns control to the host file.
The DLL file is also given the hidden attribute.
Main Virus Routine
The virus' main component (the main virus code) is a Windows PE library (DLL file) about 31Kb in length, compressed with the UPX PE file-compression utility.
When run, it creates two more files in the Windows TEMP directory: FINALDOOM.EML and FINALDOOM.EXE. The first is an e-mail message file that is later sent to victim users. The second (the EXE file) is a temporary file the virus uses to generate the MIME block in its EML file.
The virus then stays resident in Windows memory and hooks four Windows API functions:
- file searching (FindNextFileA, FindNextFileW): both hooks provide stealth, hiding FINALDOOM.DLL from directory listings
- file opening (CreateFileA, CreateFileW): these hooks infect EXE, SCR and OCX files and modify HTM, HTML and ASP files
The virus also spreads across the local network using Windows network functions: it infects EXE files on shared network resources to which it has read-write access.
Infection
When infecting EXE files, the virus appends itself to the end of the file. The worm checks both the file name and the file contents, and does not infect NTOSKRNL.EXE or WinZip and RAR self-extracting archives.
When modifying HTML pages, the worm inserts an "open eml file" command (similar to the "Nimda" worm) and copies its FINALDOOM.EML file into the same directory.
E-Mail
Before spreading via e-mail, the virus sleeps for about 30 minutes and then runs its spreading routine. The routine runs again about 30 minutes later, so the worm spreads roughly once every half hour.
When spreading, the worm uses MAPI to connect to the e-mail client, reads e-mail messages and "answers" them.
The worm's "answer" is similar to that of the "Nimda" worm and exploits the same security vulnerability to be activated automatically on the victim's machine.
Backdoor
The virus also has a backdoor component that offers just four functions to a remote host:
- upload and execute a file on the infected computer
- exit Windows
- exit the backdoor routine
- report the following message to the remote host:
"Finaldoom is coming ! Don't worryall It's no harm to your system !"