I-Worm.SSIW Viruses Information

Name: I-Worm.SSIW
Category: Viruses
Description: Details
I-Worm.SSIWG

This is a "LoveLetter"-like Internet worm that spreads via e-mail by sending infected messages from infected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses stored in the MS Outlook Address Book.
The known worm version contains a mistake (one instruction is mistyped), so the worm is not able to spread its copies via e-mail messages. The mistake may be easily fixed, however, after which the worm would be able to spread.
The worm is able to propagate through a local network. To do this, the worm enumerates network resources and copies itself to them. The worm is not able to activate itself on a remote computer, and infects it only if the worm copy happens to be run by a user.
The worm itself is a VBS script program.
The worm arrives as an e-mail message with:
Subject: I'am missing U
Message body: Could u remember me ?
Attachment name: Y072QWV.VBS
Upon being activated by a user, the worm copies itself to the Windows system directory with the same name (Y072QWV.VBS) and registers this copy in the auto-run section in the system registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Y072QWV" = %Windir%\Y072QWV.VBS
where "Windir" is the name of the Windows system directory.
The worm then spreads through a local network by copying its "Y072QWV.VBS" file to the root directory on drives shared for writing.
To send infected messages, the worm connects to MS Outlook, obtains all addresses from the address book and sends its messages to them (the subject, body and attachment name are the same as listed above).
Because the worm registers itself in the auto-run registry section, it is activated upon each Windows boot-up, but it does not spread by e-mail messages each time it is run. The worm has a counter that is stored in the Windows registry:
HKEY_LOCAL_MACHINE "Y072QWV" = number
where "number" is the number of starts (upon each start, the worm increases this counter). When the counter reaches 20, the worm resets it to zero and then runs an Outlook infection routine. Otherwise, the worm skips it.
As a result, the worm sends infected messages only upon the first run (being activated from an infected message), and upon each 20th reboot. The local network spreading routine is activated each time the worm starts.
The worm has a feature that makes its detection slightly more difficult. All text strings in the worm code are lightly encrypted, and the worm decrypts them when it needs to use them.
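The indicators described above (message subject, attachment name, and the auto-run registry value) can be checked offline against a saved message and a registry text export. The following is an added example, not part of the original description; the function names, the sample message and the sample `.reg` export are constructed for illustration.

```python
import email
import re
from email import policy

# Indicators taken from the description above (compared case-insensitively).
WORM_FILE = "y072qwv.vbs"
WORM_SUBJECT = "i'am missing u"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

# Constructed sample inputs (not captured data; the attachment body is a placeholder).
SAMPLE_MAIL = "\n".join([
    "From: a@example.invalid", "To: b@example.invalid",
    "Subject: I'am missing U", "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"', "",
    "--b1", "Content-Type: text/plain", "", "Could u remember me ?",
    "--b1", "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="Y072QWV.VBS"', "",
    "placeholder, not worm code", "--b1--", ""])
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Y072QWV"="C:\\WINDOWS\\Y072QWV.VBS"
'''

def mail_hits(raw_message):
    """Return which indicators ('subject', 'attachment') one message matches."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip().lower() == WORM_SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == WORM_FILE:
            hits.append("attachment")
    return hits

def run_key_hits(reg_export):
    """Return names of Run-key values in a .reg text export that launch the worm file."""
    hits, in_run_key = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):                      # new key section
            in_run_key = line.strip("[]").lower() == RUN_KEY
        elif in_run_key:
            m = re.match(r'"([^"]+)"="(.*)"$', line)  # "name"="string data"
            # .reg exports double every backslash in string data; undo that.
            if m and m.group(2).lower().replace("\\\\", "\\").endswith("\\" + WORM_FILE):
                hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    print(mail_hits(SAMPLE_MAIL), run_key_hits(SAMPLE_REG))
```

Matching on the file name in the value data rather than on the value name alone also catches a Run entry that was renamed but still points at the same script.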



© 2006-2008 spyware32.com - Privacy Policy