I-Worm.Welyah. Viruses Information

Name: I-Worm.Welyah.
Category: Viruses
Description: Details
I-Worm.Welyah.a

This is a worm that spreads on Win32 systems. It sends e-mail messages with infected attachments, sends files from the local computer to steal information from infected systems, and performs destructive actions. The worm was discovered in the wild in December 2001.
The worm itself is a Windows PE EXE file about 108K in length, written in Visual Basic 6.
Infecting the system
When an infected file is run (when a user clicks on an attached file and activates it, or if the worm gets control through an IFRAME security breach), the worm's code takes control. First of all, it drops (installs) its components to the system and registers in the system registry.
While installing, the worm copies itself to the Windows system directory with the name WINL0G0N.EXE, and registers this file in the system registry auto-run key.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
WINL0G0N.EXE = WINL0G0N.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
WINL0G0N.EXE = WINL0G0N.EXE
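A check for the auto-run entries listed above, written as an added example (not part of the original description). It assumes the input is the text output of `reg query` for the two Run keys, and it goes beyond the single name on this page by also flagging other digit-for-letter look-alikes of system binaries; the binary list, the digit map and the sample input are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

WELYAH_RUN_NAME = "WINL0G0N.EXE"  # indicator from the description above
# Assumption: a small illustrative allow-list of genuine Windows binaries.
SYSTEM_BINARIES = {"WINLOGON.EXE", "SVCHOST.EXE", "EXPLORER.EXE", "LSASS.EXE"}
LOOKALIKE = str.maketrans({"0": "O", "1": "L", "5": "S"})  # digit -> letter it imitates
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) from the text output of `reg query`."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield key, m["name"], m["data"]

def executable_name(data):
    """Upper-cased file name of the program a Run value starts."""
    m = re.match(r'\s*"([^"]+)"|\s*(.+?\.exe)\b', data, re.I)
    command = (m.group(1) or m.group(2)) if m else data
    return PureWindowsPath(command.strip()).name.upper()

def scan(text):
    """Return (key, value_name, reason) for each suspicious Run entry."""
    findings = []
    for key, name, data in parse_reg_query(text):
        exe = executable_name(data)
        real = exe.translate(LOOKALIKE)
        if WELYAH_RUN_NAME in (name.upper(), exe):
            findings.append((key, name, "matches I-Worm.Welyah auto-run entry"))
        elif exe != real and real in SYSTEM_BINARIES:
            findings.append((key, name, "look-alike of " + real))
    return findings

# Constructed sample input, not captured from a real machine.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    WINL0G0N.EXE    REG_SZ    WINL0G0N.EXE
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    WINL0G0N.EXE    REG_SZ    WINL0G0N.EXE
    Updater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    Shell Helper    REG_SZ    C:\WINDOWS\5VCH0ST.EXE
"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```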
Spreading
To send infected messages, the worm uses a direct connection to an SMTP server. The worm obtains the SMTP server address from the system registry or uses the following predefined address:
210.177.111.18
Victim e-mail addresses are obtained from files on the local disks. The file list is as follows:
"*.eml","*.wab","*.dbx","*.mbx","*.xls","*.xlt","*.mdb"
Next, the worm sends infected messages. The message body is in HTML format, and exploits an IFRAME breach to spawn an infected attachment on vulnerable machines.
The message fields are:

Subject: Welcome to Yahoo! Mail
Body: Welcome to Yahoo! Mail
Attachment: readme.txt

The worm stores the list of its victims' e-mail addresses in the file emailinfo.txt. While spreading, it stores its dropper in the file email.txt.
Sending files from a local computer
The worm looks for files in the subdirectories of the local disks. The file list is:
"tree.dat","smdata.dat","hosts.dat","sm.dat"
It sends them to the FTP server "ftphd.pchome.com.tw" for the users from this list:
shit0918, shit530, shiu58, shoho2, shoo2206
Destructive actions
The worm deletes all files in the current directory. It can delete files in the Windows root directory after rebooting.





 


© 2006-2008 spyware32.com - Privacy Policy