Results 1 to 4 of 4

Thread: New Worm in the Wild "Winevar"

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050

    New Worm in the Wild "Winevar"

    Looks like another heads up for all you windows peole out there a new mass mailing worm called winevar story from here

    http://www.smh.com.au/articles/2002/...173745188.html

    New email worm detected

    November 26 2002

    Anti-virus software maker F-Secure has reported the presence of a new email worm called Winevar.

    The company has ranked it as a level 2 alert - a new worm causing large infections which might be local to a specific region.

    The worm was found in the wild in South Korea towards the end of November. It was apparently released during the AVAR 2002 Conference (Anti-Virus Researcher's Asia) in Seoul.

    The worm's file is a Windows PE executable about 91k long written in Microsoft Visual C++. Winevar resembles the Bridex worm that appeared earlier.

    The worm arrives in an email that contains three attachments. The names are variable but they will have the format:
    WIN[some characters].TXT (12.6 KB) MUSIC_1.HTM
    WIN[some characters].GIF (120 bytes) MUSIC_2.CEO
    WIN[some characters].PIF

    The file with the .HTM extension exploits an old vulnerability, the Microsoft VM ActiveX Component Vulnerability to register the .CEO extension as an executable file.

    The e-mail message is formed to take advantage of the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability.

    On system restart the worm displays the message "Make a fool of oneself: What a foolish thing you've done!". If the "OK" button is pressed the worm deletes all deletable files in all folders.

    The worm continuously tries to download the front page of the Symantec Web site to a temporary file, then deletes this file. This may lead to a denial of service attack in case the worm becomes widespread.

    The worm also changes Windows registration information on an infected computer:
    Registered Organization: Trand Microsoft Inc.
    Registered Owner: AntiVirus
    this is from the F-secure website
    http://www.f-secure.com/v-descs/winevar.shtml

    NAME: Winevar
    ALIAS: HLLM.Seoul, Korvar, I-Worm.Winevar, Braid.C

    THIS VIRUS IS RANKED AS LEVEL 2 ALERT
    UNDER F-SECURE RADAR
    For more information, see
    http://www.F-Secure.com/products/radar/

    The Winevar e-mail worm was found in-the-wild in Korea in the end of November 2002. Apparently it was released on purpose during the AVAR 2002 Conference (Anti-Virus Researcher's Asia) in Seoul, South Korea.

    The worm's file is a Windows PE executable about 91Kb long. The worm was written in Microsoft Visual C++. It should be noted, that Winevar resembles Bridex worm that appeared earlier. The Winevar worm has many bugs that can cause damage to infected systems and limit the worm's spreading.

    When the worm's file is run, it copies itself as WINxxxx.PIF file (xxxx - random characters) to Windows System directory. It creates startup keys for this file in the System Registry:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

    After that the worm creates a dropper for Funlove.4099 virus as WINxxxx.PIF file (xxxx - random characters) to Windows System directory. The original text is replaced with the following line:

    ~AAVAR 2002 in Seoul~

    The original Funlove's dropper name (FLCSS.EXE) is replaced with AAVAR.PIF filename. The description of Funlove virus is here:

    http://www.europe.f-secure.com/v-descs/funlove.shtml

    Being active the Winevar worm continuosly looks for and terminates processes and services that contain the following text:

    view
    debu
    scan
    mon
    vir
    iom
    ice
    anti
    fir
    prot
    secu
    dbg
    avk
    pcc
    spy

    However, the worm doesn't kill the above mentioned processes and services if the following text is present in them:

    microsoft
    ms
    _np
    r n
    cicer
    irmon
    smtpsvc
    moniker
    office
    program
    explorewclass

    The worm scans hard drives for files and folders with the following text in their names:

    antivirus
    cillin
    nlab
    vacc

    If such folder or file is found, the worm attempts to delete all files in that folder. Due to a bug in this routine, the worm deletes all files on an infected hard drive.

    To get e-mail addresses the worm looks for *.HTM and *.DBX files and extracts emails addresses from them. The worm ignores e-mail addresses with the following text: '@microsoft' to prevent its spreading to Microsoft. To send infected messages the worm uses a direct connection to a default SMTP server.

    The worm stores e-mail addresses to where it already sent itself in the following Registry key:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\DataFactory]

    An infected e-mail message looks like that:

    Subject: Re: AVAR(Association of Anti-Virus Asia Reseachers)

    AVAR(Association of Anti-Virus Asia Reseachers) - Report.
    Invariably, Anti-Virus Program is very foolish.

    Attached file names:

    WINxxx.TXT (12.6 KB) MUSIC_1.HTM
    WINxxx.GIF (120 bytes) MUSIC_2.CEO
    WINxxx.PIF

    The 'xxx' represents random characters. In some cases the subject and message body can be different. The .CEO and .PIF files are the same and represent the worm's executable file.

    The .HTM file contains the VM ActiveX Component exploit. It contains a script that will add .CEO extension to the Registry and associate it with executable files. So a user will be able to run files with CEO extensions as executables. This is a security hole and we recommend to add this extension to the list of scanned extensions of F-Secure Anti-Virus if it's not present there yet.

    To run from an infected message the worm uses the Iframe exploit, that is widely used in present day e-mail worms. The IFrame vulnerability is fixed and the patch for it is available on Microsoft's website:

    http://www.microsoft.com/windows/ie/...ie/default.asp

    Also the worm uses Microsoft VM ActiveX Component vulnerability:

    http://www.microsoft.com/technet/sec...n/MS00-075.asp

    In case the worm fails to spread and or in case of file deletion payload activation, it displays a messagebox:

    Make a fool of oneself
    What a foolish thing you have done!

    The worm continuosly tries to download the front page of www.symantec.com website to a temporary file, then deletes this file. This might create a DoS (Denial Of Service) attack in case the worm becomes widespread.

    Winevar attempts to copy itself as EXPLORER.PIF to a desktop folder. The worm also contains code, that looks like an incomplete network spreading routine.

    The worm changes Windows registration information on an infected computer:

    Registered Organization: Trand Microsoft Inc.
    Registered Owner: AntiVirus

    Winevar creates a mutex for itself with the following name:

    ~~ Drone Of StarCraft~~

    F-Secure Anti-Virus detects Winevar worm with the updates published on November 25th, 2002:

    [FSAV_Database_Version]

    Version=2002-11-25_02

    [Analysis: F-Secure Corporation and Kaspersky Labs; November 24-25th, 2002]
    So heads up get updating dont open email attatcments from people you dont know
    By the sacred **** of the sacred psychedelic tibetan yeti ....We\'ll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  2. #2
    Junior Member
    Join Date
    Nov 2002
    Posts
    6
    I was just about to post this but you got to it first it's a good alert.This is what got me which most unsuspecting user's first reaction will be

    On system restart the worm displays the message "Make a fool of oneself: What a foolish thing you've done!". If the "OK" button is pressed the worm deletes all deletable files in all folders.
    as soon as you click ok bang! you're files are gone pretty nasty if you ask me

    D.0.C

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    it wont let me edit the original file but here is more info on the worm

    http://www.ananova.com/news/story/sm...ews.technology


    Ananova:
    Experts warn Winevar worm is spreading

    Internet security experts have issued a warning about a destructive new virus.

    Trend Micro say the Winevar worm runs on all Windows platforms and possesses the potential to delete files.

    It propagates using its own Simple Mail Transfer Protocol engine and sends emails to addresses it gathers from infected systems.

    It employs a known exploit that automatically executes its attachment without a careless click on the part of the recipient.

    The worm is also capable of preventing installed antivirus protections from working.

    The email arrives with 'N`4' in the subject line and two attachments - one a GIF, the other a TXT file - with random number values.

    Trend Micro's president of European Operations Raimund Genes said its appearance of the new worm marks the end of a relatively quiet period of virus activity.
    He said email users should contact their antivirus vendors for updated protection.
    http://news.zdnet.co.uk/story/0,,t269-s2126648,00.html

    looks like this is going to be quite a little nast piece of software

    DOC that is pretty messed up that the coder of this worm wrote that in to it a waste if you ask me
    By the sacred **** of the sacred psychedelic tibetan yeti ....We\'ll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  4. #4
    Senior Member
    Join Date
    Aug 2002
    Posts
    239
    Wow. Virii today sound more like beast than an intangible spurt of data...

    (sigh) "Man has dominated man to his injury"
    It\'s 106 miles to Chicago, we\'ve got a full tank of gas, half a pack of cigarettes, it\'s dark and we\'re wearing sunglasses.

    Hit it!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •