Virus

W32/Syney@mm

Analysis

  • The virus is a 32-bit executable with a file size of 536,578 bytes and was written in Visual Basic 6
  • The virus requires MSVBVM60.DLL (the Visual Basic 6 runtime) on the potential target in order to be a threat
  • The virus is buggy and may not infect the host at all
  • If the virus is run, it may display a lengthy message box announcing itself as "W32.Sydney"
  • Next, the virus may open a command shell and run a batch script; the script contains instructions to set the system date to 10:00 am and possibly delete files associated with Norton Antivirus
  • The virus may attempt to copy itself to the local system as any or all of the following file names -

  • The virus may compose an email and attach one of the written files to the message and send it out to all contacts found in the Windows address book

    Subject: Fw:
    Body:
    Do you want to suprise your wife or husband? Do you want to do something Romantic for them? Wanna find out how to get lucky ;) Sydney has made this Awesome Document Attached. It tells men everything a Lady wants! And Ladies you can add stuff onto it before forwarding it to all your freinds!
    Attachment: (infectious binary)

  • The virus may attempt to delete files from the folder "C:\WINDOWS\SYSBCKUP" -

    *.dll
    *.dat
    *.exe

  • The virus may write a file "C:\Windows\Desktop\Read Me.txt" with the following content -

    Dear User,
    You have been infected with the w32.Sydney Love worm. I would like to send a personal Note to someone speacial of mine. Your Great! :P In all ways, Great Hair, Awesome Body, Blue eyes :D Lol. Now to the Owner of this machine. You where dumb enough to open this file or email that contains a worm. Thanks to you you have helped spread the w32.sydneylove worm more! Anyway, Get Norton AntiVirus 2003 scan your machine and in a week or two Norton AntiVirus will detect me. Don't Open Wierd Attachments! Lol :D Oh and if you want to know what the best Virus scanner on the net is! Then the Answer is Norton AntiVirus. Mcafee detects way less viruses then Norton does, Panda dosent detect me and problably never will! lol and Norton is the only one who detects me in a day or two! Also, Keep Working Out Squeaky, You could work out on me! Lol :D
    You have problably Noticed you Windows Start-Up and Shutdown screens where modifyed
    This is because you Machine is Infected with the w32.Sydney Worm.
    Download a Virus Removal tool from www.Norton.com
    I love You!

  • The virus may attempt to replace the existing file "C:\Windows\Logow.Sys" with graphic content; however, this was not found in testing

  • The virus may write itself to the Startup folder for Windows -

    C:\Windows\Start Menu\Programs\Startup\NortonAntiVirus.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Backup.exe
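
Host triage for the artefacts described above, as an added example that is not part of the original analysis: it checks a mounted disk image or live C: root for the two Startup-folder copies, compares their size with the reported sample size, and looks for the dropped "Read Me.txt". The function names, the `root` argument and the 64 KB read limit are assumptions of this example; the paths, size and marker text come from the write-up.

```python
import os
import sys
from pathlib import PureWindowsPath

# Indicators copied from the analysis above.
SAMPLE_SIZE = 536_578
STARTUP_DROPS = (
    r"C:\Windows\Start Menu\Programs\Startup\NortonAntiVirus.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Backup.exe",
)
README = r"C:\Windows\Desktop\Read Me.txt"
README_MARKER = b"w32.sydney"  # compared in lower case


def resolve(root, win_path):
    """Map a C: path onto the mounted image, matching names case-insensitively."""
    current = root
    for part in PureWindowsPath(win_path).parts[1:]:  # skip the drive anchor
        try:
            names = os.listdir(current)
        except OSError:
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current


def triage(root):
    """Return (indicator, windows_path, detail) tuples for artefacts under root."""
    findings = []
    for drop in STARTUP_DROPS:
        path = resolve(root, drop)
        if path and os.path.isfile(path):
            size = os.path.getsize(path)
            detail = "size matches sample" if size == SAMPLE_SIZE else f"size {size}"
            findings.append(("startup-drop", drop, detail))
    note = resolve(root, README)
    if note and os.path.isfile(note):
        with open(note, "rb") as fh:
            if README_MARKER in fh.read(65536).lower():
                findings.append(("dropped-note", README, "contains w32.Sydney text"))
    return findings


if __name__ == "__main__":
    for finding in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep=" | ")
```

A Startup entry whose size differs from the sample is still reported, since a legitimate program would not normally place these file names there; review the file before removing it.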