Virus

W32/Swen.A@mm

Analysis

  • The virus is 32-bit with a file size of 106,496 bytes
  • This virus contains code to send itself by email, IRC and Kazaa
  • If the virus is run, it writes a copy of itself under a random file name into the %Windows% folder, then modifies the registry so that it loads at Windows startup and also whenever certain file types are run - below is an example of the changes made by the virus -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "oxgqywwt" = aeymdaoa.exe autorun

    HKEY_CLASSES_ROOT\batfile\shell\open\command\
    "(Default)" = aeymdaoa.exe "%1" %*
    HKEY_CLASSES_ROOT\comfile\shell\open\command\
    "(Default)" = aeymdaoa.exe "%1" %*
    HKEY_CLASSES_ROOT\exefile\shell\open\command\
    "(Default)" = aeymdaoa.exe "%1" %*
    HKEY_CLASSES_ROOT\piffile\shell\open\command\
    "(Default)" = aeymdaoa.exe "%1" %*

    Original data values were ["%1" %*]

    HKEY_CLASSES_ROOT\regfile\shell\open\command\
    "(Default)" = aeymdaoa.exe showerror

    Original data value was [regedit.exe "%1"]

    HKEY_CLASSES_ROOT\scrfile\shell\config\command\
    "(Default)" = aeymdaoa.exe "%1"

    Original data value was ["%1"]

    HKEY_CLASSES_ROOT\scrfile\shell\open\command\
    "(Default)" = aeymdaoa.exe "%1" /S

    Original data value was ["%1" /S]

  • The virus may write itself to the folders

    "C:\Winnt\Profiles\All Users\Documents and Settings\
    Start menu\Programs\Startup"
    "C:\Winnt\Profiles\Default User\Documents and Settings\
    Start menu\Programs\Startup"

  • The virus may either write itself as an .EXE file or package itself into an archive file, using any of the following file names -

    10.000 Serials
    AOL hacker
    Bugbear
    cleaner
    Cooking with Cannabis
    Download Accelerator
    Emulator PS2
    fixtool
    GetRight FTP
    Gibe
    hack
    hacked
    Hallucinogenic Screensaver
    HardPorn
    Hotmail hacker
    installer
    Jenna Jameson
    key generator
    Klez
    Magic Mushrooms Growing
    My naked sister
    removal tool
    remover
    Sex
    Sick Joke
    Sircam
    Sobig
    upload
    Virus Generator
    warez
    Windows Media Player
    XboX Emulator
    XP update
    XXX Pictures
    XXX Video
    Yaha
    Yahoo hacker


  • The virus contains instructions which could include posting to newsgroups. It may track newsgroup posting data in a file named "nntpgroups.dat", and it writes newsgroup servers as text into another file named "swen0.dat" or "swen1.dat". Whether or not the virus actually does this depends on whether Outlook Express has a default newsgroup account defined

  • The virus will then harvest email addresses from the infected machine and write them in plain text into a file named "germs0.dbv" or "germs1.dbv" - the virus searches files with the following extensions -
    .asp
    .dbx
    .eml
    .ht*
    .mbx
    .wab

  • The virus will then construct an email based on variables in the following format with an infectious attachment -

    Subject: %Critical/Latest/New/Last/Newest/Current% %Upgrade/Pack/Update/Patch%
    Body:

    MS %Client/Consumer/Partner/User/Customer%
    this is the latest version of security update, the "%Month% %YYYY% Cumulative Patch" update which %eliminates/resolves/fixes% all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express. Install now to help %maintain the security of your computer/protect your computer/continue keeping your computer secure% from these vulnerabilities%, the most serious of which could allow an% %malicious user/attacker% to run executable code on your %computer/system%. This update includes the functionality of all previously released patches.

    System requirements: Windows 95/98/Me/2000/NT/XP

    This update applies to:
    - MS Internet Explorer, version 4.01 and later
    - MS Outlook, version 8.00 and later
    - MS Outlook Express, version 4.01 and later

    Recommendation: Customers should install the patch at the earliest opportunity.
    How to install: Run attached file. Choose Yes on displayed dialog box.
    How to use: You don't need to do anything after installing this item.


    Microsoft Product Support Services and Knowledge Base articles can be found on the Microsoft Technical
    Support web site.
    http://support.microsoft.com/

    For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site
    http://www.microsoft.com/security/

    Thank you for using Microsoft products.

    Please do not reply to this message.
    It was sent from an unmonitored e-mail address and we are unable to respond to any replies.

    ----------------------------------------------
    The names of the actual companies and products mentioned herein are the trademarks of their respective
    owners.
    Attachment: (infectious binary)

  • The virus will attempt to disable and terminate processes which match the following -

    _avp
    ackwin32
    anti-trojan
    aplica32
    apvxdwin
    autodown
    avconsol
    ave32
    avgcc32
    avgctrl
    avgw
    avkserv
    avnt
    avp
    avsched32
    avwin95
    avwupd32
    blackd
    blackice
    bootwarn
    ccapp
    ccshtdwn
    cfiadmin
    cfiaudit
    cfind
    cfinet
    claw95
    dv95
    ecengine
    efinet32
    esafe
    espwatch
    f-agnt95
    findviru
    f-prot
    fprot
    f-prot95
    fprot95
    fp-win
    frw
    f-stopw
    gibe
    iamapp
    iamserv
    ibmasn
    ibmavsp
    icload95
    icloadnt
    icmon
    icmoon
    icssuppnt
    icsupp
    iface
    iomon98
    jedi
    kpfw32
    lockdown2000
    lookout
    luall
    moolive
    mpftray
    msconfig
    nai_vs_stat
    navapw32
    navlu32
    navnt
    navsched
    navw
    nisum
    nmain
    normist
    nupdate
    nupgrade
    nvc95
    outpost
    padmin
    pavcl
    pavsched
    pavw
    pcciomon
    pccmain
    pccwin98
    pcfwallicon
    persfw
    pop3trap
    pview
    rav
    regedit
    rescue
    safeweb
    serv95
    sphinx
    sweep
    tca
    tds2
    vcleaner
    vcontrol
    vet32
    vet95
    vet98
    vettray
    vscan
    vsecomr
    vshwin32
    vsstat
    webtrap
    wfindv32
    zapro
    zonealarm

  • The virus will attempt to enable file sharing for the peer-to-peer file sharing application Kazaa via the registry. It creates a randomly named folder within the %Windows%\Temp folder, then sets the Shared folder for Kazaa to that newly created directory, as in the following example -

    HKEY_CURRENT_USER\Software\Kazaa\LocalContent\
    "Dir99" = 012345:C:\WINDOWS\TEMP\uvghltv
    "DisableSharing" = 00, 00, 00, 00

  • The virus will write infectious files into the %Windows%\Temp\%random% folder, where others may download them and become infected

  • The virus may write infectious files into the %Windows% folder and then may modify the SCRIPT.INI file such that mIRC will send the virus when connecting to IRC channels as in the following example -

    dcc send $nick "C:\WINDOWS\XboX Emulator.zip"

  • The virus will write values into created registry keys as in the following example -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\LYVU
    "CacheBox Outfit" = yes
    "Install Item" = oxgqywwt
    "Installed" = ... by Begbie
    "Kazaa Infect" = yes
    "Mirc Install Folder" = C:\mirc
    "Unfile" = laivxxr.htp
    "ZipName" = oliq
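
The shell command hijacks listed near the top of this analysis can be checked for by comparing each handler's "(Default)" value against the original data values given there. The following is an added example, not part of the original write-up or any Fortinet tool: it assumes the handlers were exported as regedit-style text with REG_SZ default values, and the function names and the sample export are constructed for illustration.

```python
import re

ROOT = "hkey_classes_root\\"
# Clean default values, taken from the "Original data value" lines above.
EXPECTED = {ROOT + k: v for k, v in {
    r"batfile\shell\open\command": '"%1" %*',
    r"comfile\shell\open\command": '"%1" %*',
    r"exefile\shell\open\command": '"%1" %*',
    r"piffile\shell\open\command": '"%1" %*',
    r"regfile\shell\open\command": 'regedit.exe "%1"',
    r"scrfile\shell\config\command": '"%1"',
    r"scrfile\shell\open\command": '"%1" /S',
}.items()}

def parse_export(text):
    """Parse regedit-style export text into {key_path: default_value}."""
    defaults, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # REG_SZ default value; undo the .reg escaping of \" and \\
            defaults[key] = re.sub(r'\\(.)', r'\1', line[3:-1])
    return defaults

def find_hijacks(text):
    """Return [(key, found_value, leading_program)] for altered handlers."""
    findings = []
    for key, value in parse_export(text).items():
        expected = EXPECTED.get(key.lower())
        if expected is None or value.strip().lower() == expected.lower():
            continue
        # A Swen-style hijack places its own .exe in front of the command.
        m = re.match(r'"?([^"\s]+\.exe)"?\s', value, re.I)
        findings.append((key, value, m.group(1) if m else None))
    return findings

# Constructed sample export: two hijacked handlers and one clean handler.
SAMPLE_EXPORT = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="aeymdaoa.exe \"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="aeymdaoa.exe showerror"
'''
if __name__ == "__main__":
    print(find_hijacks(SAMPLE_EXPORT))
```

Any handler reported here differs from the values stated in this analysis and should be reviewed before it is restored, since other software can also change these commands.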


Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.