W32/Morbex
Analysis
- Virus is 32-bit with a compressed size of 55,808 bytes
- Virus uses MAPI email and Kazaa in order to spread
- If the virus is run, it may write files to the local system, including extracting an embedded Trojan known as Backdoor.Sdbot – it may write the files in these locations –
c:\WINDOWS\msapi.exe (16,416 bytes) – Backdoor.Sdbot
c:\WINDOWS\svchost.exe (55,808 bytes) – W32/Morb-mm
c:\WINDOWS\SYSTEM\winsyst32.exe (16,416 bytes) – Backdoor.Sdbot
- If the virus locates the Windows\Services folder, it may copy itself to that location as “setup.exe” and also write an HTML file called “index.html” to that folder – if opened, the index page claims that Macromedia is required to view the page and invites the user to click a hyperlink pointing to “setup.exe” in order to install it
- Code in the virus suggests it may modify mIRC installations; however, this was not seen in testing
- Virus may modify the registry to load these files at Windows startup –
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"svchost" = C:\WINDOWS\svchost.exe
"WinSyst32" = winsyst32.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
"WinSyst32" = winsyst32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"svchost" = C:\WINDOWS\svchost.exe
"WinSyst32" = winsyst32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
"WinSyst32" = winsyst32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
"WinSyst32" = winsyst32.exe
- Virus may persistently attempt to connect to 127.0.0.1 on TCP 6667 in an effort to monitor received messages and reply to them with an infected file attachment – the virus may also check for unread messages in the Outlook inbox and reply to these messages with an infected file attachment
- Virus composes emails based on a hard-coded list of subject lines and body text, and the file attachment name is chosen from a list as well – some of the possible file attachment names are –
Q349247.exe
information.DOC.exe
Saddam_Game.exe
I_Love_U.exe
NakedPics.JPG.exe
FreeSex.exe
B-ville.exe
StockInformation.XLS.exe
SecretFile.exe
Attachement.exe
- Virus may also attempt to copy itself to the local system into the shared folder for Kazaa, a peer-to-peer file sharing application, under these names –
Unreal 2 - The Awakening.exe
Command & Conquer Generals.exe
Splinter Cell.exe
Warcraft III - The Frozen Throne.exe
Gods & Generals.exe
Unreal 2 Crack.exe
Command & Conquer Generals Crack.exe
Gods & Generals Crack.exe
The Sims 4.exe
The Sims 4 Crack.exe
Splinter Cell Crack.exe
Raven Shield - Crack.exe
Raven Shield Keygenerator - WORKS ONLINE.exe
Mortal Kombat - Deadly Alliance.exe
GTA 4 - BETA.exe
- Virus contains the string “b0rm_v0.1” in its code