W32/Morbex

description-logoAnalysis

  • Virus is 32bit with a compressed size of 55,808 bytes
  • Virus uses MAPI email and Kazaa in order to spread
  • If virus is run, it may write files to the local system, including extracting an embedded Trojan known as Backdoor.Sdbot – it may write the files in these locations –

    c:\WINDOWS\msapi.exe (16,416 bytes) – Backdoor.Sdbot
    c:\WINDOWS\svchost.exe (55,808 bytes) – W32/Morb-mm
    c:\WINDOWS\SYSTEM\winsyst32.exe (16,416 bytes) – Backdoor.Sdbot

  • If the virus locates the Windows\Services folder, it may copy itself to that location as “setup.exe” and also write an HTML file called “index.html” to that folder – the index page if opened will suggest that Macromedia is required to view the page and to click a hyperlink pointing to “setup.exe” in order to install it

  • Code in the virus suggests it may modify mIRC installations however this was not seen in testing

  • Virus may modify the registry to load these files at Windows startup –

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    "svchost" = C:\WINDOWS\svchost.exe
    "WinSyst32" = winsyst32.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
    "WinSyst32" = winsyst32.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "svchost" = C:\WINDOWS\svchost.exe
    "WinSyst32" = winsyst32.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    "WinSyst32" = winsyst32.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
    "WinSyst32" = winsyst32.exe

  • Virus may attempt to connect to 127.0.0.1 on TCP 6667 persistently – this is in an effort to monitor messages received and reply to them with an infected file attachment – the virus may also attempt to check for unread messages in the Outlook inbox and reply to these messages with an infected file attachment

  • Virus composes emails based on a hard-coded list of subject lines and body text, and the file attachment name is chosen from a list as well – some of the possible file attachment names are –

    Q349247.exe
    information.DOC.exe
    Saddam_Game.exe
    I_Love_U.exe
    NakedPics.JPG.exe
    FreeSex.exe
    B-ville.exe
    StockInformation.XLS.exe
    SecretFile.exe
    Attachement.exe

  • Virus may also attempt to copy itself to the local system into the shared folder for Kazaa, a peer-to-peer file sharing application –
    Unreal 2 - The Awakening.exe
    Command & Conquer Generals.exe
    Splinter Cell.exe
    Warcraft III - The Frozen Throne.exe
    Gods & Generals.exe
    Unreal 2 Crack.exe
    Command & Conquer Generals Crack.exe
    Gods & Generals Crack.exe
    The Sims 4.exe
    The Sims 4 Crack.exe
    Splinter Cell Crack.exe
    Raven Shield - Crack.exe
    Raven Shield Keygenerator - WORKS ONLINE.exe
    Mortal Kombat - Deadly Alliance.exe
    GTA 4 - BETA.exe

  • Virus contains the string “b0rm_v0.1” in its code

Telemetry logoTelemetry