I-Worm.Cult.b
Description I-Worm.Cult.b

Cult is a worm virus spreading via the Internet as an attachment to infected emails as well as through the Kazaa file sharing network. The worm itself is a Windows PE EXE file. Two worm variants have been found; both are about 16KB in length when not compressed and about 9KB when compressed by UPX.

Installing

While installing, the worm copies itself to the Windows system directory under the name wuauqmr.exe and registers this file in the system registry auto-run keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
NvCpTDaemon = wuauqmr.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCpTDaemon = wuauqmr.exe
The worm also creates the file awqewqed.dll in the Windows system directory, where it writes its MIME-encoded image.

Spreading: Email

Infected messages contain the following field contents:

Subject: Hi, I sent you an eCard from BlueMountain.com
Body:
To view your eCard, open the attachment
If you have any comments or questions, please visit http://www.bluemountain.com/customer/index.pd
Thanks for using BlueMountain.com.
Attachment: BlueMountaineCard.pif
The worm activates from infected emails only when a user clicks on the attached file. It then installs itself to the system and runs its spreading routines. Cult.b sends out infected messages only to randomly generated addresses at the following domains:

chello.nl chello.pl otenet.gr earthlink.net hotmail.com adelphia.net planet.nl wanadoo.nl wanadoo.fr sympatico.ca Gmx.net Gmx.de Btinternet.com Verizon.net BellAtlantic.net Email.com hotmail.com hotmail.com
Spreading: Kazaa

The worm creates a subdirectory named "jdfghtrg" in the Windows system directory and copies itself to this location under various names (see below). The jdfghtrg directory is then registered as a Kazaa file sharing resource. Names used for the worm's copies are:

"zoneallarm_pro_crack.exe" "AVP_Crack.exe" "SMS_sender.exe" "DivX 5.03 Codecs.exe" "Download accelarator.exe" "PaintShop Pro 7 Crack_By_Force.exe" "ZoneAlarm Pro KeyGen.exe" "porn.exe" "hotgirls.exe" "SM.exe" "Battlefield1942_bloodpatch.exe" "Unreal2_bloodpatch.exe" "UT2003_bloodpatch.exe" "AquaNox2 Crack.exe" "NBA2003_crack.exe" "FIFA2003 crack.exe" "C&C Generals_crack.exe" "UT2003_keygen.exe" "UT2003_no cd (crack).exe" "Age of Empires 2 crack.exe" "Anno 1503_crack.exe" "C&C Renegade_crack.exe" "Diablo 2 Crack.exe" "Gothic 2 licence.exe" "GTA 3 Crack.exe" "GTA 3 patch (no cd).exe" "Hitman_2_no_cd_crack.exe" "Mafia_crack.exe" "Neverwinter_Nights_licence.exe" "NHL 2003 crack.exe" "WarCraft_3_crack.exe" "Splinter_Cell_Crack.exe" "Battlefield1942_keygen.exe" "Winamp 3.8.exe" "MediaPlayer Update.exe" "UT2003_patch.exe" "ACDSee 5.5.exe" "DivX Video Bundle 6.5.exe" "Global DiVX Player 3.0.exe" "QuickTime_Pro_Crack.exe" "KaZaA Lite (New).exe" "iMesh 3.7b (beta).exe" "iMesh 3.6.exe" "KaZaA Hack 2.5.0.exe" "DirectDVD 5.0.exe" "Flash MX crack (trial).exe" "Ad-aware 6.5.exe" "WinZip 9.0b.exe" "SmartFTP 2.0.0.exe" "ICQ Lite (new).exe" "ICQ Pro 2003b (new beta).exe" "ICQ Pro 2003a.exe" "AOL Instant Messenger.exe" "Download Accelerator Plus 6.1.exe" "Trillian 0.85 (free).exe" "MSN Messenger 5.2.exe" "Network Cable e ADSL Speed 2.0.5.exe" "mIRC 6.40.exe" "GetRight 5.0a.exe" "Pop-Up Stopper 3.5.exe" "Yahoo Messenger 6.0.exe" "KaZaA Speedup 3.6.exe" "Nero Burning ROM crack.exe" "WindowBlinds 4.0.exe" "Animated Screen 7.0b.exe" "Living Waterfalls 1.3.exe" "Matrix Screensaver 1.5.src" "Popup Defender 6.5.exe" "Space Invaders 1978.exe" "SmartRipper v2.7.exe" "TweakAll 3.8.exe" "DVD Copy Plus 
v5.0.exe" "Serials 2003 v.8.0 Full.exe" "Zelda Classic 2.00.exe" "Need 4 Speed crack.exe" "Links 2003 Golf game (crack).exe" "Netfast 1.8.exe" "Guitar Chords Library 5.5.exe" "DVD Region-Free 2.3.exe" "Cool Edit Pro v2.55.exe" "Coffee Cup Free HTML 7.0b.exe" "Clone CD 5.0.0.3.exe" "Clone CD 5.0.0.3 (crack).exe" "Nimo CodecPack (new) 8.0.exe" "Business Card Designer Plus 7.9.exe" "Steinberg_WaveLab_5_crack.exe" "Hot Babes XXX Screen Saver.exe" "FreeRAM XP Pro 1.9.exe" "IrfanView 4.5.exe" "Audiograbber 2.05.exe" "WinOnCD 4 PE_crack.exe" "Final Fantasy VII XP Patch 1.5.exe" "BabeFest 2003 ScreenSaver 1.5.exe" "PalTalk 5.01b.exe" "DirectX Buster (all versions).exe" "DirectX InfoTool.exe" "Unreal2_crack.exe" "FlashGet 1.5.exe" "Babylon 3.50b reg_crack.exe" "mp3Trim PRO 2.5.exe" "play station emulator crack.exe" "play station emulator.exe" "warcraft 3 serials.pif" "warcraft 3 crack.exe 100 free essays sc"all "aol password cracker.exe" "aim password cracker aol cracker.exe" "aim cracker.exe steal usernames.exe" "how to hack.exe " "divx pro.exe" "how to use a shell.pif" "Virtua Girl (Full).exe" "worldbook.exe" "GTA 3 Serial.exe" "GTA 3 Crack.exe " "gta3.exe " "driver.exe " "virtua girl - adriana.pif virtua girl -"... "Crack McAfee 7.exe" "Crack Norton 3000.exe" "Borland KeyGens.exe" "MP3 encoder_decoderV1.8.exe" "HackNTTools.zip .exe" "SophosCrackAllVersion.exe" "BitDefender.KeyGen.exe" "Nod32Crack.exe" "PANDA.lusers.exe" "PANDA.AVers.lusers.exe"
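The installation and spreading artifacts described above, turned into defender-side checks. This is an added example, not code from the original description: check_host takes the Run/RunOnce values and a system-directory listing as plain Python values (a collector on a live host would supply them), and check_message is a mail-gateway rule run over a constructed sample message.

```python
import email
from email import policy
# Indicators quoted in the description above
AUTORUN_VALUE = "NvCpTDaemon"    # value name under the RunOnce / Run keys
AUTORUN_DATA = "wuauqmr.exe"     # its data, also the name of the dropped copy
DROPPED_FILES = {"wuauqmr.exe", "awqewqed.dll"}
SHARE_DIR = "jdfghtrg"           # subdirectory registered as a Kazaa share
MAIL_SUBJECT = "Hi, I sent you an eCard from BlueMountain.com"

def check_host(autorun_values, system_dir_entries):
    """autorun_values: {name: data} from the Run/RunOnce keys; system_dir_entries:
    names in the Windows system directory. Returns a list of findings."""
    findings = []
    for name, data in autorun_values.items():
        # match the value name or its data, with or without a full path
        if name == AUTORUN_VALUE or data.strip('"').lower().endswith(AUTORUN_DATA):
            findings.append(f"autorun value {name} = {data}")
    present = {entry.lower() for entry in system_dir_entries}
    for dropped in sorted(DROPPED_FILES & present):
        findings.append(f"dropped file {dropped} in system directory")
    if SHARE_DIR in present:
        findings.append(f"Kazaa share directory {SHARE_DIR} in system directory")
    return findings

def check_message(raw_message):
    """Mail-gateway rule: flag the Cult.b lure subject and any .pif attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    if str(msg["Subject"] or "").strip() == MAIL_SUBJECT:
        reasons.append("subject matches the Cult.b lure")
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.lower().endswith(".pif"):
            reasons.append(f"executable attachment {filename}")
    return reasons

# Constructed sample (not a real capture; the attachment body is the text "dummy")
SAMPLE_EML = b"""Subject: Hi, I sent you an eCard from BlueMountain.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

To view your eCard, open the attachment
--b1
Content-Type: application/octet-stream; name="BlueMountaineCard.pif"
Content-Disposition: attachment; filename="BlueMountaineCard.pif"

dummy
--b1--
"""
```

Blocking .pif attachments outright at the gateway catches this sample regardless of the subject line, which is the more durable of the two checks.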
Payload

The Cult.b worm conducts a DoS (Denial of Service) attack aimed at two servers:

chat.planet.nl
www.chat-planet.nl
Macro.Word.Breeder
Description Macro.Word.Breeder
The virus contains one macro, "AutoOpen", in documents and infects the global macros area when an infected document is opened. In NORMAL.DOT this macro is renamed to "FileSave", and the virus infects files as they are saved. The virus does not manifest itself in any way; it contains the comments:

BREEDER BY -=>NEMESIS<=- 5/4/97 "DO NOT PROVOKE THE INTROVERT"
Macro.Word.Buero
Description Macro.Word.Buero
This is an encrypted virus. It contains two macros:

NORMAL.DOT       Infected files
DateiSpeichern   AutoOpen
BuroNeu          BuroNeu

This virus infects the system on AutoOpen and writes itself to files on FileSave (DateiSpeichern). If the current date is after 15.8.96, the virus renames the system file IO.SYS to IIO.SYS (after which the DOS system cannot boot), then searches for C:\*.DOC files and deletes them.