Computer Protection Program Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory
ALERTS
Viruses

The W32.Brid.A Worm

The W32.Brid.A worm (also known as PE_Brid.A) is a mutation of the FunLove worm. It gains access to victim systems by exploiting an Internet Explorer flaw in which an incorrectly formed Multipurpose Internet Mail Extensions (MIME) header can cause a mail attachment to run on the system that received it. After infecting a system, the Brid.A worm tries to download several files, and then to mail itself to other potential victims. The subject of infected messages reads, "[Registered Windows company name]," and the attachment is "Readme.exe." Using its own mail server engine, the Brid.A worm subsequently tries to get the address of the email server for the infected system, and then to connect to it. Fortunately, the Brid.A worm is so similar to FunLove that your antivirus software's signature for FunLove will work in detecting and eradicating W32.Brid.A, provided, of course, that you keep your software's signatures up to date.

The W32.Sobig.B Worm

A Windows worm known as W32.Sobig.B (but also as the Palyh and the Mankx worm) arrives in the form of an attachment in messages that appear to be from Microsoft support (support@microsoft.com). Sobig.B creates and then sends messages to addresses it finds in address books of systems it infects. Subject lines vary, but "Screensaver," "Cool Movie," "Re: My application," "Approved (Ref: 38446-263)," and "Your password" are frequently used. The name of the attachment that contains this worm has a .pif file extension, but the actual name varies. "movie28.pif," "screen_temp.pif," "doc_details.pif," "ref-394755.pif," and "password.pif" are common attachment names. If the recipient of an infected message sent by Sobig.B opens the attachment, the recipient's system becomes infected. Once the system is infected, Sobig.B creates a Registry entry that causes this worm to be started whenever the infected system boots.

If your system becomes infected by Sobig.B, your system administrator should download and run a free Symantec Sobig.B removal tool. Fortunately, the author of this worm included an instruction that makes this worm inactive after June 7, 2003, so it is unlikely that any instances of this worm will infect systems after this date.
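As an added illustration (this code is not from the Berkeley Lab page or from any antivirus vendor), here is a mail-gateway style Python check for the two delivery tricks described in the Brid.A and Sobig.B entries: an executable attachment whose MIME header declares a media type the client may open on its own, and an executable .pif arriving from a forged support@microsoft.com sender. The sample messages, the extension list and the set of auto-open media types are constructed assumptions; the same test applies to the .scr, .bat and .pif attachments described further down this page.

```python
# Added example, not code from the Berkeley Lab CPP page or from any
# antivirus vendor. Sample messages below are constructed.
import email
import os
from email import policy

# Extensions Windows runs directly; the page names .exe (Brid.A) and .pif
# (Sobig.B). The rest of the set is an assumption about what a site filters.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".bat", ".com", ".vbs"}

# Media types a mail client may open without asking. An executable declared
# under one of these is the kind of malformed MIME header Brid.A relies on.
AUTO_OPEN_TYPES = {"audio/x-wav", "audio/x-midi", "image/gif", "image/jpeg"}


def scan_message(raw: bytes) -> list[str]:
    """Return findings for one raw message; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    executable_seen = False
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue                      # body text or container part
        ext = os.path.splitext(filename)[1].lower()
        if ext not in EXECUTABLE_EXTENSIONS:
            continue
        executable_seen = True
        findings.append(f"executable attachment {filename}")
        ctype = part.get_content_type()
        if ctype in AUTO_OPEN_TYPES:
            findings.append(f"{filename} declared as {ctype}")
    sender = str(msg.get("From", "")).lower()
    # Sobig.B forges support@microsoft.com; Microsoft does not mail patches.
    if executable_seen and "microsoft.com" in sender:
        findings.append(f"executable from claimed Microsoft sender {sender}")
    return findings


# Constructed sample shaped like the Sobig.B message described above.
SOBIG_SAMPLE = b"""From: support@microsoft.com
To: user@lab.example
Subject: Your password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

All information is in the attached file.
--b1
Content-Type: application/octet-stream; name="password.pif"
Content-Disposition: attachment; filename="password.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

# Constructed sample shaped like the Brid.A message: Readme.exe declared as audio.
BRID_SAMPLE = b"""From: Some Registered Company <someone@example.net>
To: user@lab.example
Subject: Some Registered Company
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: audio/x-wav; name="Readme.exe"
Content-Disposition: attachment; filename="Readme.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b2--
"""

# Constructed clean message with an ordinary text attachment.
CLEAN_SAMPLE = b"""From: colleague@lab.example
To: user@lab.example
Subject: notes
MIME-Version: 1.0
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

See attached.
"""

if __name__ == "__main__":
    for name, raw in (("sobig", SOBIG_SAMPLE), ("brid", BRID_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, scan_message(raw) or "clean")
```

The check deliberately keys on the declared Content-Type rather than on the attachment's bytes, because the Brid.A trick is precisely that the header and the file disagree; a gateway that only trusts the header would play the "audio" and run the program.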

The Wallon Worm

W32.Wallon.A@mm (also known as the I-Worm.Wallon, W32/Wallon.worm) affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP. It propagates by email; however, unlike many email-based worms, it does not infect by sending copies of itself in attachments. Instead, it sends an email message containing a link that looks like it will take you to a Yahoo page. Once a user clicks on that link, the worm uses the Yahoo redirection service to open another Web page and, through a series of steps, downloads a file that will overwrite the Windows Media Player on an infected computer. Any attempt to run Windows Media Player will instead execute a copy of the worm. The worm continues to propagate itself by sending emails to all addresses it finds in the Windows Address Book.

How Wallon Infects Your System

Wallon exploits an Internet Explorer vulnerability described in Microsoft Security Bulletin MS04-004 and an Outlook Express vulnerability, described in Microsoft Security Bulletin MS04-013.

  1. After sending the user to a phony page, the worm uses the Yahoo redirection service to open another Web page that downloads "terra.html."

  2. The "terra.html" page contains an encrypted link to another page, "count.html." This page uses Internet Explorer’s object data vulnerability to download and run the "sys.chm" file.

  3. The "sys.chm" file uses XMLHTTP/ADODB to download a binary file called "sys.exe."

  4. "sys.exe" overwrites the Windows Media Player file "wmplayer.exe."

  5. The downloaded "sys.exe" binary will be executed whenever a user opens Windows Media Player, either directly or via a Web page.

  6. "sys.exe" (a downloader) downloads a file called NOT.EXE and saves it as ALPHA.EXE in the root folder of the C: drive.

  7. ALPHA.EXE is then activated.

  8. ALPHA.EXE checks the value of "Wh=" in the following Registry key:

    HKCU\SOFTWARE\Microsoft\Internet Explorer\Main

If the value is "Yes," the worm waits 5 hours, then opens the pixpox.com Web site in the default Web browser and reopens it every 10 minutes, 10 times in all.

If that Registry key doesn't exist, the worm creates it. Then it reads the user's SMTP settings from the Registry, locates and opens a WAB (Windows Address Book) file, and sends email messages to all found addresses. Emails sent by the worm look like:

From: pop
Date: Wednesday, May 12, 2004 12:02 PM
To: janed@testnet.local
Subject: RE:

http://drs.yahoo.com/testnet.local/NEWS

The link in the message body contains the domain name of a recipient.
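The sample above has a property a mail filter can key on: the link uses a redirection host and its path begins with the recipient's own domain. The following Python rule, an added example rather than code from the page, reads a message, collects the recipient domains from To: and Cc:, and reports any body URL that matches that shape. The redirector host list holds only the host the page names; the two sample messages are constructed.

```python
# Added example, not code from the Berkeley Lab CPP page. The first message
# below is a constructed copy of the sample in the text.
import email
import re
from email import policy
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
REDIRECTOR_HOSTS = {"drs.yahoo.com"}      # only the host the page names


def recipient_domains(msg) -> set[str]:
    """Domains of every address in To: and Cc:, lower-cased."""
    domains = set()
    for hdr in ("To", "Cc"):
        for dom in re.findall(r"[\w.+-]+@([\w.-]+)", str(msg.get(hdr, ""))):
            domains.add(dom.lower())
    return domains


def wallon_links(raw: bytes) -> list[str]:
    """Body URLs that go through a redirector and start with the recipient's own domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domains = recipient_domains(msg)
    hits = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        for url in URL_RE.findall(part.get_content()):
            u = urlparse(url)
            first_segment = u.path.lstrip("/").split("/")[0].lower()
            if u.hostname in REDIRECTOR_HOSTS and first_segment in domains:
                hits.append(url)
    return hits


WALLON_SAMPLE = b"""From: pop
To: janed@testnet.local
Subject: RE:

http://drs.yahoo.com/testnet.local/NEWS
"""

# A redirector link that does not embed the recipient's domain is not
# flagged by this rule on its own.
BENIGN_SAMPLE = b"""From: newsletter@example.org
To: janed@testnet.local
Subject: weekly digest

http://drs.yahoo.com/example.org/digest and https://www.lbl.gov/
"""

if __name__ == "__main__":
    print("wallon:", wallon_links(WALLON_SAMPLE))
    print("benign:", wallon_links(BENIGN_SAMPLE))
```

Because the worm builds the link from each recipient's address, the rule matches every copy it sends regardless of the final landing page, which is what makes the recipient-domain comparison more durable than a blocklist of the pages behind the redirect.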

How to Recover If Your System Becomes Infected

For Virus Handling and Prevention information, go here.

Symantec recommends the following steps to recover if your system becomes infected:

  1. Disable System Restore (Windows Me/XP).

  2. Update the virus definitions.

  3. Restart the computer in Safe mode or VGA mode.

  4. Run a full system scan and delete all the files detected as W32.Wallon.A@mm.

  5. Delete the value that was added to the registry.

  6. Reset the Internet Explorer home page.

  7. Reset the Internet Explorer Search page.

For more information on these steps, see Symantec’s page on W32.Wallon.A@mm.

Preventing Wallon Infections

Update your system's anti-virus software daily. Go here for procedures on updating anti-virus software. Refrain from opening links on unfamiliar email or emails you are not expecting.

Web Bugs

This nearly undetectable cousin of the cookie is an electronic tag that helps Web sites and advertisers track visitors' whereabouts in cyberspace without their knowing it.

Most computers have cookies, which are placed on a person's hard drive when a banner ad is displayed or a person signs up for an online service. Savvy Web surfers know they are being tracked when they see a banner ad. But people can't see Web bugs, and anticookie filters won't catch them. So the Web bugs wind up tracking surfers in areas online where banner ads are not present or on sites where people may not expect to be trailed.

Ad networks and agencies say cookies and other tracking devices are used to help both consumers and Web sites. Under fire from privacy advocates, ad executives have consistently said the information collected is kept private and is the sole property of the company that is being advertised.

Web bugs can also be used in e-mail. For example, companies can send a bulk HTML e-mail newsletter that has Web bugs, which will determine how many people read the letter, how often they read it, and whether they forward it to anyone. The email could include your email address in the URL or a coded ID or encrypted email address to track when you opened it.

For further information on Web bugs, see http://news.cnet.com/news/0-1007-200-2247960.html.
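To make the mechanism concrete, here is an added Python example (not code from the page or the CNET article) that inspects an HTML message for likely Web bugs: remote images the reader cannot see, either sized 1x1 or 0x0 or hidden by a style attribute, whose URL carries an identifier or an e-mail address in the query string. The sample newsletter and the list of identifier parameter names are constructed assumptions.

```python
# Added example, not code from the Berkeley Lab CPP page or the CNET article.
# Finds likely Web bugs in an HTML message: remote images the reader cannot
# see (1x1 or 0x0 pixels, or hidden by style) and notes any identifier in the
# URL. The sample HTML and the parameter-name list are constructed assumptions.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query parameter names commonly used to identify the reader (an assumption).
TRACKING_PARAMS = {"id", "uid", "email", "e", "cid", "rid", "mid"}


class WebBugFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.bugs = []          # (src, reason) pairs

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        u = urlparse(src)
        if u.scheme not in ("http", "https"):
            return              # inline (cid:) or data: images do not phone home
        reasons = []
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("invisible size")
        if "display:none" in a.get("style", "").replace(" ", "").lower():
            reasons.append("hidden by style")
        if not reasons:
            return              # a normal, visible remote image
        ids = sorted({k.lower() for k in parse_qs(u.query)} & TRACKING_PARAMS)
        if ids:
            reasons.append("identifier in query: " + ", ".join(ids))
        elif "@" in u.query:
            reasons.append("address in query")
        self.bugs.append((src, "; ".join(reasons)))


def find_web_bugs(html: str) -> list[tuple[str, str]]:
    finder = WebBugFinder()
    finder.feed(html)
    finder.close()
    return finder.bugs


# Constructed newsletter: a visible logo, a 1x1 tracking pixel carrying the
# reader's address, an inline image, and a hidden remote image.
SAMPLE_NEWSLETTER = """<html><body>
<p>Monthly newsletter</p>
<img src="https://www.example.org/logo.png" width="200" height="60">
<img src="http://ads.example.net/px.gif?email=janed@testnet.local&amp;cid=42" width="1" height="1">
<img src="cid:inline-chart">
<img src="https://www.example.org/banner.png" style="display: none" alt="">
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_web_bugs(SAMPLE_NEWSLETTER):
        print(reason, "->", src)
```

The hidden banner is reported even without a query identifier, because a remote fetch of a per-recipient URL path leaks the open event just as well; the query-string check only adds the reason the filter can show to the user. Mail clients that do not load remote images by default defeat both forms.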

The Winevar Worm

A new, destructive email worm is also spreading around the Internet. This worm, named "Winevar," "W32/Winevar.A," the “Korean Worm,” "W32/Winevar@mm," "W32/Korvar," and "I-Worm.Winevar," can potentially erase a victim system’s hard drive, and can also display a taunting message in the process. Found in South Korea, Winevar is an apparent variant of the Bridex (or “Braid”) worm that recently exploited flaws in Microsoft’s Internet Explorer, Outlook, and Outlook Express. Winevar typically arrives in messages with the subject line: “Re: AVAR (Anti-Virus Asia Researchers).” When Winevar starts, it tries to terminate processes used by antivirus software. Winevar reproduces by reading addresses in email on the victim’s system, and then by generating a random number that it uses as the name of the attachment, hindering antivirus software’s ability to detect it. When the victim system reboots, a dialog box with the heading “Make a fool of oneself” is displayed. A message in this box reads, “What a foolish thing you have done!” If the user clicks on OK, every file on the victim system is soon erased. If a system is infected by Winevar, it is important to first delete every file Winevar has created before rebooting. Antivirus software updates for Winevar are available. Be sure to also download the latest cumulative patch for your Windows system and Microsoft's latest cumulative patch for Internet Explorer.

Welchia, a Blaster Variant

The recent appearance of the W32.Welchia worm has wreaked havoc on internal networks of large corporations, making it even more difficult for IT administrators to clean up after the Blaster worm.

This Blaster variant targets Windows systems already infected by Blaster. Systems vulnerable to Welchia are the Microsoft IIS Web Server, Windows 2000, and Windows XP. Welchia, also known as Blaster.D and Nachi, lives up to the Blaster name causing system instability on multiple fronts—deleting files, creating more network traffic, and compromising security settings.

Once on a system, Welchia deletes msblast.exe (the Blaster worm), then tries to download the RPC patch from Microsoft's Windows Update Web site, install the patch, and then reboot the computer. Although it purports to be a “good” worm, it can crash systems and can misinstall the patch so that it doesn’t really work. In addition, once on a system, Welchia creates more network traffic by pinging [fn1] to check for active machines to infect, and it exploits a Windows vulnerability that hackers can also use to remotely add and manage content on a Web server.

Welchia propagates through TCP port 135 on Windows XP and Windows 2000 machines that have not patched the vulnerability in the Windows Remote Procedure Call (RPC) Service. Additionally, the worm propagates through TCP port 80 on Microsoft IIS 5.0 systems that have not patched the vulnerability in the Windows WebDav (ntdll.dll) Buffer Overflow.
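The propagation pattern just described (an ICMP echo sweep of many addresses, then connections to TCP 135 or TCP 80 on the hosts that answered) is visible in ordinary firewall or flow logs. The following Python example is added here and is not code from the page; it reads records in a constructed "time src dst proto dport" format (not any real firewall's export) and reports sources that pinged more than a threshold of distinct addresses together with how many of those addresses they then contacted on the worm's ports. The sample log is constructed.

```python
# Added example, not code from the Berkeley Lab CPP page. Flags hosts whose
# traffic matches the Welchia pattern described above: an ICMP echo sweep of
# many addresses followed by connections to TCP 135 (RPC) or TCP 80 (IIS
# WebDAV) on the hosts that answered. The record format "time src dst proto
# dport" and the sample records are constructed, not any real firewall's.
from collections import defaultdict

SWEEP_THRESHOLD = 20          # distinct ICMP targets before a source counts as a sweep
WORM_PORTS = {135, 80}        # ports the page says Welchia propagates through


def parse_record(line: str):
    """'HH:MM:SS src dst proto dport' -> (src, dst, proto, dport)."""
    _time, src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)


def find_welchia_sources(lines, sweep_threshold=SWEEP_THRESHOLD):
    """Map each sweeping source to its ICMP target count and per-port follow-ups."""
    icmp_targets = defaultdict(set)                       # src -> {dst}
    tcp_targets = defaultdict(lambda: defaultdict(set))   # src -> port -> {dst}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport = parse_record(line)
        if proto == "icmp":
            icmp_targets[src].add(dst)
        elif proto == "tcp" and dport in WORM_PORTS:
            tcp_targets[src][dport].add(dst)
    suspects = {}
    for src, swept in icmp_targets.items():
        if len(swept) < sweep_threshold:
            continue
        # Count only TCP targets that were also pinged: sweep-then-connect.
        followups = {port: len(dsts & swept)
                     for port, dsts in tcp_targets.get(src, {}).items()}
        suspects[src] = {"icmp_targets": len(swept), "followups": followups}
    return suspects


def build_sample_log() -> list[str]:
    """Constructed records: one worm-like host and one ordinary workstation."""
    lines = ["# time src dst proto dport   (ICMP records carry the type; 8 = echo request)"]
    for i in range(1, 41):                      # 10.1.2.3 pings 10.1.3.1-40
        lines.append(f"12:00:{i:02d} 10.1.2.3 10.1.3.{i} icmp 8")
    for i in (2, 5, 9, 17, 33):                 # then RPC on five that answered
        lines.append(f"12:01:{i:02d} 10.1.2.3 10.1.3.{i} tcp 135")
    lines.append("12:02:00 10.1.2.7 192.0.2.10 tcp 80")     # normal web browsing
    lines.append("12:02:01 10.1.2.7 10.1.1.1 icmp 8")       # one manual ping
    return lines


if __name__ == "__main__":
    for src, info in find_welchia_sources(build_sample_log()).items():
        print(src, info)
```

Requiring the TCP follow-up to land on addresses that were already pinged separates the worm from a monitoring host that pings everything but never connects, and from a workstation that browses port 80 without sweeping first; the threshold is the knob a site tunes against its own baseline.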

Protecting Your System Against Welchia

Users and administrators are strongly urged to ensure that patches have been applied to fix vulnerabilities in the Windows Remote Procedure Call (RPC) Service and Windows WebDav Buffer Overflow.

THE TOOLS: Removal Tools

Welchia Removal Tool
Blaster Removal Tool

THE TOOLS: Patches

Windows WebDav Buffer Overflow (Windows 2000) — targets Welchia
Windows NT — targets Blaster
Windows 2000 — targets Blaster
Windows XP — targets Blaster

THE STEPS: Recovering from Welchia

Follow the steps in Recovering from MS Blaster and its Variant, Welchia. Note: If you have already run the Blaster removal tool, you will need to run it again.

[fn1] Ping: a command that uses the Internet Control Message Protocol (a TCP/IP extension) to determine whether a remote computer is active and where it can be contacted.

Worm_YAHA

Yaha is a mass-mailing worm that uses e-mail addresses stored in the Windows Address Book, and also collects addresses from .ht* files, to distribute infected messages. The Yaha worm is also known as W32.Yaha.A@mm, W32.Yaha-a, and I-Worm.Lentin.a.

Yaha arrives as an e-mail attachment, and the message subject may be "Melt the Heart of your Valentine with this beautiful Screen saver," "Fw: Melt the Heart of your Valentine with this beautiful Screen saver," or something else entirely. The attachment can be an .scr, .bat, or .pif file named "valentin." The From field is a randomly selected email address and may not be the legitimate sender, because email forgery is a key aspect of this worm/virus.

The SMTP server used to send the emails is chosen either from the Registry or from a list inside the worm body. For more information, see YaHa at Symantec Security Response and Fire Antivirus Kit on the Yaha Worm.

The Xombe Trojan Horse

A Trojan horse program named “Xombe” or “Downloader” is attached to e-mail that falsely claims to come from Microsoft (windowsupdate@microsoft.com), purportedly to deliver security updates for Windows systems. The subject is "Windows XP Service Pack 1 (Express)-Critical Update." The message starts with the following text:

Window Update has determined that you are running a beta version of Windows XP Service Pack 1 (SP1). To help improve the stability of your computer, Microsoft recommends that you remove the beta version of Windows XP SP1 and re-install Windows XP SP1. If you cannot remove the beta version, you should still reinstall Windows XP SP1.

If the attachment, which is named "winxp_sp1.exe," is downloaded to a system, Xombe goes to a Web site and downloads another program, which in turn downloads and installs still another program that goes to a Russian Web site and downloads many pages, in all likelihood to cause denial of service. It also adds the value "msvcc" = "%system%\msvchost.exe" to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

causing this program to run each time Windows starts. Recovery can be complicated because of all the changes that Xombe can make. Go here for recovery instructions.

ZaCker

The Maldal.D worm, otherwise known as ZaCker, is another type of dangerous worm that attacks Windows systems. It destroys files as well as antivirus software on infected computers. This slowly spreading worm will invade a system as an e-mail attachment, and after it has infected the system will continue to propagate by sending copies of itself to all addresses in the infected PC's Microsoft Outlook address book. If the attachment is opened, Maldal.D attempts to delete files associated with popular antivirus applications, including programs from Symantec, McAfee, and Zone Labs. The worm also deletes files with common extensions such as .exe, .doc, .ini, .txt, .dat and .jpg.

The first time this worm is run, it lists the subject of the messages it sends as the name of the infected computer plus the .exe extension (e.g., if the computer name is computer1, the attachment name will be computer1.exe). The content of the message will be one of a number of short text messages, such as "Test this game." Additionally, when this worm is run for the first time, it installs itself as \Windows\System\Win.exe. It then adds the value %System%\win.exe to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (a critical Registry key). This Registry modification is an attempt to ensure that the worm will execute the next time that the system starts. This worm is so destructive, however, that once Maldal.D infects a system, the system usually no longer boots. If Maldal.D is run a second time, it lists the subject of the messages it sends as "ZaCker."

If your system becomes infected by Maldal.D, the best thing to do is have a technical support person rebuild your system. This person can also restore data files from a preinfected backup disk. If this alternative is not feasible for you, a riskier alternative is to try deleting every file with the name of W32.Maldal.D@mm and removing %System%\win.exe from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run in the Registry. Next, run Norton AV's LiveUpdate to ensure that your system's virus definitions are up to date. However, if Norton AV does not start, you may have to first reinstall Norton AV, then start Norton AV and scan ALL files on the infected system, deleting all files that are named W32.Maldal.D@mm.
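Three entries on this page (Wallon's "Wh" value under Internet Explorer\Main, Xombe's "msvcc" = msvchost.exe autorun, and Maldal.D's win.exe autorun) come down to checking a few Registry values, which an administrator can do from a "reg export" of the relevant keys before deciding whether a rebuild is needed. The Python example below is added here and is not code from the page or from Symantec: it parses the textual .reg format and reports any value matching those indicators. "reg export" writes UTF-16 text, so a real file is opened with encoding="utf-16"; the export shown is a constructed sample, and the value name "win" for the Maldal.D entry is an assumption, since the page gives only the data.

```python
# Added example, not code from the Berkeley Lab CPP page or from Symantec.
# Parses a .reg export and reports the persistence values this page describes.
# "reg export" writes UTF-16 text, so a real file is opened with
# encoding="utf-16"; the export below is a constructed sample.
import re

# (key suffix, value name or None for any, regex on the data, label)
# Xombe: "msvcc" = "%system%\msvchost.exe" under ...\Run
# Maldal.D/ZaCker: %System%\win.exe under ...\Run (value name not given on the page)
# Wallon: "Wh" = "Yes" under HKCU\...\Internet Explorer\Main
INDICATORS = [
    (r"\Microsoft\Windows\CurrentVersion\Run", "msvcc", r"\\msvchost\.exe$", "Xombe"),
    (r"\Microsoft\Windows\CurrentVersion\Run", None, r"\\win\.exe$", "Maldal.D/ZaCker"),
    (r"\Microsoft\Internet Explorer\Main", "Wh", r"^yes$", "Wallon"),
]


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Textual .reg format -> {key path: {value name: string data}} (REG_SZ only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg doubles backslashes inside string data
                keys[current][name] = data[1:-1].replace("\\\\", "\\")
    return keys


def find_indicators(text: str) -> list[tuple[str, str, str, str]]:
    """(label, key, value name, data) for every value matching an indicator."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for suffix, want_name, pattern, label in INDICATORS:
            if not key.lower().endswith(suffix.lower()):
                continue
            for name, data in values.items():
                if want_name is not None and name.lower() != want_name.lower():
                    continue
                if re.search(pattern, data, re.IGNORECASE):
                    hits.append((label, key, name, data))
    return hits


# Constructed export: one legitimate autorun entry plus the three indicators.
# The value name "win" for the Maldal.D entry is an assumption.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"msvcc"="C:\\WINDOWS\\System32\\msvchost.exe"
"win"="C:\\WINDOWS\\System\\win.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Wh"="Yes"
'''

if __name__ == "__main__":
    for label, key, name, data in find_indicators(SAMPLE_EXPORT):
        print(f"{label}: [{key}] {name} = {data}")
```

Because the Run key is loaded at every boot, a value found here is also the first thing to remove when recovering: the page's own advice for Xombe and Maldal.D is to clear that value so the program does not start again, and this script shows exactly which value that is.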
