HackfixNews: Destructive Internet Worm WORM_WINEVAR.A

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Wed, 27 Nov 2002 14:33:44 -0800

From; Trend Micro

Destructive Internet Worm =96 WORM_WINEVAR.A (Medium Risk)
WORM_WINEVAR.A is a destructive Internet worm that runs on all Windows
platforms. It uses its own Simple Mail Transfer Protocol (SMTP) engine to
propagate via email. It sends email messages with random subjects to
addresses listed in the HTML files of the infected user=92s system. When
sending email it uses a known exploit that causes the attachment to
automatically execute when the message is viewed or previewed on Internet
Explorer-based email clients, such as Microsoft Outlook and Outlook Express.
This exploit is known as Automatic Execution of Embedded MIME type. This
worm is capable of terminating monitoring programs and antivirus products
from system memory, and it deletes all files in local drives.

Upon execution, this worm creates a copy of itself in the Windows system
folder as WIN<Random numeric value>.PIF. Due to the use of the random
string, a new copy of this worm is created in the Windows system folder
every time it is executed. It also drops a copy of itself in the Desktop
folder as EXPLORER.PIF. 

It then creates autostart entries in the registry using the generated file
name as the name of the entries. These registry entries allow the dropped
copy to execute at startup. After the worm installs itself, it gathers email
addresses from HTML files on the system. The email addresses saved in the
registry entry are removed upon every subsequent execution and replaced with
newly found email addresses. It then uses the default SMTP server to send
out email messages containing an attached copy of itself to all the gathered

On the next bootup, this worm displays a message box containing the
following text strings: 

Header: Make a fool of oneself
Body: What a foolish thing you have done!

Once the user clicks the OK button, this worm deletes all files from local
drives, except files that are currently running on the system. 

If no Internet connection is detected, this worm simply drops the file
AAVAR.PIF in the Windows system folder, which is a slightly modified version
of PE_FUNLOVE.4099. It executes the dropped virus to infect all .EXE files
in all folders, except the Windows and Program Files folders.

The subject lines of the email messages sent by the worm are constructed in
two ways. The first subject format is used 33% of the time, meaning that, it
generates this subject once in every 3 email messages (where <Registered
Owner> is the registered owner of the machine and <Registered Organization>
is the organization of the owner): 

Subject: AVAR (Association of Anti-Virus Asia Researcher) 
Message Body: <Registered Owner> - <Registered Organization>
WIN<random numeric value>.GIF (120 bytes) MUSIC_2.CEO
WIN<random numeric value>.TXT (12.6 KB) MUSIC_1.HTM 

The second subject line format is used 66% of the time. It generates 2 email
messages of this subject format in every 3 (where <Registered Owner> is the
registered owner of the machine and <Registered Organization> is the
organization of the owner):

Subject: <registered Organization>
Message Body: <Registered Owner> - <Registered Organization>
WIN<random numeric value>.GIF (120 bytes) MUSIC_2.CEO
WIN<random numeric value>.TXT (12.6 KB) MUSIC_1.HTM 

However, at the time of this writing, the virus has a bug that cannot
completely decode the second email subject resulting in its first four
generated characters being unintelligible. Therefore, most of the email it
sends arrive with the subject format N`4_<Registered Organization>.
For additional information about WORM_WINEVAR.A please visit:

See also;
From;  Sophos Alert System 

Name: W32/Winevar-A
Aliases: I-Worm.Winevar, WORM_WINEVAR.A, W32/Korvar,
Worm/Bride.C, W32.HLLW.Winevar
Type: Win32 worm
Date: 25 November 2002

A virus identity file (IDE) which provides protection is
available now from our website and will be incorporated into the
January 2003 (3.65) release of Sophos Anti-Virus.

At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory
following enquiries to our support department from customers. 

More information about W32/Winevar-A can be found at
More info;

From; Kaspersky Labs
  "Korean" Worm getting faster in spreading 

Kaspersky Labs is warning all users against the new Internet worm
"Winevar" (also known as "Korean Worm"). This malicious program was
detected last week and was added to the Kaspersky Anti-Virus database.
It has only been during today that we have received registered incidents
of infections by this worm. Up to now, Kaspersky Labs' anti-virus
experts have received messages about Winevar infections from users in
South Korea, Russia and from the Baltic States.

Winevar spreads through e-mail. An infected message can have different
subjects, bodies and names of attached files. 
When the worm gets into a potential victim's e-mail box, it tries to
penetrate the computer unnoticed, using the following vulnerabilities in
the MS Internet Explorer security system: Microsoft VM ActiveX Component
IFRAME Vulnerability Thus allowing an infection of the computer
immediately upon reading the message.

Having penetrated a system, the worm modifies Windows booting files to
activate upon system restart and to initiate its spread. Therefore it
scans all HTM and DBX files found on the computer and extracts e-mail
addresses. To these addresses the worm sends its copies using a direct
connection to the default SMTP e-mail server.

Winevar has several extremely dangerous payloads, which can lead to the
irrecoverable loss of data. Firstly, the worm removes anti-virus
programs, debuggers and firewalls form the memory and from the disks. In
some cases Winevar can also delete all other files on the computer.
Secondly, the worm infects the computer with the virus Win32.Funlove.
Thirdly, Winevar carries out DoS-attacks on Symantec's Web-site by
launching an endless cycle of HTTP-requests sent to it.

Taking into account the spread of the worm in more and more countries,
Kaspersky Labs recommends: immediate installation of the latest updates
for your anti-virus programs; extreme caution when opening emails;
installation of patches for the above mentioned vulnerabilities in the
security system of MS Internet Explorer. 
Useful links: 
Description of Winevar in the Kaspersky Virus Encyclopedia
For the Microsoft VM ActiveX Component vulerability: 

For the IFRAME Vulnerability: 

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see ~ http://www.mwn.ca 
See my Anti-Virus pages ~ http://virusinfo.hackfix.org
A Technical Support Alliance Charter Member 

To unsubscribe from our list send an email 
to hackfixnews-request@xxxxxxxxxxxxx?Subject=unsubscribe.

For a complete list of email commands for our list send 
an email to ecartis@xxxxxxxxxxxxx with a subject line of 
"info hackfixnews" without the quotes.

Other related posts:

  • » HackfixNews: Destructive Internet Worm – WORM_WINEVAR.A