[virusinfo] W32/Assiral-B

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Tue, 01 Mar 2005 12:31:00 -0800

From: Sophos Alert System:

Name: W32/Assiral-B
Type: Win32 worm
Date: 1 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the April 2005 (3.92) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Note: The IDE issued for W32/Assiral-B at 13:35 GMT on 01 March
2005 also contained detection for W32/Infor-Zip,
Troj/Dloader-IK, Troj/Banker-GQ, W32/Sdbot-VS, Troj/Bancos-BG
and W32/Jeans-A. This IDE has now been updated to enhance
detection of W32/Jeans-A.

Information about W32/Assiral-B can be found at:
http://www.sophos.com/virusinfo/analyses/w32assiralb.html

W32/Assiral-B is a mass-mailing worm. 
W32/Assiral-B copies itself to the Windows system folder with the filenames 
CmdPrompt32.pif and MSLARISSA.pif, and to the Windows folder with the filename 
SP00Lsv32.pif. W32/Assiral-B then sets the following entries in the registry so 
as to run the copies on system startup: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSLARISSA
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Cinnabd Prompt32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\(L4r1$$4) (4nt1) (V1ruz)
W32/Assiral-B also attempts to copy itself to removable, fixed and remote 
drives with the filename LOVE_LETTER_FOR_YOU.pif. 
W32/Assiral-B searches for email addresses in files of type *.HT* in the 
current folder, in the Windows folder, and in the folder found at the following 
registry entry: 
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal
W32/Assiral-B sends itself to the addresses it finds in emails with the 
following characteristics: 
From address: MSLarissa@xxxxxxxxx 
Subject line from the following list: 
Re: Message
Re: Letter
Re: Information
I LOVE YOU
Re: Your Documents
Re: Account Info
Windows Update
Re: My Letter
Re: Docs
Re: Your Email Info 
Message text from the following list: 
The message is located in the attachments.
The letter you requested is in the attachments.
Information attached.
Kindly read and reply to my LOVE LETTER in the attachments :-)
The documents you requested are in the attachments.
Info reguarding your Email account is in the attachments.
Dear Windows User, Please download the windows updated included in the 
attachments.
My letter is in the attachments.
Please read the documents included in the attachments
Your email account is about to expire, please check the attachments for 
details. 
Attachment name from the following list: 
Message.exe
Letter.exe
Information.exe
LOVE_LETTER_FOR_YOU.exe
Documents.exe
Attached_Message.exe
Microsoft_Update.exe
Private_Letter.exe
Private_Document.exe
Important_Message.exe 
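The sender, subject lines and attachment names listed above form a usable mail-gateway indicator set. The block below is an added Python example, not part of the Sophos alert: it parses a raw message with the standard library and reports which of those indicators it carries. The archive redacts the sender's domain, so only the MSLarissa local part is checked, and the sample message is constructed rather than a real capture.

```python
from email import message_from_bytes, policy

# Indicators quoted from the Sophos analysis of W32/Assiral-B.
SENDER_LOCALPART = "mslarissa"
SUBJECTS = {
    "Re: Message", "Re: Letter", "Re: Information", "I LOVE YOU",
    "Re: Your Documents", "Re: Account Info", "Windows Update",
    "Re: My Letter", "Re: Docs", "Re: Your Email Info",
}
ATTACHMENTS = {
    "Message.exe", "Letter.exe", "Information.exe", "LOVE_LETTER_FOR_YOU.exe",
    "Documents.exe", "Attached_Message.exe", "Microsoft_Update.exe",
    "Private_Letter.exe", "Private_Document.exe", "Important_Message.exe",
}

def assiral_indicators(raw: bytes) -> list:
    """Return the W32/Assiral-B indicators matched by one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = (msg.get("From") or "").lower()
    if SENDER_LOCALPART + "@" in sender:          # domain redacted in the archive
        hits.append("from:mslarissa")
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():           # non-body MIME parts only
        name = part.get_filename() or ""
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits

# Constructed sample (not a real capture) matching all three indicator types.
SAMPLE = (
    b"From: MSLarissa@example.invalid\r\n"
    b"Subject: Re: Account Info\r\n"
    b"Content-Type: multipart/mixed; boundary=\"b1\"\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Info reguarding your Email account is in the attachments.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream; name=\"Message.exe\"\r\n"
    b"Content-Disposition: attachment; filename=\"Message.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"TVo=\r\n"
    b"--b1--\r\n"
)
```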
W32/Assiral-B attempts to terminate a number of processes related to security 
and anti-virus programs. 
W32/Assiral-B drops and runs a file C:\WINDOWS\WinVBS.vbs, also detected as 
W32/Assiral-B, which attempts to set the following registry entries to restrict 
the user's activity on the infected machine: 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = 67108863
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disabled = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = 1
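The Run entries and the Policies values the analysis lists are what a responder looks for in a registry export from a suspect machine. The following is an added Python example, not Sophos's code: it parses a constructed .reg excerpt, flags those entries, and decodes the NoDrives value, which is a bitmask of hidden drive letters (bit 0 is A:, bit 25 is Z:, so 67108863 hides all 26). The Run value data paths in the sample are assumed.

```python
import re

# Run-key value names and policy values quoted from the Sophos analysis of W32/Assiral-B.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"MSLARISSA", "Cinnabd Prompt32", "(L4r1$$4) (4nt1) (V1ruz)"}
POL = r"hkey_current_user\software\microsoft\windows\currentversion\policies"
POLICY_VALUES = {
    (POL + r"\explorer", "norun"): 1,
    (POL + r"\system", "disableregistrytools"): 1,
    (POL + r"\explorer", "nodrives"): 67108863,
    (POL + r"\winoldapp", "disabled"): 1,
    (POL + r"\system", "noadminpage"): 1,
}

def parse_reg(text):
    """Yield (key, name, value) from .reg text; dword values become ints."""
    key = None
    for line in text.splitlines():
        m = re.match(r"\[(.*)\]$", line)
        if m:
            key = m.group(1)
            continue
        m = re.match(r'"(.*?)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and key:
            name, dword, string = m.groups()
            yield key, name, int(dword, 16) if dword is not None else string

def nodrives_letters(mask):
    """NoDrives is a bitmask: bit 0 hides A:, bit 25 hides Z:."""
    return [chr(ord("A") + i) for i in range(26) if mask >> i & 1]

def assiral_registry_findings(reg_text):
    """Registry paths are case-insensitive, so they are compared lowercased."""
    findings = []
    for key, name, value in parse_reg(reg_text):
        if key.lower() == RUN_KEY and name in RUN_VALUES:
            findings.append(f"run entry {name!r} -> {value}")
        elif POLICY_VALUES.get((key.lower(), name.lower())) == value:
            hidden = nodrives_letters(value) if name.lower() == "nodrives" else []
            detail = f" (hides drives {''.join(hidden)})" if hidden else ""
            findings.append(f"policy {key}\\{name} = {value}{detail}")
    return findings

# Constructed .reg excerpt (not a real export); the Run data path is assumed.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSLARISSA"="C:\\WINDOWS\\System32\\MSLARISSA.pif"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDrives"=dword:03ffffff
"""
```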
W32/Assiral-B attempts to load a hidden instance of Microsoft Internet Explorer 
and to load a file at http://www.geocities.com/mslarissac. 
W32/Assiral-B attempts to delete all DLL and EXE files from the folders 
C:\WINDOWS\System32, C:\WINDOWS\System and C:\WINDOWS. 
W32/Assiral-B may display fake error message boxes with the title "System 
Error" and the text "Invalid memory address: Program terminating." 
W32/Assiral-B drops 3 files, C:\MESSAGE_TO_USER.txt, C:\MESSAGE_TO_AVs.txt and 
MESSAGE_TO_BROPIA.txt. 
C:\MESSAGE_TO_USER.txt contains the following text: 
Greetz to infected user!
I will survive,
In this moment in time.
Your computer will crash,
So, you will be mine.
I will not crash,
I will not fail.
So, in this moment in time,
I will survive...
- LARISSA AUTHOR : 2-24-05 
C:\MESSAGE_TO_AVs.txt contains the following text: 
Greetz to AVs!
I wanna be in AV industry when I grow up :-)
----------------------------------------
- LARISSA AUTHOR : 2-24-05 
MESSAGE_TO_BROPIA.txt contains the following text: 
Hey Bropia.. stop making MSN worms it's stupid...
... lol -- Larissa Anti Bropia... -- Saving the world from BROPIA!!!
- LARISSA AUTHOR : 2-24-05 

This IDE file also includes detection for:

W32/Infor-Zip
http://www.sophos.com/virusinfo/analyses/w32inforzip.html
Troj/Dloader-IK
http://www.sophos.com/virusinfo/analyses/trojdloaderik.html
Troj/Banker-GQ
http://www.sophos.com/virusinfo/analyses/trojbankergq.html
W32/Sdbot-VS
http://www.sophos.com/virusinfo/analyses/w32sdbotvs.html
Troj/Bancos-BG
http://www.sophos.com/virusinfo/analyses/trojbancosbg.html
W32/Jeans-A
http://www.sophos.com/virusinfo/analyses/w32jeansa.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/assira-b.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 