Assiral.A

Summary

Assiral.A is a simple mass mailing worm that also tries to kill the Bropia worm.

Disinfection & Removal

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Technical Details

Assiral.A arrives as a Windows PE executable. It is written in delphi and packed with Aspack executable packer. The worm main executable requires some delphi runtime DLLs to be present so it might not work on all systems.

System installation

When run, the worm copies itself in Windows system directory as MS_LARISSA.EXE and adds the following registry key

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "MS_LARISSA" = "%Sysdir%\MS_LARISSA.EXE"

This will ensure that the worm is run on every system startup. It also tries to copy itself on drives A-Z as "MS_LARISSA.EXE" and in Windows directory as "LOVE_LETTER.TXT.exe".

The worm drops and executes the following files:

C:\WINDOWS\WinVBS_32.vbs
 C:\WINDOWS\System32\REG_32.vbs
 C:\LARISSA_ANTI_BROPIA.html

It also tries to open a web page on www.geocities.com and modify Internet Explorer home page settings.

Email spreading

The script WinVBS_32.vbs contains the mass mailing part of the worm. Similar to Loveletter, it uses Outlook application to send emails to all recipients listed in Outlok address book. The sent emails look as follows:

Subject:  Re: LOV YA !
 Body: Kindly read and reply to my LOVE LETTER in the attachments :-)
 Attachments: LOVE_LETTER.TXT.exe

Where the attachment is previously saved in C:\WINDOWS folder.

The script also checks and modifies the registry:

[HKCU \Software\Microsoft\WAB\EddieMail]

so it send itself out only once per infected computer.

Payload

The worm drops a HTML file, C:\LARISSA_ANTI_BROPIA.html, and shows it. It contains the following text:

Assiral.A also drops a small Visual Basic Script file, C:\WINDOWS\System32\REG_32.vbs, and executes changing some of the policy settings from the Windows registry. This will for example hide all drives from the Explorer and disable registry editing tools.

Additionally the worm drops a file C:\MESSAGE.txt which contains the following message from the author:

Greetz from LARISSA.B!
 I will survive,
 In this moment in time.
 You computer will crash,
 So, you will be mine.
 I never crash,
 I never fail.
 So, in this moment in time,
 I will survive...
     - LARISSA AUTHOR - 5-15-05

The worm also tries to kill processes of the Bropia MSN-worm:

Beautiful Ass.pif
 John Kerry as Super Chicken.scr
 Kool.pif
 Me & you pic!.pif
 Me Pissed!.pif
 sexy.pif
 She Could Fit her Ass in a Teacup.pif
 she's fuckin fit.pif
 titanic2.jpg.pif
 cz.exe
 msnmsr.exe
 Webcam.pif
 bedroom-things.pif
 naked_drunk.pif
 my_pussy.pif
 ROFL.pif
 underware.pif
 Hot.pif
 new_webcam.pif

Finally, it tries to kill the following security related processes:

APVXDWIN.EXE
 ATUPDATER.EXE
 AUPDATE.EXE
 AUTODOWN.EXE
 AUTOTRACE.EXE
 AUTOUPDATE.EXE
 AVENGINE.EXE
 AVPUPD.EXE
 AVWUPD32.EXE
 AVXQUAR.EXE
 Avconsol.exe
 Avsynmgr.exe
 CFIAUDIT.EXE
 DRWEBUPW.EXE
 DefWatch.exe
 ESCANH95.EXE
 ESCANHNT.EXE
 FIREWALL.EXE
 FrameworkService.exe
 ICSSUPPNT.EXE
 ICSUPP95.EXE
 LUALL.EXE
 LUCOMS~1.EXE
 MCUPDATE.EXE
 NISUM.EXE
 NPROTECT.EXE
 NUPGRADE.EXE
 OUTPOST.EXE
 PavFires.exe
 Rtvscan.exe
 RuLaunch.exe
 SAVScan.exe
 SHSTAT.EXE
 SNDSrvc.exe
 UPDATE.EXE
 UpdaterUI.exe
 VsStat.exe
 VsTskMgr.exe
 Vshwin32.exe
 alogserv.exe
 bawindo.exe
 blackd.exe
 ccEvtMgr.exe
 ccProxy.exe
 ccPxySvc.exe
 mcagent.exe
 mcshield.exe
 mcvsescn.exe
 mcvsrte.exe
 mcvsshld.exe
 navapsvc.exe
 navapw32.exe
 nopdb.exe
 pavProxy.exe
 pavsrv50.exe
 symlcsvc.exe
 SpySweeper.exe
 ISASS.EXE

Detection

F-Secure Anti-Virus detects Assiral.A with the following update:

Detection Type: PC
Database: 2005-02-22_01

Technical Details: Jarkko Turkulainen, Katrin Tocheva and Sami Rautiainen Feb 23rd, 2005