Assiral.A is a simple mass mailing worm that also tries to kill the Bropia worm.
Disinfection & Removal
Assiral.A arrives as a Windows PE executable. It is written in delphi and packed with Aspack executable packer. The worm main executable requires some delphi runtime DLLs to be present so it might not work on all systems.
When run, the worm copies itself in Windows system directory as MS_LARISSA.EXE and adds the following registry key
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "MS_LARISSA" = "%Sysdir%\MS_LARISSA.EXE"
This will ensure that the worm is run on every system startup. It also tries to copy itself on drives A-Z as "MS_LARISSA.EXE" and in Windows directory as "LOVE_LETTER.TXT.exe".
The worm drops and executes the following files:
C:\WINDOWS\WinVBS_32.vbs C:\WINDOWS\System32\REG_32.vbs C:\LARISSA_ANTI_BROPIA.html
It also tries to open a web page on www.geocities.com and modify Internet Explorer home page settings.
The script WinVBS_32.vbs contains the mass mailing part of the worm. Similar to Loveletter, it uses Outlook application to send emails to all recipients listed in Outlok address book. The sent emails look as follows:
Subject: Re: LOV YA ! Body: Kindly read and reply to my LOVE LETTER in the attachments :-) Attachments: LOVE_LETTER.TXT.exe
Where the attachment is previously saved in C:\WINDOWS folder.
The script also checks and modifies the registry:
so it send itself out only once per infected computer.
The worm drops a HTML file, C:\LARISSA_ANTI_BROPIA.html, and shows it. It contains the following text:
Assiral.A also drops a small Visual Basic Script file, C:\WINDOWS\System32\REG_32.vbs, and executes changing some of the policy settings from the Windows registry. This will for example hide all drives from the Explorer and disable registry editing tools.
Additionally the worm drops a file C:\MESSAGE.txt which contains the following message from the author:
Greetz from LARISSA.B! I will survive, In this moment in time. You computer will crash, So, you will be mine. I never crash, I never fail. So, in this moment in time, I will survive... - LARISSA AUTHOR - 5-15-05
The worm also tries to kill processes of the Bropia MSN-worm:
Beautiful Ass.pif John Kerry as Super Chicken.scr Kool.pif Me & you pic!.pif Me Pissed!.pif sexy.pif She Could Fit her Ass in a Teacup.pif she's fuckin fit.pif titanic2.jpg.pif cz.exe msnmsr.exe Webcam.pif bedroom-things.pif naked_drunk.pif my_pussy.pif ROFL.pif underware.pif Hot.pif new_webcam.pif
Finally, it tries to kill the following security related processes:
APVXDWIN.EXE ATUPDATER.EXE AUPDATE.EXE AUTODOWN.EXE AUTOTRACE.EXE AUTOUPDATE.EXE AVENGINE.EXE AVPUPD.EXE AVWUPD32.EXE AVXQUAR.EXE Avconsol.exe Avsynmgr.exe CFIAUDIT.EXE DRWEBUPW.EXE DefWatch.exe ESCANH95.EXE ESCANHNT.EXE FIREWALL.EXE FrameworkService.exe ICSSUPPNT.EXE ICSUPP95.EXE LUALL.EXE LUCOMS~1.EXE MCUPDATE.EXE NISUM.EXE NPROTECT.EXE NUPGRADE.EXE OUTPOST.EXE PavFires.exe Rtvscan.exe RuLaunch.exe SAVScan.exe SHSTAT.EXE SNDSrvc.exe UPDATE.EXE UpdaterUI.exe VsStat.exe VsTskMgr.exe Vshwin32.exe alogserv.exe bawindo.exe blackd.exe ccEvtMgr.exe ccProxy.exe ccPxySvc.exe mcagent.exe mcshield.exe mcvsescn.exe mcvsrte.exe mcvsshld.exe navapsvc.exe navapw32.exe nopdb.exe pavProxy.exe pavsrv50.exe symlcsvc.exe SpySweeper.exe ISASS.EXE
F-Secure Anti-Virus detects Assiral.A with the following update:
Detection Type: PC
Technical Details: Jarkko Turkulainen, Katrin Tocheva and Sami Rautiainen Feb 23rd, 2005