ALIAS: I-Worm.Neveg.b
The executable was compiled with Microsoft's Visual C++ compiler with the stack protection option enabled. The feature is visible in the code: it protects the stack by placing a 'canary' value between the function's local variables and the return address. If a buffer overflow occurs, it is detected before the function returns, which makes exploiting the overflow a non-trivial task.
The stack protection is enabled with the /GS option. More documentation on its implementation can be found in "Compiler Security Checks In Depth":
http://go.microsoft.com/fwlink/?Linkid=7260
It's worth mentioning that some older worm could be taken over because of a buffer overflow in its networking code. It's interesting that malware writers are also paying attention to security-related issues.
Once executed, it creates a mutex named:
"4D36E64A-W325-121E-BFC1-080C2BE11318"
in order to avoid being run more than once, and copies itself to:
%WinDir%\system\services.exe
A registry key will be set to point to the dropped file; the name of the key will be randomly chosen from:
BuildLab RegDone ccApps Microsoft Visual SourceSafe TEXTCONV FriendlyTypeName .Prog WMAudio
Therefore, the registry key might look as follows:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"WMAudio" = "%WinDir%\system\services.exe"
Where %WinDir% is the main Windows folder.
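A triage check for the persistence described above, added here as an example and not F-Secure's own code: it flags Run values whose data resolves to the dropped path, which sits in the "system" folder rather than "system32", where the genuine Windows services.exe lives. The function names, the sample entries and the C:\WINDOWS default are assumptions made for the example.

```python
import ntpath
import re

# Value names from the page. The page's list is flattened onto one line, so
# treating "Microsoft Visual SourceSafe" as a single name is an assumption.
PAGE_VALUE_NAMES = {"buildlab", "regdone", "ccapps", "microsoft visual sourcesafe",
                    "textconv", "friendlytypename", ".prog", "wmaudio"}
DROPPED_SUFFIX = r"\system\services.exe"  # page: %WinDir%\system\services.exe


def normalize(data, windir=r"C:\WINDOWS"):
    """Reduce a Run value's data to a lower-case, expanded executable path."""
    data = data.strip()
    if data.startswith('"'):
        data = data[1:].split('"', 1)[0]           # quoted path: drop arguments
    else:
        m = re.match(r"(?i)(.*?\.exe)\b", data)    # unquoted: cut after ".exe"
        data = m.group(1) if m else data
    # lambda keeps the backslashes in windir from being read as escapes
    data = re.sub(r"(?i)%(windir|systemroot)%", lambda _: windir, data)
    return ntpath.normpath(data).lower()


def scan_run_key(values, windir=r"C:\WINDOWS"):
    """values: {name: data} read from the Run key.
    Returns [(name, name_is_on_page_list)] for entries launching the dropped file."""
    target = (windir + DROPPED_SUFFIX).lower()
    return [(name, name.lower() in PAGE_VALUE_NAMES)
            for name, data in values.items()
            if normalize(data, windir) == target]


# Constructed sample data, not taken from an infected machine.
SAMPLE_RUN_KEY = {
    "WMAudio": r"%WinDir%\system\services.exe",
    "ccApps": r'"C:\Program Files\Example\app.exe"',   # listed name, other path
    "Updater": r"c:\windows\SYSTEM\Services.exe /s",   # unlisted name, same path
    "Legit": r"%SystemRoot%\system32\services.exe",    # genuine location
}

if __name__ == "__main__":
    for name, listed in scan_run_key(SAMPLE_RUN_KEY):
        print(f"suspicious Run value {name!r} (name on page list: {listed})")
```

Matching on the value's data rather than its name keeps the check working whichever of the listed names was picked.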
E-Mail spreading
When massmailing, it will attach itself with names such as:
office.exe
notes.exe
doom3demo.exe
resume.exe
files.exe
request.exe
info.exe
details.exe
result.exe
results.exe
install.exe
setup.exe
test.exe
google.exe
se_files.exe
[FSAV_Database_Version]
Version=2004-08-10_01
Technical Details:
Ero Carrera, August 10th, 2004;
F-Secure Corporation