Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Cali.A


Aliases:


Cali.A
I-Worm.Neveg.b

Malware
Worm
W32

Summary

The Cali worm was found on 10th of August 2004. It's a massmailer.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

Cali is packed with Yoda and UPX. It's packed size is 51270 bytes. Once unpacked it grows up to 100KiB.

The executable was compiled with Microsoft's Visual C++ compiler with the stack protection option enabled. It's possible to appreciate in the code this feature, which protects the stack by placing a 'canary' value between the function's local variables and the return address. In this scenario if a buffer overflow would occur, it would be detected before the function returns, making the exploitation of an overflow a non trivial task.

The stack protection is enabled with the /GS option. More documentation on its implementation can be found from "Compiler Security Checks In Depth":

http://go.microsoft.com/fwlink/?Linkid=7260

It's worth mentioning that some older worm could be taken over because of a buffer overflow in its networking code. It's interesting that malware writers are also paying attention to security related issues.

Once executed it creates a a mutex named:

"4D36E64A-W325-121E-BFC1-080C2BE11318"


in order to avoid being run more than once. And copies itself to:

%WinDir%\system\services.exe


A registry key will be set to point to the dropped file, the name of the key will be randomly chosen from:

BuildLab
 RegDone
 ccApps
 Microsoft Visual SourceSafe
 TEXTCONV
 FriendlyTypeName
 .Prog
 WMAudio
 

therefore, the registry key might look as follows:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
 "WMAudio" = "%WinDir%\system\services.exe"
 

Where %WinDir% is the main Windows folder.


E-Mail spreading

When massmailing, it will attach itself with names such as:

office.exe
 notes.exe
 doom3demo.exe
 resume.exe
 files.exe
 request.exe
 info.exe
 details.exe
 result.exe
 results.exe
 install.exe
 setup.exe
 test.exe
 google.exe
 se_files.exe
 


Detection

Detection for Cali worm is available since the following FSAV updates:

Detection Type: PC
Database: 2004-08-10_01



Technical Details: Ero Carrera, August 10th, 2004



Scan and clean your PC




F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Disinfect your PC




F-Secure Anti-Virus will disinfect your PC and remove all harmful files