Cali.A

ALIAS: I-Worm.Neveg.b

Summary

The Cali worm was found on the 10th of August 2004. It is a mass-mailer.

Additional Details

Cali is packed with Yoda and UPX. Its packed size is 51270 bytes; once unpacked it grows to 100 KiB.

The executable was compiled with Microsoft's Visual C++ compiler with the stack protection option enabled. This feature is visible in the code: it protects the stack by placing a 'canary' value between the function's local variables and the return address. Should a buffer overflow occur, it is detected before the function returns, which makes exploiting such an overflow a non-trivial task.

The stack protection is enabled with the /GS compiler option. More documentation on its implementation can be found in "Compiler Security Checks In Depth":

http://go.microsoft.com/fwlink/?Linkid=7260

It's worth mentioning that some older worms could be hijacked through a buffer overflow in their networking code. It is interesting that malware writers are also paying attention to security-related issues.
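The canary mechanism described above, as an added illustration that is not the compiler's or the runtime's code: the stack frame is modelled as an explicit struct so that the cookie check can be shown without real memory corruption. The cookie value, the buffer size and the helper names (guarded_copy, overflow_demo, cookie_offset) are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the /GS scheme: the compiler places a "security cookie" between a
 * function's local buffers and the saved return address and verifies it in
 * the epilogue.  The frame is an explicit struct here so the check can be
 * demonstrated without relying on undefined behaviour. */

#define BUF_SIZE 16
/* Constructed value for the example; the real cookie is set per process. */
#define SECURITY_COOKIE 0x5A3C9E71u

struct frame {
    char      buf[BUF_SIZE];  /* local buffer, lowest address in the frame */
    uint32_t  cookie;         /* canary: sits right after the locals */
    uintptr_t saved_return;   /* stands in for the saved return address */
};

/* Mimics a function that copies 'len' untrusted bytes into a 16-byte local
 * buffer without a bounds check, then runs the /GS epilogue check.
 * Returns 1 if the cookie is intact (normal return) and 0 if it was
 * overwritten (the real runtime would terminate the process instead). */
int guarded_copy(const unsigned char *src, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.cookie = SECURITY_COOKIE;
    f.saved_return = 0x1234;   /* placeholder, only shows the layout */

    /* The copy trusts 'len'.  It is clamped to the frame so the example
     * itself stays well-defined; bytes beyond BUF_SIZE land on the cookie
     * and then on the saved return slot, exactly the region /GS guards. */
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, src, len);

    /* Epilogue check: any overwrite that reached the return address must
     * have passed through the cookie first. */
    return f.cookie == SECURITY_COOKIE;
}

/* Offset of the cookie from the start of the buffer, i.e. how many bytes an
 * overflow must write before the check fires. */
size_t cookie_offset(void)
{
    return offsetof(struct frame, cookie);
}

/* Demonstration helper: feeds 'len' bytes of 'A' (constructed input, at most
 * 64 bytes) through guarded_copy and returns its verdict. */
int overflow_demo(size_t len)
{
    unsigned char input[64];
    if (len > sizeof input)
        len = sizeof input;
    memset(input, 'A', len);
    return guarded_copy(input, len);
}

int main(void)
{
    size_t lens[] = { 4, 16, 17, 24 };
    printf("cookie at offset %zu\n", cookie_offset());
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%2zu-byte input: %s\n", lens[i],
               overflow_demo(lens[i]) ? "cookie intact" : "overflow detected");
    return 0;
}
```

The point the model makes is that the check is positional: a write that stays within the 16-byte buffer passes, while the first byte past it already corrupts the cookie, so the corruption is caught in the epilogue before the saved return address is ever used.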

Once executed it creates a mutex named:


 "4D36E64A-W325-121E-BFC1-080C2BE11318"

in order to avoid being run more than once, and copies itself to


 %WinDir%\system\services.exe

A value pointing to the dropped file will be added under the Run registry key; the value name is chosen at random from:


 BuildLab
 RegDone
 ccApps
 Microsoft Visual SourceSafe
 TEXTCONV
 FriendlyTypeName
 .Prog
 WMAudio

therefore, the registry entry might look as follows:


 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
 "WMAudio" = "%WinDir%\system\services.exe"

Where %WinDir% is the main Windows folder.

E-Mail spreading

When mass-mailing, it attaches itself under names such as:


 office.exe
 notes.exe
 doom3demo.exe
 resume.exe
 files.exe
 request.exe
 info.exe
 details.exe
 result.exe
 results.exe
 install.exe
 setup.exe
 test.exe
 google.exe
 se_files.exe
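The persistence details (mutex, drop path, Run value names) and the attachment names listed above can be turned into a small indicator check. The following is an added example, not F-Secure's detection code; the function names and the sample Run-key export are constructed for illustration, and only the indicators themselves come from the description above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Indicators taken from the description above. */
static const char *CALI_MUTEX = "4D36E64A-W325-121E-BFC1-080C2BE11318";
static const char *CALI_DROP_SUFFIX = "\\system\\services.exe"; /* under %WinDir% */

static const char *CALI_RUN_NAMES[] = {
    "BuildLab", "RegDone", "ccApps", "Microsoft Visual SourceSafe",
    "TEXTCONV", "FriendlyTypeName", ".Prog", "WMAudio"
};

static const char *CALI_ATTACHMENTS[] = {
    "office.exe", "notes.exe", "doom3demo.exe", "resume.exe", "files.exe",
    "request.exe", "info.exe", "details.exe", "result.exe", "results.exe",
    "install.exe", "setup.exe", "test.exe", "google.exe", "se_files.exe"
};

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Case-insensitive equality: Windows value names and paths are
 * case-insensitive, so a detection must be too. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static int iends_with(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && ieq(s + ls - lx, suffix);
}

static int in_list(const char *s, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (ieq(s, list[i]))
            return 1;
    return 0;
}

/* Strong indicator: a Run value whose name is one of the worm's choices AND
 * whose data points at <folder>\system\services.exe.  Requiring both avoids
 * flagging a legitimate value that merely shares one of the names. */
int is_cali_run_entry(const char *value_name, const char *value_data)
{
    return in_list(value_name, CALI_RUN_NAMES, COUNT(CALI_RUN_NAMES))
        && iends_with(value_data, CALI_DROP_SUFFIX);
}

/* Weak indicator on its own: several of these names (setup.exe, install.exe)
 * are common for legitimate attachments, so use it to prioritise, not block. */
int is_cali_attachment_name(const char *filename)
{
    return in_list(filename, CALI_ATTACHMENTS, COUNT(CALI_ATTACHMENTS));
}

int is_cali_mutex(const char *mutex_name)
{
    return ieq(mutex_name, CALI_MUTEX);
}

/* Scans parallel arrays of Run-key (name, data) pairs, returns the hit count. */
int count_cali_run_entries(const char *const names[], const char *const data[], size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += is_cali_run_entry(names[i], data[i]);
    return hits;
}

/* Constructed sample of a Run key export, not real data: one clean entry,
 * two infected ones (one with different casing) and one name-only match. */
static const char *const SAMPLE_NAMES[] = {
    "ctfmon.exe", "WMAudio", "RegDone", "Microsoft Visual SourceSafe"
};
static const char *const SAMPLE_DATA[] = {
    "C:\\WINDOWS\\system32\\ctfmon.exe",
    "C:\\WINDOWS\\system\\services.exe",
    "C:\\Program Files\\Foo\\foo.exe",
    "c:\\winnt\\SYSTEM\\Services.EXE"
};

int sample_run_key_hits(void)
{
    return count_cali_run_entries(SAMPLE_NAMES, SAMPLE_DATA, COUNT(SAMPLE_NAMES));
}

int main(void)
{
    for (size_t i = 0; i < COUNT(SAMPLE_NAMES); i++)
        printf("%-28s %-36s %s\n", SAMPLE_NAMES[i], SAMPLE_DATA[i],
               is_cali_run_entry(SAMPLE_NAMES[i], SAMPLE_DATA[i]) ? "CALI.A" : "ok");
    printf("%d matching Run entries\n", sample_run_key_hits());
    return 0;
}
```

In practice the Run-value check is the one to act on, since it ties a listed name to the specific drop path; the attachment names alone should only raise the priority of a mail for scanning.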



Detection

Detection for the Cali worm has been available since the following FSAV update:

[FSAV_Database_Version]

Version=2004-08-10_01

Technical Details: Ero Carrera, August 10th, 2004;

F-Secure Corporation