This is a polymorphic Visual Basic Script e-mail worm (mass-mailer) that spreads in two different ways: via the Outlook application, and by collecting e-mail addresses from database files that belong to various e-mail clients.
Cuerpo is a polymorphic Visual Basic Script mass-mailer. Its polymorphism consists of renaming all variables every time it replicates on a system: each variable name is set to between 2 and 10 random characters. These polymorphic variable names are located in a commented line at the top of the worm code. Cuerpo also saves itself and most of its components in files with random names.
Once executed, the worm first generates a new polymorphic copy of itself and saves it to the Windows System directory under a random name. Next it drops another file, again with a random name, into the System directory; this file contains a payload script. This script is added to the registry:
so that it is executed every time the system is restarted.
The script checks whether four days have passed since the infection and, if so, sets the Internet Explorer start page to www.freedonation.com. Otherwise Cuerpo drops a file "blank.html" into the System directory; it contains JavaScript code that opens a new browser window to www.freedonation.com and executes the worm. This HTML file is set as the Internet Explorer start page.
The worm spreads through the Internet in two different ways. The first method uses the Outlook application and its folders; this is the first mass-mailing routine. It goes through the Inbox, Sent Mail, Outbox and Deleted Items folders of the user's Outlook installation looking for messages that contain an attachment. When it finds such messages, it replies to them with the same subject, sending itself as an attachment whose name is the name of the original message's attachment with the following string appended:
" (9 Kbytes).vbs"
Then the worm creates "wininit.bat", which drops the worm into the system, and modifies "autoexec.bat" so that the worm is started on each system restart via the registry.
Then Cuerpo sends itself to all recipients in all address books, using one subject/attachment-name combination taken from the scanned folders. These messages additionally contain the worm code embedded in the message body as HTML.
Cuerpo uses a second method to spread. In addition to sending itself to the e-mail addresses listed in the Outlook application's address book, it also collects all e-mail-like strings, by searching for a special character, in files that serve as database files for various e-mail clients. These database files have the extensions:
"txt", "na2", "wab", "mbx" and "dbx"
In addition, it searches all "dat" files located in a directory whose path contains a string found in a registry key.
Cuerpo stores all these e-mail addresses in an HTML file in the System directory. This HTML file contains a form that is submitted to the virus writer's web site. It is referenced from "blank.html", so the information is sent as soon as the infected user opens Internet Explorer. From that remote location the worm then spreads, embedded as HTML in an empty message, to all the e-mail addresses previously collected from the database files described above. The virus writer's web page was disabled within a few hours of the worm's discovery, so the second mass-mailing part of the worm no longer works.
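As an added example (not part of the original description), the following Python checker tests collected mail and host data against the indicators given above: the " (9 Kbytes).vbs" attachment suffix, an Internet Explorer start page pointing at www.freedonation.com or at a "blank.html" in the System directory, and Run-key values that launch a .vbs script from the System directory. The Run-key heuristic, the value names and all sample values are assumptions, since the page does not reproduce the registry key.

```python
import re

# Indicators quoted from the description; the rest of this checker is an assumption.
ATTACHMENT_SUFFIX = " (9 Kbytes).vbs"
START_PAGE_HOST = "www.freedonation.com"
DROPPED_HTML = "blank.html"


def _norm(path: str) -> str:
    """Lower-case a Windows path/URL and use forward slashes so comparisons are uniform."""
    return path.lower().replace("\\", "/")


def suspicious_attachment(name: str) -> bool:
    """True for '<original attachment> (9 Kbytes).vbs'; the bare suffix alone is not enough."""
    n = name.lower()
    return n.endswith(ATTACHMENT_SUFFIX.lower()) and len(n) > len(ATTACHMENT_SUFFIX)


def suspicious_start_page(value: str) -> bool:
    """True if the IE Start Page is the worm's site or a blank.html inside a system directory."""
    v = _norm(value)
    if START_PAGE_HOST in v:
        return True
    return v.endswith("/" + DROPPED_HTML) and "/system" in v


def suspicious_run_entries(entries: dict, system_dir: str) -> list:
    """Names of Run-key values whose command references a .vbs in the System directory.

    The dropped script has a random name, so the heuristic (an assumption of this
    example) matches on location and extension instead of a fixed file name.
    """
    sysdir = _norm(system_dir).rstrip("/")
    pattern = re.compile(re.escape(sysdir) + r"/[^\\/\"']+\.vbs\b")
    return [name for name, command in entries.items() if pattern.search(_norm(command))]


if __name__ == "__main__":
    # Constructed sample data, not values from a real infection.
    print(suspicious_attachment("invoice.doc (9 Kbytes).vbs"))
    print(suspicious_start_page("file://C:\\WINDOWS\\SYSTEM\\blank.html"))
    print(suspicious_run_entries(
        {"Load": "wscript.exe C:\\WINDOWS\\SYSTEM\\hqzt.vbs", "SystemTray": "SysTray.Exe"},
        "C:\\WINDOWS\\SYSTEM"))
```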
Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure; August 31, 2001