I-Worm.Finaldo.b, Final Doom, FinalDoom, Finaldo.b
Finaldo is a mass-mailer, virus and network worm. It is a very
fast infector that infects EXE, OCX and SCR files. It also infects
ASP, HTM and HTML files with a small script that opens a
specific EML file. Due to numerous bugs the worm fails to work
correctly and often causes crashes or even makes a system
unusable after infection.
The Finaldo dropper that is received by e-mail is polymorphic.
When the dropper runs, it drops and activates the FINALDOOM.DLL
file, which is the main virus-worm code. This code is only
compressed with UPX and is not polymorphic. The file has the hidden
attribute set and is usually located in the \Windows\Temp\ or \Temp\
folder.
After that the worm creates an EXE file, which is its dropper, and
also creates the FINALDOOM.EML file, a pre-formatted
multipart MIME message. The worm then MIME-encodes the dropped
EXE file into the EML file and deletes the EXE file. The
FINALDOOM.EML file is then ready to be sent out.
When spreading, Finaldo reads e-mails from MAPI-compatible e-mail
clients and 'replies' to existing e-mails by sending itself (the EML
file with the encoded worm body) to the senders' e-mail addresses. The
worm deletes the sent message from the outgoing message folder. It should
be noted that the e-mail spreading routine might not work due to bugs
in Finaldo's code.
The worm uses the 'i-frame' trick, and the attachment named
'.EXE' can be automatically activated by Outlook, IE 5.0 or
5.01 installations that do not have the latest security patches. This
vulnerability is fixed and a patch for it is available on Microsoft's site:
Shortly after activation Finaldo runs its spreading routine. It
enumerates network resources, looks for *.OCX, *.EXE
and *.SCR files and infects them. It also infects files on all
local hard drives. The infection is appending and polymorphic, and the
infection size is variable. Infected files might crash
immediately when run or shortly after being run. The worm doesn't
infect the NTOSKRNL.EXE file or files with _winzip_ sections (WinZip
self-extracting archives).
Finaldo also looks for *.ASP, *.HTM and *.HTML files and appends
a small piece of JavaScript code to the end of these files. This code is
almost the same as the one the Nimda worm uses to infect such files,
but this routine doesn't seem to work. The worm should also drop
its EML files to remote and local systems (like Nimda does), but
this functionality fails too.
The worm also uses stealth techniques to hide its files from
being shown in Windows Explorer, even if the 'Show All Files' option
is enabled.
The virus-worm has the following text strings inside:
Coded_by_CJH
Finaldoom is coming! Don't worry... It's no harm to your system !
It's only a demo version
Made in china
At the time this description was written, Finaldo was not in the
wild. F-Secure Anti-Virus detects the Finaldo virus-worm with the
latest updates.
[Analysis: Alexey Podrezov; F-Secure Corp.; November 6th-7th, 2001]