Additional Details
When the worm's file is run, it first checks for an available
Internet connection. If no connection is found, the worm starts to
recursively look for '*.exe' files, beginning in the current
directory and moving up toward the root. When an EXE file is found,
the worm gets an external certificate from the Windows crypto
library and generates a new key. If key generation fails, the worm
exits. Otherwise the worm encrypts the found file with the generated
key. When the worm reaches the root directory, the encryption
process stops and the worm exits.
If an Internet connection is found, the worm gets information about
its own file, allocates two memory buffers, reads itself into the
first buffer and then encodes itself in BASE64 (the encoding
subroutine is inside the worm's file) into the second buffer. After
that the worm gets the special folder location and looks for
'*.ht*' files (*.HTM, *.HTML, etc.) there. When a matching file is
found, the worm loads it into memory and searches it for 'mailto:'
strings. For each one found, the worm takes the e-mail address that
follows it and sends itself to that address. It then continues to
search the same file for further 'mailto:' strings and sends itself
out to every other address it finds. When no more addresses are
found in that file, the worm moves on to the next HTML file.
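The following is an added example, not code from the original description or from the worm: it reproduces the harvesting step above so that a defender can see which addresses the cached pages on a machine would have exposed. It assumes a scratch folder standing in for the worm's "special folder" (the description does not name that folder), a constructed set of sample pages, and, since the description does not say how the worm delimits the address after 'mailto:', that the address ends at the first quote, '?', '>' or whitespace and that the match is case-insensitive.

```python
import fnmatch
import os
import re
import tempfile

# Constructed sample pages standing in for the contents of the worm's
# "special folder" (assumption: the description does not say which folder).
SAMPLE_PAGES = {
    "contact.htm": '<a href="mailto:alice@example.com">Alice</a> '
                   '<a href="mailto:bob@example.com?subject=Hi">Bob</a>',
    "index.html":  '<p>Write to <a href="MAILTO:alice@example.com">us</a></p>',
    "notes.txt":   "mailto:carol@example.com is ignored: not a *.ht* file",
    "readme.htm":  "<p>No addresses here.</p>",
}

# The description says the worm takes "an e-mail address after" each
# 'mailto:' string but not how it delimits it.  Assumption: stop at the
# first quote, '?', '>' or whitespace, and match 'mailto:' case-insensitively.
MAILTO_RE = re.compile(r"mailto:([^\s\"'<>?]+)", re.IGNORECASE)

def addresses_in_file(path):
    """Return every address following a 'mailto:' in one file, in the
    order it appears, which is the order the worm would mail itself out."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return MAILTO_RE.findall(fh.read())

def harvest(folder):
    """Walk FOLDER the way the worm does: only names matching '*.ht*' are
    opened, and every address after 'mailto:' is collected.  Duplicates are
    kept because the worm sends one message per match, not per address."""
    found = []
    for name in sorted(os.listdir(folder)):
        if not fnmatch.fnmatch(name.lower(), "*.ht*"):
            continue
        found.extend(addresses_in_file(os.path.join(folder, name)))
    return found

def demo():
    """Write the constructed pages to a scratch folder and harvest them."""
    with tempfile.TemporaryDirectory() as folder:
        for name, body in SAMPLE_PAGES.items():
            with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return harvest(folder)

if __name__ == "__main__":
    for addr in demo():
        print(addr)
```

Note that 'notes.txt' is skipped although it contains a 'mailto:' string, and that 'alice@example.com' appears twice because the worm sends a copy per match rather than per unique address.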
When sending e-mails the worm connects to the 'mail.bezeqint.net'
e-mail server and sends out the following message:
From: "Microsoft Support" <support@microsoft.com>
Subject: Invalid SSL Certificate
Hello,
Microsoft Corporation announced that an invalid SSL certificate
that web sites use is required to be installed on the user
computer to use the https protocol. During the installation, the
certificate causes a buffer overrun in Microsoft Internet
Explorer and by that allows attackers to get access to your
computer. The SSL protocol is used by many companies that
require credit card or personal information so, there is a high
possibility that you have this certificate installed.
To avoid of being attacked by hackers, please download and
install the attached patch. It is strongly recommended to
install it because almost all users have this certificate
installed without their knowledge.
Have a nice day,
Microsoft Corporation
The worm's file, encoded in BASE64, is attached to this message as
'sslpatch.exe'.
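As an added example that is not part of the original description, the check below parses a message and reports which of the indicators given above it matches: the forged sender, the subject line, the 'sslpatch.exe' attachment and, after BASE64-decoding that attachment, the 'MZ' signature of a Windows executable. The sample message is constructed here with the standard library, and the attachment body is filler bytes starting with 'MZ', not the worm's code.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description: forged sender, subject, attachment name.
LURE_FROM = "support@microsoft.com"
LURE_SUBJECT = "Invalid SSL Certificate"
LURE_ATTACHMENT = "sslpatch.exe"

# Constructed stand-in for the attachment: a Windows executable starts with
# the 'MZ' signature; everything after it here is filler, not worm code.
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"filler, not a real program"

def build_sample(attachment_name=LURE_ATTACHMENT, payload=FAKE_EXE):
    """Build a message carrying the headers and attachment the description
    gives.  This is a constructed sample, not a captured worm e-mail."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft Support" <support@microsoft.com>'
    msg["To"] = "victim@example.com"
    msg["Subject"] = LURE_SUBJECT
    msg.set_content("Hello,\n\nplease download and install the attached patch.\n")
    # Binary attachments are BASE64-encoded by EmailMessage, as the worm does.
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()

def detect(raw):
    """Parse RAW (the bytes of one message) and return which indicators hit.
    The headers are trivially forgeable, so the attachment name together
    with an MZ header in the decoded attachment is the signal that counts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {
        "from": LURE_FROM in (msg.get("From") or "").lower(),
        "subject": (msg.get("Subject") or "").strip() == LURE_SUBJECT,
        "attachment": False,
        "mz_header": False,
    }
    for part in msg.walk():
        name = part.get_filename()
        if not name or name.lower() != LURE_ATTACHMENT:
            continue
        hits["attachment"] = True
        data = part.get_payload(decode=True) or b""   # BASE64 is undone here
        hits["mz_header"] = data[:2] == b"MZ"
    return hits

def is_worm_mail(raw):
    """Verdict: the executable attachment must be present; the forged
    headers only corroborate it."""
    hits = detect(raw)
    return hits["attachment"] and hits["mz_header"] and (hits["from"] or hits["subject"])

if __name__ == "__main__":
    print(detect(build_sample()))
    print("worm mail:", is_worm_mail(build_sample()))
```

The same parser can be pointed at a mailbox file or a mail gateway's quarantine; because 'From:' and 'Subject:' are chosen by the worm and easily changed, a rule that keys only on them will miss variants, while the attachment check survives any rewording of the lure.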
The worm has a dangerous payload: it encrypts all EXE files it can
find in the current directory and the directories above it with a
generated key (see above). The payload is activated when no Internet
connection is present or when errors occur during the worm's
operation.
The worm has a few bugs that affect its ability to spread and
to encrypt files.
[Analysis: Alexey Podrezov; F-Secure Corp.; August 31, 2001]