Morbex is a worm that spreads using multiple methods, including email, IRC, MSN Messenger and Kazaa file sharing. When infecting the system this worm drops an SdBot based IRC trojan also. Email addresses are collected from the user's Microsoft Outlook and Outlook Express Inbox.
Disinfection & Removal
The worm was written using Borland Delphi and is around 55 kilobytes in size. Morbex features several infection vectors:
The worm uses the Microsoft Mail API to collect email addresses where it sends infected messages with the following characteristics:
'Check this out' 'This is what you wanted, right?' 'Microsoft Windows Security Update' 'See if you can get this to work' 'I admit it ... I love you' 'S*x me up baby' 'This is so funny' 'To be or not to be?' 'B-ville did it again ...' 'Company information'
'Here you go, I recall you asked for this.' 'Hey sweety, check the attachment.' 'How do you feel about this?' 'Please do not make this public, thank you.' 'Please install this update, its required' 'Come on honey!' 'I love this funny game, check it out.' 'This is the stock information you wanted.' 'Keep it a secret please!' 'With love from b-ville!'
'Q349247.exe' 'information.DOC.exe' 'Saddam_Game.exe' 'I_Love_U.exe' 'NakedPics.JPG.exe' 'FreeS*x.exe' 'B-ville.exe' 'StockInformation.XLS.exe' 'SecretFile.exe' 'Attachement.exe'
Spreading through MSN Messenger and IRC
Morbex has a built-in web server that listens on port 81 on the infected computer. This web server serves a simple web page trying to fool the visitor to believe that it contains a browser plug-in that needs to be installed.
The web server serves files from a directory called 'services' located in the Windows directory. This directory contains two files, 'index.html' and 'setup.exe', both of them dropped by the worm.
Morbex modifies the ini file of mIRC so that the client will send messages to users who join the channel where the worm infected IRC client is present.
The worm also looks for ongoing discussions in MSN Messenger and plants there messages including a link to itself.
The messages are chosen from a predefined list of messages in the worm body, and the URL to the worm is appended to them. The following messages are listed:
'Check this out, ' 'btw, download this, ' 'I wanted to show you this, ' 'please check out, ' 'hey go to, ' 'See if you can get this to work, ' 'this is cool, ' 'this is funny, ' 'Free p*rn at ' 'lol, ' 'is this you? ' 'whats this? ' 'This is me, ' 'Whats wrong with? ' 'wtf? ' 'hmmmm, ' 'Hahaha, ' 'F*ck this, ' 'weird, ' 'HOLY SH*T, ' 'WOW CHECK THIS OUT, ' 'omg omg omg I found the best app, ' 'What have they done with you? ' 'Is this possible? ' 'rofl, ' 'b*tch ;), ' 'How come this happened? ' 'This is me naked, ' 'S*x me up ' 'This guy is a moron, '
Users who visit the URL see a web page served by the worm's own web server.
Spreading through Kazaa
If Morbex finds that the Kazaa file sharing client is installed on the computer it creates a directory called 'explorer' under the Windows directory and add it to Kazaa shared directories. It populates the directory with copies of itself using many catchy filenames:
'Unreal 2 - The Awakening.exe' 'Command & Conquer Generals.exe' 'Splinter Cell.exe' 'Warcraft III - The Frozen Throne.exe' 'Gods & Generals.exe' 'Unreal 2 Crack.exe' 'Command & Conquer Generals Crack.exe' 'Gods & Generals Crack.exe' 'The Sims 4.exe' 'The Sims 4 Crack.exe' 'Splinter Cell Crack.exe' 'Raven Shield - Crack.exe' 'Raven Shield Keygenerator - WORKS ONLINE.exe' 'Mortal Kombat - Deadly Alliance.exe'
When Morbex enters the system it copies itself to the Windows directory using the name 'svchost.exe'. This copy is then added to the registry as
to ensure that the worm is started when the computer starts.
The worm drops an SdBot based trojan to Windows directory as 'msapi.exe' and runs it.
F-Secure Anti-Virus with the latest updates detects both this worm and the trojan it drops.
Technical Details: Gergely Erdelyi; F-Secure Corp.; April 16th, 2003