Morbex is a worm that spreads using multiple methods, including email,
IRC, MSN Messenger and Kazaa file sharing. When infecting a system
the worm also drops an SdBot-based IRC trojan. Email addresses are
collected from the user's Microsoft Outlook and Outlook Express Inbox.
The worm was written in Borland Delphi and is around 55 kilobytes in size.
Morbex features several infection vectors:
The worm uses the Microsoft Mail API to collect email addresses, to which it
sends infected messages with the following characteristics:
'Check this out'
'This is what you wanted, right?'
'Microsoft Windows Security Update'
'See if you can get this to work'
'I admit it ... I love you'
'S*x me up baby'
'This is so funny'
'To be or not to be?'
'B-ville did it again ...'
'Here you go, I recall you asked for this.'
'Hey sweety, check the attachment.'
'How do you feel about this?'
'Please do not make this public, thank you.'
'Please install this update, its required'
'Come on honey!'
'I love this funny game, check it out.'
'This is the stock information you wanted.'
'Keep it a secret please!'
'With love from b-ville!'
Spreading through MSN Messenger and IRC
Morbex has a built-in web server that listens on port 81 on the infected computer.
This web server serves a simple web page that tries to fool the visitor
into believing that it contains a browser plug-in that needs to be installed.
The web server serves files from a directory called 'services' located in the
Windows directory. This directory contains two files, 'index.html' and
'setup.exe', both of them dropped by the worm.
Morbex modifies the ini file of mIRC so that the client will send messages
to users who join the channel where the worm-infected IRC client is present.
The worm also looks for ongoing discussions in MSN Messenger and plants
messages there that include a link to itself.
The messages are chosen from a predefined list of messages in the worm body,
and the URL to the worm is appended to them. The following messages are
'Check this out, '
'btw, download this, '
'I wanted to show you this, '
'please check out, '
'hey go to, '
'See if you can get this to work, '
'this is cool, '
'this is funny, '
'Free p*rn at '
'is this you? '
'whats this? '
'This is me, '
'Whats wrong with? '
'F*ck this, '
'HOLY SH*T, '
'WOW CHECK THIS OUT, '
'omg omg omg I found the best app, '
'What have they done with you? '
'Is this possible? '
'b*tch ;), '
'How come this happened? '
'This is me naked, '
'S*x me up '
'This guy is a moron, '
Users who visit the URL see a web page served by the worm's own web server.
Spreading through Kazaa
If Morbex finds that the Kazaa file sharing client is installed on the computer, it
creates a directory called 'explorer' under the Windows directory and adds it to
the Kazaa shared directories. It populates the directory with copies of itself under
many catchy filenames:
'Unreal 2 - The Awakening.exe'
'Command & Conquer Generals.exe'
'Warcraft III - The Frozen Throne.exe'
'Gods & Generals.exe'
'Unreal 2 Crack.exe'
'Command & Conquer Generals Crack.exe'
'Gods & Generals Crack.exe'
'The Sims 4.exe'
'The Sims 4 Crack.exe'
'Splinter Cell Crack.exe'
'Raven Shield - Crack.exe'
'Raven Shield Keygenerator - WORKS ONLINE.exe'
'Mortal Kombat - Deadly Alliance.exe'
When Morbex enters the system it copies itself to the Windows directory
using the name 'svchost.exe'. This copy is then added to the registry
to ensure that the worm is started when the computer starts.
The worm drops an SdBot-based trojan to the Windows directory as 'msapi.exe' and
F-Secure Anti-Virus with the latest updates detects both this worm and
the trojan it drops.
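As an added host-triage example (not part of the original F-Secure description), the following Python checks file paths and netstat-style listener lines against the indicators named above: 'svchost.exe' and 'msapi.exe' directly in the Windows directory, the 'services' and 'explorer' directories the worm creates there, and the port 81 web server. The sample paths and netstat line are constructed; the Windows directory defaulting to C:\Windows is an assumption, and the legitimate svchost.exe in System32 is deliberately not flagged.

```python
import re
from pathlib import PureWindowsPath
# Indicators from the description: files dropped directly into the Windows
# directory, the two directories the worm creates there, and its web server port.
WORM_FILES = {"svchost.exe", "msapi.exe"}
WEB_DIR, WEB_FILES = "services", {"index.html", "setup.exe"}
KAZAA_DIR = "explorer"
WORM_HTTP_PORT = 81

def classify_path(path, windir=r"C:\Windows"):
    """Label a path that matches a Morbex drop location, else return None.
    Case-insensitive; the real svchost.exe lives in System32, not flagged here."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    root = [p.lower() for p in PureWindowsPath(windir).parts]  # assumed default
    if parts[:len(root)] != root:
        return None
    rel = parts[len(root):]
    if len(rel) == 1 and rel[0] in WORM_FILES:
        return "worm copy directly in the Windows directory"
    if len(rel) == 2 and rel[0] == WEB_DIR and rel[1] in WEB_FILES:
        return "web server payload in Windows\\services"
    if len(rel) == 2 and rel[0] == KAZAA_DIR and rel[1].endswith(".exe"):
        return "Kazaa bait executable in Windows\\explorer"
    return None

# 'netstat -an' style line: proto, local addr:port, remote addr:port, state.
_LISTEN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.I)

def worm_listeners(netstat_lines):
    """Return the netstat lines that show a TCP listener on the worm's port 81."""
    hits = []
    for line in netstat_lines:
        m = _LISTEN.match(line)
        if m and int(m.group(2)) == WORM_HTTP_PORT:
            hits.append(line.strip())
    return hits

def triage(paths, netstat_lines, windir=r"C:\Windows"):
    """Collect labelled file hits and port-81 listeners into one report."""
    files = {p: classify_path(p, windir) for p in paths}
    return {"files": {p: v for p, v in files.items() if v},
            "listeners": worm_listeners(netstat_lines)}

if __name__ == "__main__":
    # Constructed sample input, not a real capture.
    paths = [r"C:\Windows\svchost.exe", r"C:\Windows\System32\svchost.exe",
             r"C:\Windows\services\setup.exe", r"C:\Windows\explorer.exe",
             r"C:\Windows\explorer\The Sims 4 Crack.exe", r"C:\Windows\msapi.exe"]
    netstat = ["  TCP    0.0.0.0:81    0.0.0.0:0    LISTENING"]
    print(triage(paths, netstat))
```

On a live host, feed it the output of a directory walk of the Windows directory and of `netstat -an`; a hit on the port alone is only a lead, since any service may legitimately use port 81.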
[Analysis: Gergely Erdelyi; F-Secure Corp.; April 16th, 2003]