F-Secure Virus Descriptions : Nymph
Nymph is a mass-mailer with backdoor capabilities created by the
ASM/iKX group. It is one of the first worms that uses a
webserver's search engine to find victims' e-mail addresses. The
worm is disguised as an 'E-fortune cookie generator'. This worm
is a variant of the W32/Roach worm, and it has a few serious bugs
that prevent it from working, even for a short while, on an
infected system. The worm itself is a Windows PE EXE file about
29 KB long. The code of the worm is encrypted with a simple XOR
encryption loop.
When started, the worm first gets the API addresses of certain
functions from KERNEL32.DLL, WSOCK32.DLL, WININET.DLL,
USER32.DLL, MPR.DLL, ADVAPI32.DLL, IMAGEHLP.DLL and SETUPAPI.DLL.
Many of these functions are not used in this worm version, but
might be used in the future. Then the worm would get the ability
to spread in Windows networks, infect files, intercept the
starting of EXE files, use multiple IRC servers and so on.
First the worm checks from which file it is started. If the file
name ends with 'okie' (cookie.exe), the worm generates a random
number and shows a message box with the text that corresponds to
this number (see the cookie texts below). This is done to
disguise the worm's installation on a system. If the worm is
started from a file whose name ends in 'om32' (dccom32.exe), the
worm sets a flag that it is already installed and doesn't show
any message boxes.
The worm then goes to the \Windows\System\ directory and drops a
short ZIP archive from inside its body as EGGCASE.ATT. This
archive contains only a FILE_ID.DIZ file with the following text:
FortuneCookie 32 - Version 1.0
* FREEWARE *
DESCRIPTION:
============
FortuneCookie 32 is a Windows 32 version of the classical
fortune cookies you can get at some restaurants. It's very
simple double clicking on the cookie.exe file will bring up a
fortune cookie.
This program is freeware so feel free to send out a word of
wisdom to your friends!
If the worm fails to drop this archive into the \Windows\System\
directory, it tries to drop it into the temporary folder. After
that the worm looks for EGGCASE*.ATT files and immediately finds
the EGGCASE.ATT file it has just dropped. The worm then copies
its file as DCCOM32.EXE into the Temp and \Windows\System\
folders and creates a startup key named 'dcomdriver' for one of
the dropped files in the default Run key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
Then the worm adds its file as COOKIE.EXE to the ZIP archive
(eggcase.att) that it previously dropped. The worm does not use
any ZIP utility; it just appends its file 'as is' to the end of
the archive, then corrects and adds the data necessary to make
the archive valid. This archive will be used by the worm as an
attachment to infected messages.
After that the worm waits for some time and then checks the
Internet connection state. If there's no connection, the worm
waits and tries again. If a valid connection is found, the worm
creates 2 additional threads and puts its main thread into an
infinite wait loop. The first thread is the worm's spreading
thread; the second thread is a backdoor thread that uses IRC.
When thread 1 is started it waits for some time, checks the
Internet connection state and, if a valid connection is found,
creates 3 sockets and resolves the host names of 'pop.hotpop.com',
'diemen.nl.eu.undernet.org' (an IRC server; there's one more
server name in the worm's body, but it's never used) and
'wwp.icq.com' (ICQ Personal Communication Center). The worm then
reads settings from the Microsoft Internet Account Manager or, if
that is not available, from the Outlook OMI Account Manager. It
gets information about the default account and tries to connect
to the user's SMTP server. If the server is not available, the
worm tries to use the 'mail.hotmail.com' server. If the user's
SMTP server is accessible, the worm still changes it to
'smtp.hotpop.com' and then changes the user's e-mail address to
'fearandwonder@hotpop.com'. These changes are in effect only
while the worm is active, as it doesn't modify these settings in
the Registry.
Then the worm gets the Windows registered user name from the
Registry. If there's no user name there, the worm generates a
random number and selects the name corresponding to this number
from its internal table:
dark
evil
lost
cool
kewl
fool
hack
dead
head
bozz
This name will be used in the 'From:' field of the infected
e-mail that the worm sends out. Then the worm generates 3 more
random numbers and fills in a search form that will be used to
search for e-mail addresses on a webserver. The form looks like
this:
POST /scripts/srch.dll HTTP/1.1
User-Agent: Mozilla/4.73 (Windows 95; U) Opera 4.02 [en]
Host: wwp.icq.com
Accept: text/html, image/png, image/jpeg, image/gif,
image/x-xbitmap, image/vnd.wap.wbmp;level=0, */*
Accept-Language: en
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://www.icq.com/whitepages/search.html
Connection: Keep-Alive
Content-type: application/x-www-form-urlencoded
Content-length: 212
FirstName=&LastName=&NickName=&Email=&AgeRange=0-0&Gender=0&Lang=12
&City=&State=&Country=0&Occupation=0&Dept=&Company=&PastInfo=0
&PastInfoText=&Interest=0&InterestText=&SubInterest=&Group=0
&GroupText=&SEND=Search
Finally the worm connects to the webserver and sends the form
there. When it gets a reply it looks for an e-mail address and
then sends an infected e-mail to that address. The worm uses
Microsoft's anonymous SMTP server to send e-mails. The worm
randomly composes the sender's name from 2 tables and adds
'@hotmail.com' at the end. The first table is shown above; the
second table is:
trooper
travler
nemonic
_maniac
_master
_avatar
_jesuzz
riddler
_satan_
lucifer
The subject line of an infected e-mail is 'Subject: Fw:' followed
by one of the randomly selected cookie texts (see the table
below). The recipient info is 'To: <removed>'. The worm uses the
EGGCASE.ATT archive (with FILE_ID.DIZ and its file COOKIE.EXE) as
an attachment. The attachment name is FORTUNE.ZIP and it is sent
MIME-encoded. The worm also sends a second attachment, a copy of
its own body as a SETUP.EXE file, hoping that the user will run
at least one of the attachments. The message body is in HTML
format and looks like this (black text on a bright blue
background):
SMACK!!!
You have been hit
This is the funny-attachment war! You have just been hit and by
the rule book you can't hit this person back. To be in the game
you need to send this message to five of your friends, try to
find some small and funny attachment to send along. If you don't
have time use the one you got hit by, go ahead hit someone!
At the end of the infected e-mail there is the text '--nymph--'.
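As an added example (not F-Secure's code and not the worm's) covering both the EGGCASE.ATT/FORTUNE.ZIP attachment and the message layout described above, this Python script flags a raw e-mail that carries the documented Nymph indicators. The sample message is constructed, and the sender-address pattern assumes (the page does not state it) that one word from each name table is simply concatenated.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the description: attachment names and body/trailer markers.
ATTACHMENT_NAMES = {"fortune.zip", "setup.exe"}
BODY_MARKERS = ("SMACK!!!", "You have been hit", "funny-attachment war", "--nymph--")
# Sender address: assumed (not stated on the page) to be one word from each table, joined.
SENDER_RE = re.compile(
    r"^(dark|evil|lost|cool|kewl|fool|hack|dead|head|bozz)"
    r"(trooper|travler|nemonic|_maniac|_master|_avatar|_jesuzz|riddler|_satan_|lucifer)"
    r"@hotmail\.com$", re.I)

def nymph_indicators(raw: bytes) -> list:
    """Return the Nymph indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).startswith("Fw:"):
        hits.append("subject:Fw:")
    if SENDER_RE.match(parseaddr(str(msg.get("From", "")))[1]):
        hits.append("sender-pattern")
    text = ""
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENT_NAMES:
            hits.append("attachment:" + name)
            # SETUP.EXE is the worm body itself, so it starts with the PE 'MZ' header.
            if (part.get_payload(decode=True) or b"").startswith(b"MZ"):
                hits.append("pe-attachment:" + name)
        elif part.get_content_type() in ("text/html", "text/plain"):
            text += part.get_content()
    hits.extend("body:" + m for m in BODY_MARKERS if m in text)
    return hits

def build_sample() -> bytes:
    """Constructed sample laid out as the description states; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "dark_maniac@hotmail.com"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Fw: Happiness can't buy money."
    msg.set_content("<html><body bgcolor='#0000FF'>SMACK!!!<br>You have been hit<br>"
                    "This is the funny-attachment war! ...<br>--nymph--</body></html>",
                    subtype="html")
    msg.add_attachment(b"PK\x03\x04constructed-zip", maintype="application",
                       subtype="zip", filename="FORTUNE.ZIP")
    msg.add_attachment(b"MZconstructed-pe-stub", maintype="application",
                       subtype="octet-stream", filename="SETUP.EXE")
    return msg.as_bytes()
```

A mail gateway rule built from these checks should weight the combination (Fw: subject, FORTUNE.ZIP plus SETUP.EXE, the '--nymph--' trailer) rather than any single hit, since the subject prefix alone is common.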
When thread 2 is started, it generates a nick from 'nymph' plus a
random 4-digit number ('nymph1234' for example), connects to the
'diemen.nl.eu.undernet.org' IRC server and sets invisible mode
for the user with the generated nick. Then the worm joins the
#nymph channel and sends a private message:
[I-Worm-Nymph v.1.1] by Asm/iKX
Then the worm enters a loop that handles incoming IRC messages.
The worm responds to 'PING', 'JOIN', 'INVI', 'PRIV' and '319'
messages. The worm can join a channel when instructed by join and
invitation commands, and enters a private chat session on a PRIV
command. In the private chat session the worm has backdoor
capabilities. It responds to 3 messages: 'msgx' - quit, 'msgi' -
get information about the worm version, and 'msgu' - upload and
run a file. When the 'msgu' message is received, the worm creates
an additional thread that downloads and runs the specified file
on the infected computer. The file is downloaded under a random
name into the Temp folder and is then activated by the worm.
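As an added example (not F-Secure's code and not the worm's), the following Python scanner picks the backdoor behaviour described above out of an IRC session: the nymph#### nick, invisible mode, the #nymph join, the version banner, and the three private-message commands. The session lines are constructed, with a 'C>'/'S<' prefix marking direction; the banner target and the command sender are assumptions.

```python
import re

NICK_RE = re.compile(r"^NICK\s+(nymph\d{4})\s*$", re.I)
JOIN_RE = re.compile(r"^JOIN\s+#nymph\s*$", re.I)
BANNER = "[I-Worm-Nymph v.1.1] by Asm/iKX"
# Incoming PRIVMSG addressed to the worm's nick carrying one of its backdoor commands.
CMD_RE = re.compile(r"^:\S+\s+PRIVMSG\s+(\S+)\s+:(msgx|msgi|msgu)\b", re.I)
# What each finding implies for the host: msgu means a file was fetched and run.
SEVERITY = {"backdoor-cmd:msgu": 3, "backdoor-cmd:msgi": 2, "backdoor-cmd:msgx": 2,
            "banner": 2, "join:#nymph": 1, "invisible-mode": 1}

def scan_irc_session(lines):
    """Scan one session; lines are 'C> ...' (client sent) or 'S< ...' (server sent).

    Returns (worm_nick, findings, severity) with severity in 0..3."""
    nick, findings = None, []
    for raw in lines:
        direction, _, line = raw.strip().partition(" ")
        if direction == "C>":
            m = NICK_RE.match(line)
            if m:
                nick = m.group(1)
                findings.append("nick-pattern:" + nick)
            elif nick and re.match(rf"^MODE\s+{re.escape(nick)}\s+\+i", line, re.I):
                findings.append("invisible-mode")
            elif JOIN_RE.match(line):
                findings.append("join:#nymph")
            elif BANNER in line:
                findings.append("banner")
        elif direction == "S<" and nick:
            # Only commands sent to the worm's own nick count as backdoor traffic.
            m = CMD_RE.match(line)
            if m and m.group(1).lower() == nick.lower():
                findings.append("backdoor-cmd:" + m.group(2).lower())
    severity = max((SEVERITY.get(f, 1) for f in findings), default=0)
    return nick, findings, severity

# Constructed session (not a capture); the operator host is a placeholder.
SAMPLE_SESSION = [
    "C> NICK nymph4821",
    "C> MODE nymph4821 +i",
    "C> JOIN #nymph",
    "C> PRIVMSG #nymph :[I-Worm-Nymph v.1.1] by Asm/iKX",
    "S< :operator!op@host.invalid PRIVMSG nymph4821 :msgi",
    "S< :operator!op@host.invalid PRIVMSG nymph4821 :msgu",
    "S< PING :diemen.nl.eu.undernet.org",
    "C> PONG :diemen.nl.eu.undernet.org",
]
```

A severity of 3 from a host's IRC traffic means a 'msgu' command reached the backdoor, so the Temp folder should be checked for a recently created executable under a random name, in addition to DCCOM32.EXE and the 'dcomdriver' Run value.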
The worm has the following cookie texts:
it is predictable, but I wouldn't like to predict it myself. - C. Lawson
100,000 lemmings can't be wrong.
A friend in need is a pain in the ass.
A man is as old as he feels. But never as important.
A man is as old as the woman he feels.
Always be sincere - Even when you don't mean it.
Always tell her she's pretty, especially when she isn't.
Anyone who can see through a woman is missing a lot.
Avoid life - It'll kill you in the end.
Do to the other fellow as he would do unto you. But for God's
sake do it first!
Experience, the name given by men to their mistakes.
Get stoned - Drink liquid cement.
Happiness can't buy money.
If a woman wants to learn to drive, don't stand in her way.
Join the army, travel the world, meet interesting people and shoot them.
Just because you're paranoid it doesn't mean they aren't out to get you.
Life is a sexually transmitted disease.
Love Thy Neighbour - But don't get caught.
Money can't buy friends but it can buy a better class of enemy.
- Spike Milligan.
Never put off till tomorrow what you can avoid altogether.
Racial prejudice is a pigment of the imagination
Smoking - think of it as evolution in action.
Sudden prayers make God jump.
When faced with two evils I like to do the one I've never tried
before. - Mae West
Live fast, Die young, Leave a good looking corpse.
A Wise Man can see more from the bottom of a well than a Fool
can see from the top of a mountain.
Walk softly but carry a big stick.
TO DO IS TO BE - Socrates%TO BE IS TO DO - Sartre%DO BE DO BE DO - Sinatra
It is better to keep your mouth closed and let people think you
are a fool than to open it and remove all doubt. - Samual
Clemmens
What you can not avoid, Welcome.
If you can't tie good knots... tie many.
Anything free is worth what you pay for it.
Two wrongs do not make a right; it usually takes three or more.
The worm also has the following text strings that are never
displayed:
[I-Worm.Nymph@MM v.1.1] by Asmodeus iKX
creech, creech... we will infest.
Info - this is a stripped version of W32/Roach,
it will pave way for its larger cousin.
Greets : Lifewire/iKX, BillyBel/iKX, StarZero/iKX
SimpelSimon, Ultras, Vecna, T-2000, and the rest
of the ikx family
[Analysis: Alexey Podrezov, F-Secure Corp., July 2001]