F-Secure Virus Descriptions : Silver
Silver is a dangerous worm that spreads through the Internet (by e-mail) and
IRC channels, and also infects computers on a local network through shared
drives. The worm itself is a Windows application written in Delphi. It is
about 90 KB long (the worm may also be compressed with a PE EXE compression
tool, in which case the actual file size is smaller than the original).
The worm tries two different methods to send infected e-mails from an infected
computer. First, it looks for the Eudora e-mail client installed in the system.
If it is present, the worm scans Eudora's outgoing-mail database (the OUT.MBX
file), collects e-mail addresses from there and sends messages with a copy of
the worm attached to those addresses. These messages look like this:
Subject: concerning last week ...
Text: Please review the enclosed and get back with me ASAP.
Double click the Icon to open it.
Attach: c:\silver.exe
Then the worm tries to reach whatever e-mail system is installed, regardless
of brand. It uses MAPI functions for this: it connects to the installed e-mail
system, retrieves messages from it, reads the e-mail addresses found in them
and uses those addresses to send its copies. In this case the messages look
like this:
Subject: Re: now this is a nice pic :-)
Text: Thought you might be interested in seeing her
Attach: naked.jpg.exe
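The two message templates above give a mail gateway something concrete to match on. The following is an added example, not code from F-Secure and not part of the worm: a Python filter that parses raw RFC 822 messages and flags the known subjects and attachment names, and more generally the naked.jpg.exe pattern (a harmless-looking inner extension followed by an executable outer one). The sample messages are constructed here; the example.com addresses, the fake MZ payload and the exact indicator lists are assumptions made for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the description: the two message templates and the
# attachment names the worm uses. All matching is case-insensitive.
KNOWN_SUBJECTS = {"concerning last week ...", "re: now this is a nice pic :-)"}
KNOWN_ATTACHMENTS = {"silver.exe", "naked.jpg.exe", "naked.jpg.scr"}
EXEC_EXTS = (".exe", ".scr", ".vxd", ".pif", ".com", ".bat")
# naked.jpg.exe-style names: benign-looking inner extension, executable outer one
DOUBLE_EXT = re.compile(r"\.(?:jpe?g|gif|bmp|txt|doc)\.(?:exe|scr|vxd|pif|com|bat)$", re.I)


def classify(msg):
    """Return the Silver indicators matched by one parsed message (empty list = clean)."""
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        hits.append("known-subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in KNOWN_ATTACHMENTS:
            hits.append("known-attachment:" + name)
        elif DOUBLE_EXT.search(name):
            hits.append("double-extension:" + name)
        elif name.endswith(EXEC_EXTS):
            hits.append("executable-attachment:" + name)
    return hits


def scan_raw(raw_bytes):
    """Parse one RFC 822 message as it would arrive at a gateway and classify it."""
    return classify(email.message_from_bytes(raw_bytes, policy=policy.default))


def build_sample(subject, body, filename):
    # Constructed test message; the attachment is a fake MZ stub, not the worm.
    m = EmailMessage()
    m["From"] = "victim@example.com"
    m["To"] = "friend@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ" + b"\0" * 62, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


SAMPLES = {
    "eudora": build_sample("concerning last week ...",
                           "Please review the enclosed and get back with me ASAP.", "silver.exe"),
    "mapi": build_sample("Re: now this is a nice pic :-)",
                         "Thought you might be interested in seeing her", "naked.jpg.exe"),
    "lookalike": build_sample("holiday snaps", "see attached", "beach.jpg.scr"),
    "clean": build_sample("lunch?", "noon at the usual place", "menu.jpg"),
}


def scan_samples():
    """Classify every constructed sample; returns {label: [indicators]}."""
    return {label: scan_raw(raw) for label, raw in SAMPLES.items()}
```

The double-extension rule is the part worth keeping after this particular worm is gone: the subject lines change from variant to variant, but an attachment whose name ends in a media extension followed by an executable one is almost never legitimate and can be rejected outright at the gateway.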
To affect IRC clients, the worm looks for the C:\MIRC, C:\MIRC32 and
C:\PIRCH98 directories and overwrites the IRC scripts found there with a
script that sends a copy of the worm to every user who enters an IRC channel
in which the infected client is present.
The mIRC script has additional features as well. When a user sends a message
containing the word 'silverrat' to an IRC channel, the script replies to that
user with the message 'I have the Silver Rat virus' (this is how the worm
reports infected computers). If the text 'pyrealrat' appears in a channel, the
script opens the C: drive of the affected machine as a file server, which gives
a remote attacker access to all data on the C: drive.
To infect remote computers on the network, the worm scans all drives from C:
to Z: and looks for a WINDOWS directory on each of them. If one is found, the
worm copies itself there and registers itself in that Windows installation:
it adds its execution string to the auto-run section of the WIN.INI file or to
the Registry, depending on the Windows version (Win9x or WinNT). This means
the worm can infect remote computers whose drives are shared with read/write
access.
To install itself in the system, the worm copies itself under the following
names:
to Windows dir: SILVER.EXE, SILVER.VXD, NAKED.JPG.EXE, NAKED.JPG.SCR
to C: drive root dir: SILVER.EXE
The worm then registers itself in the auto-run keys of the system
registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKU\Software\Microsoft\Windows\CurrentVersion\Run
Each of these keys receives the value:
"Silver Rat" = WinDir\silver.exe
where "WinDir" stands for the Windows directory.
As a result, a copy of the worm is started four times on each Windows
startup. Furthermore, the worm modifies further registry keys so that it
is run even more often (and therefore sends even more infected e-mails).
Windows associates filename extensions with applications through records in
the system registry. Each record names the application that is run to
process files with the given extension. When a file is opened, Windows
takes its extension and looks up in the registry which application handles
files of that type.
The worm abuses this mechanism and modifies more than 100 such registry
keys: it replaces the original reference to the application with a
reference to its own copy (SILVER.VXD). It does this for three keys per
application:
\shell\open\command
\shell\edit\command
\Shell\play\command
The patched registry keys look as follows:
HKCR\AIFFFILE\shell\open\command = "C:\WINDOWS\silver.vxd 33157 "%1" %"
HKCR\AIFFFILE\shell\play\command = "C:\WINDOWS\silver.vxd 53157 "%1" %"
HKCR\ASFFILE\shell\open\command = "C:\WINDOWS\silver.vxd 379157 "%1" %"
where the number in each command line is an ID under which the worm runs the
original host application (see below).
The list of affected applications (registry keys that link a filename
extension to an application) is rather large:
accesshtmlfile iqyfile regedit fonfile
accessthmltemplate IVFfile regfile GatewayFile
AIFFFILE jpegfile SHCmdFile htafile
AllaireTemplate JSFile SoundRec icsfile
anifile ldap tgafile mhtmlfile
artfile mailto txtfile MMS
aspfile mic VBSFile MMST
AudioCD MIDFile wab_auto_file MMSU
aufile money Winamp.File NSM
AVIFile MOVFile WinRAR MSBD
Briefcase MPEGFILE WinRAR.ZIP motiffile
cdafile MPlayer WinZip Msi.Package
Chat mscfile wrifile Msi.Patch
CSSfile msee WSFFile ofc.Document
curfile msgfile x-internet-signup ofx.Document
Drive MSProgramGroup xbmfile pjpegfile
DrWatsonLog Net2PhoneApp xmlfile PNM
Excel.Workspace NetscapeMarkup xnkfile qwb.Document
ftp news xslfile rtsp
giffile nntp m3ufile scpfile
helpfile Notes.Link ASFFile scriptletfile
hlpfile ossfile ASXFile SSM
htfile outlook BeHostFile ThemeFile
htmlfile PBrush ChannelFile TIFImage.Document
http pcxfile chm.file ttffile
https pngfile CMCD WangImage.Document
icofile powerpointhtmlfile Connection Manager Profile Whiteboard
icquser ramfile eybfile WIFImage.Document
inifile RealMedia File fndfile WSHFile
The worm stores the original keys in another registry key:
HKLM\Software\Silver Rat
This key holds a list of all the keys that were replaced as shown above.
The worm uses this list to run the original application: it takes the
application name and command line from this "backup" list and spawns it.
This way of modifying the system registry is very dangerous. If the worm's
copy is simply removed from the system, Windows can no longer pass files to
the applications listed above, and the system is left largely
non-functional. Whenever a file of one of the affected types is opened,
Windows reports an error saying that the associated SILVER.VXD cannot be
found.
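Getting the order of cleanup right is the whole point of this section: the associations have to be put back before SILVER.VXD is deleted. The following is an added example, not F-Secure's code and not part of the worm: a Python script that parses a .reg export, finds the worm's auto-run values and the hijacked ProgID command keys, pairs each hijacked key with the original command kept in HKLM\Software\Silver Rat, and renders a .reg file that restores those associations and deletes the Run values. The sample export is constructed. The layout assumed for the backup key (one value per hijacked subkey, named after the subkey relative to HKCR and holding the original command line) is an assumption, since the description does not document it; a hijacked key with no backup entry is reported as unrecoverable rather than guessed.

```python
import re

# Constructed sample .reg export (REGEDIT version-5 syntax) imitating a machine
# after Silver ran: two auto-run values, two hijacked ProgID command keys, one
# untouched ProgID, and the worm's own backup key. Not a real export.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Silver Rat"="C:\\WINDOWS\\silver.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Silver Rat"="C:\\WINDOWS\\silver.exe"

[HKEY_CLASSES_ROOT\AIFFFILE\shell\open\command]
@="C:\\WINDOWS\\silver.vxd 33157 \"%1\""

[HKEY_CLASSES_ROOT\AIFFFILE\shell\play\command]
@="C:\\WINDOWS\\silver.vxd 53157 \"%1\""

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\Software\Silver Rat]
"AIFFFILE\\shell\\open\\command"="C:\\WINDOWS\\MPLAYER.EXE \"%1\""
'''

VALUE_LINE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')   # "name"=data or @=data
QUOTED = re.compile(r'^"((?:[^"\\]|\\.)*)"$')                  # quoted string data
RUN_SUFFIXES = (r"\software\microsoft\windows\currentversion\run",
                r"\software\microsoft\windows\currentversion\runservices")
COMMAND_KEY = re.compile(r"^HKEY_CLASSES_ROOT\\(.+)\\shell\\(open|edit|play)\\command$", re.I)
BACKUP_KEY = r"HKEY_LOCAL_MACHINE\Software\Silver Rat"   # assumed backup location/layout


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)          # .reg escapes backslash and quote with \

def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; '@' is the default value."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        q = QUOTED.match(m.group(2))
        reg[current][name] = _unescape(q.group(1)) if q else m.group(2)   # dword:/hex: kept raw
    return reg

def find_run_entries(reg):
    """Auto-run values that start the worm; matched by key suffix so HKU subkeys count too."""
    hits = []
    for key, values in reg.items():
        if key.lower().endswith(RUN_SUFFIXES):
            for name, data in values.items():
                if name.lower() == "silver rat" or "silver.exe" in data.lower():
                    hits.append((key, name, data))
    return hits

def find_hijacked_commands(reg):
    """ProgID shell/open|edit|play/command keys whose default value runs silver.vxd."""
    return {key: vals.get("@", "") for key, vals in reg.items()
            if COMMAND_KEY.match(key) and "silver.vxd" in vals.get("@", "").lower()}

def restore_plan(reg):
    """Map each hijacked key to the original command kept in the worm's backup key.
    Assumed backup layout (not documented in the description): value name = hijacked
    subkey relative to HKCR, value data = original command line."""
    backup = next((v for k, v in reg.items() if k.lower() == BACKUP_KEY.lower()), {})
    backup = {name.lower(): data for name, data in backup.items()}
    plan = {"restore": {}, "unrecoverable": []}
    for key in find_hijacked_commands(reg):
        original = backup.get(key.split("\\", 1)[1].lower())
        if original is None:
            plan["unrecoverable"].append(key)   # no backup value: must be repaired by hand
        else:
            plan["restore"][key] = original
    return plan

def cleanup_reg(reg):
    """Render a .reg file that restores the recoverable associations and deletes the
    worm's Run values. Import it BEFORE deleting silver.vxd, otherwise every affected
    file type stops opening."""
    plan = restore_plan(reg)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, cmd in sorted(plan["restore"].items()):
        out += ["[%s]" % key, '@="%s"' % _escape(cmd), ""]
    for key, name, _ in find_run_entries(reg):
        out += ["[%s]" % key, '"%s"=-' % _escape(name), ""]   # "name"=- deletes a value
    return "\n".join(out)
```

Usage: export HKCR, HKLM\Software\Silver Rat and the Run keys with regedit, run `cleanup_reg(parse_reg(open("export.reg").read()))`, review the result and the unrecoverable list, import it, and only then delete the SILVER.* files. Anything listed as unrecoverable (in the sample, the AIFFFILE play verb, which has no backup value) has to be restored by hand or by reinstalling the owning application.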
The worm pays special attention to the system's registry backup files and
gets rid of them, so that the registry cannot be restored from backup. It
first corrupts each file by overwriting its first 5 KB with garbage data and
then deletes it. The files concerned are:
USER.DA0 and SYSTEM.DA0 in Windows directory
SYSTEM.1ST in root directory of C: drive
The worm has a payload routine that runs when it is "uninstalled". It
creates an uninstall key in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Silver Rat
DisplayName = "Silver Rat Virus"
UninstallString = "c:\silver.exe /uninstall"
As a result, the worm appears in the Control Panel / Add/Remove Programs
window as "Silver Rat Virus". If the "Remove" button is pressed, the worm
displays the message box:
Blood
"I have to return some videos" - American Psycho
and fills the title bar of the Recycle Bin window with garbage.
The worm looks for running anti-virus applications and terminates them,
identifying them by the following names:
AVP Monitor
Norton AntiVirus Auto-Protect
Norton AntiVirus v5.0
VShieldWin_Class
NAI_VS_STAT
McAfee VirusScan Scheduler
ZoneAlarm
WRQ NAMApp Class
It also looks for anti-virus files (databases and drivers) and deletes them:
*.AVC (AVP)
*.DAT (NAI)
BAVAP.VXD, NAVKRNLN.VXD (NAV)
The worm also tries to infect VBS files, but fails because of a bug in its
code.
[Analysis: Eugene Kaspersky, KL]