We received reports about a new worm that spreads itself from a website located in the USA on March 24th, 2004. The worm sends messages with a link to an HTML page that runs a script dropper, that in its turn drops the worm's binary file to a user's computer.
Disinfection & Removal
Snapper is a multi-component e-mail worm. It consists of an HTML page, a script dropper and a DLL file that is installed on a user's computer.
The worm's distribution cycle starts from an e-mail. The e-mail contains a link to the "banner.htm" webpage on a webserver in the USA. This link can be automatically activated on certain e-mail clients because the worm uses the Iframe exploit in its e-mail message. So the worm doesn't send itself as an attachment, it sends a link with an exploit.
When the link is activated, the worm connects to the web site and executes the script. The script determines the version version of Internet Explorer. For versions 5.0, 5.5 and 6.0, the worm uses the Object data Remove Execution (MS03-032) vulnerability to run another script written with Visual Basic Script, "htmlhelp.cgi", from the same web site. This VBS script then drops the binary part as "Ieload.dll" to the Windows installation directory and executes it.
Further information about the vulnerability is available from Microsoft:
The binary part of the worm is a Windows DLL file 8704 bytes long. The DLL has 2 functions: InstallDLL and MessageHandler that does the e-mail spreading.
The script dropper activates the InstallDLL function and then deletes the DLL file from Windows folder. When the DLL is activated, it copies itself as IELOAD.DLL to Windows System folder and registers itself as a Browser Helper Object. The worm creates a unique class ID under the following Registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
That class ID points to IELOAD.DLL file that is located in Windows System folder.
After that the worm opens a connection to a website (different from the one that has the BANNER.HTM and worm's DLL) and reports that it has been installed and sends country info there.
Then the worm gets user's SMTP information (account, e-mail, user name) from the Registry, opens users Windows Address Book file, reads it and send e-mails to all found e-mail addreses.
The e-mail sent by the worm has 'Re:' as a subject and the body contains Iframe exploit and the link to BANNER.HTM file that is located on a website in the USA. When that e-mail is opened on a recipient's system, IFrame exploit allows the link to automatically activate and a recipient's computer gets infected. However, only certain e-mail clients are affected by this exploit.
When the DLL gets loaded next time, it does the following:
1. Creates/updates the following key values in the Registry:
[HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings] "TimerTicks" "PopupsLoaded"
2. Starts the MessageHandler routine.
When the MessageHandler routine is started, the worm goes to the website located in the USA (different from the one that has the BANNER.HTM and worm's DLL) and reports country again. Then it waits for a reply from the site. If the reply is 'WAIT', then the worm tries to reconnect again later. If the reply is 'URL=', then the worm opens Internet Explorer and goes to the URL, received from the website.
The worm has a payload. It kills the following processes:
NAVAPW32.EXE CCAPP.EXE OUTPOST.EXE SPIDERML.EXE
This payload only works during the worm's installation process.
Please note that F-Secure Anti-Virus does not detect neither "Ieload.dll" nor "htmlhelp.cgi" with the default on-access scanner extension list, unless "cgi" and "dll" are added to the list manually.
All files are scanned by default settings of on-demand scan.
Detection for this malware was published on March 24th, 2004 in the following F-Secure
Detection Type: PC
Description Created: Alexey Podrezov, March 24th, 2004
Technical Details: Katrin Tocheva, Sami Rautiainen, Alexey Podrezov, March 24th, 2004
Description Last Modified: Alexey Podrezov, March 25th, 2004