F-Secure Virus Descriptions : Spester
At the time of writing of this description, F-Secure has received
no reports about this worm from the field.
Spester consists of three parts: a binary dropper, a Visual Basic
Script worm and an IRC worm.
Binary dropper
The binary dropper of the worm usually arrives in a ZIP archive
attached to an e-mail message. The archive is named SPDTEST.ZIP
and contains the file SPDTEST.EXE, the dropper itself. When a user
extracts and runs the EXE file, the system becomes infected.
The binary component of the Spester worm is an EXE file 19968 bytes
long. When packed into a ZIP archive for spreading it is less
than 9350 bytes long. The worm's executable file is disguised as
a joke program. When run, it shows a dialog box with a single
button and asks the user to click it. When the user moves the cursor
close to the button, the button moves away and the text on it changes.
The text on the button can be any of the following:
If you're really fast try to click me
You must do it faster. Try again!
Oh, come on! You can't be so slow!
I think, you should change your mouse.
I don't have whole day! Click me right now!
My grandma is faster than you. You suck!
Click this button or I'll format your hard disk.
Nobody's perfect but you're a totally loser!
Hit me baby one more time.
After this the binary part of the worm displays a big button with
the following text:
OK. I'll help you. Look I'm big now. Click me !!!
When the user clicks the big button, the worm shows a message box:
You made it, at last! But you were too slow. I will format your hard disk. Sorry.
It then simulates formatting the hard disk. After some time the
worm shows another message box:
Relax. I was only kidding!
While the user is occupied with the joke part of the worm, it drops
several files onto the system. The worm drops SCRIPT.INI and a
packed copy of itself as SPDTEST.ZIP into the C:\Mirc\ folder. The
SCRIPT.INI file contains commands that send the worm's ZIP
archive to every user joining an IRC channel that the infected user
is in.
The worm also drops a packed copy of itself as SPDTEST.ZIP and a
VBS script named ONECLOCK.VBS into the c:\Program Files\Internet
Explorer\ folder. The worm then creates a key in the Registry that
runs the VBS file on the next Windows startup.
Visual Basic Script worm
When executed, the script first checks for the file ONE.DAT in the
"c:\Program Files\Common Files\" folder; if it does not exist,
the script runs its spreading routine. It then creates an empty
file with this name (used later as an infection marker) and runs
its payload.
The spreading routine uses the Outlook application to send messages
to all addresses listed in the Outlook address book. These messages
look as follows:
Subject: game: Speed tester v. 1.0 - check your mouse skills
Body: Hello,
How good are your mouse movement skills? Wanna test it? If
yes try game Speed tester v.1.0. (you have it in attachment).
It's really funny.
Software requirements:
- Windows operating system
- Java Virtual Machine
regards
As the attachment the script uses the SPDTEST.ZIP file from the
"C:\Program Files\Internet Explorer" folder if it is present. If
not, the script attaches only itself.
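The dropped-file paths and the mail lure described above can be turned into a simple indicator check. The following is an added example and not F-Secure's own detection logic: it matches a constructed file listing against the paths named in this description and scores mail messages by how many lure traits (subject, body wording, attachment) they carry. Case-insensitive path comparison and treating any .vbs attachment as the "attaches itself" case are assumptions made here; the description does not name the attached script.

```python
"""Indicator checks derived from the Spester description: dropped-file
paths and the Outlook lure. Added example, not F-Secure's detection code."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Paths written by the dropper and the VBS component, per the description.
# Keys are lower-case because Windows paths are case-insensitive (the
# normalisation is our choice, not something the description states).
SPESTER_PATHS: Dict[str, str] = {
    r"c:\mirc\script.ini": "mIRC script that sends SPDTEST.ZIP to channel joiners",
    r"c:\mirc\spdtest.zip": "packed dropper staged for IRC spreading",
    r"c:\program files\internet explorer\spdtest.zip": "packed dropper staged for mailing",
    r"c:\program files\internet explorer\oneclock.vbs": "VBS worm component run at startup",
    r"c:\program files\common files\one.dat": "empty infection marker of the VBS worm",
}


def scan_paths(listing: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, meaning) for each listed path that matches an indicator."""
    hits = []
    for raw in listing:
        key = raw.strip().lower()
        if key in SPESTER_PATHS:
            hits.append((raw, SPESTER_PATHS[key]))
    return hits


def _squash(text: str) -> str:
    """Lower-case and drop whitespace so 'v. 1.0' and 'v.1.0' compare equal."""
    return re.sub(r"\s+", "", text.lower())


# Lure text exactly as quoted in the description, normalised for comparison.
LURE_SUBJECT = _squash("game: Speed tester v. 1.0 - check your mouse skills")
LURE_BODY = _squash("Speed tester v.1.0")


@dataclass
class Mail:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def lure_score(msg: Mail) -> int:
    """Count lure traits (0-3): exact subject, body mention, lure attachment.

    An attachment counts if it is SPDTEST.ZIP or, for the 'attaches itself'
    case, any .vbs file (assumption: the description does not name it).
    """
    score = 0
    if _squash(msg.subject) == LURE_SUBJECT:
        score += 1
    if LURE_BODY in _squash(msg.body):
        score += 1
    if any(a.lower() == "spdtest.zip" or a.lower().endswith(".vbs")
           for a in msg.attachments):
        score += 1
    return score


# Constructed sample data so the example runs stand-alone.
SAMPLE_LISTING = [
    r"C:\Windows\notepad.exe",
    r"C:\mIRC\mirc.exe",
    r"C:\mIRC\script.ini",
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Program Files\Internet Explorer\ONECLOCK.VBS",
    r"C:\Program Files\Common Files\ONE.DAT",
]
SAMPLE_MAILS = [
    Mail("game: Speed tester v. 1.0 - check your mouse skills",
         "Hello,\nHow good are your mouse movement skills? Wanna test it? "
         "If yes try game Speed tester v.1.0. (you have it in attachment).",
         ["SPDTEST.ZIP"]),
    Mail("Q1 figures", "Attached is the spreadsheet.", ["figures.zip"]),
    Mail("Re: speed tester", "try game Speed tester v.1.0", []),
]

if __name__ == "__main__":
    for path, meaning in scan_paths(SAMPLE_LISTING):
        print(f"{path}: {meaning}")
    for m in SAMPLE_MAILS:
        print(lure_score(m), repr(m.subject))
```

A bare C:\Mirc\SCRIPT.INI is a weak indicator on its own, since any mIRC user may have one; the other four paths, and especially ONE.DAT alongside ONECLOCK.VBS, are what distinguish this worm. The mail score is likewise meant for triage, not as a sole block rule.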
The payload in the script part of the worm activates on 25th,
10th, 31st, 9th and 12th of each month.
When the day is the 25th it runs the spreading routine. On the 10th of
each month it shows the following message box:
Tip Of The Day: You look really beautiful today.
On the 9th and 12th the worm shows another message box:
Happy Birthday!!!
When the day is the 31st it runs another routine which creates 3
types of directories in the root of the C: drive:
51 directories with the following names:
1o
1oo
1ooo
...and so on.
91 directories with the following names:
2n
2nn
2nnn
...and so on.
and 131 directories with the following names:
3e
3ee
3eee
...and so on.
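The date triggers and the directory litter left by the 31st-of-month routine can be written down as a small model that a forensic triage script can use. This is an added example, not code from the worm or from F-Secure: it maps a date to the action the description lists for it and counts entries of a constructed C:\ root listing that follow the 1o/2n/3e naming pattern. That the Nth directory of each family carries N repeated letters is an assumption; the description only gives the first three names and the counts.

```python
"""Model of Spester's date-triggered VBS payload and a check for the
directories its 31st-of-month routine creates. Added example."""
import calendar
import re
from datetime import date
from typing import List, Optional

# Trigger days and actions, exactly as the description lists them.
TRIGGERS = {
    25: "run spreading routine",
    10: 'message box: "Tip Of The Day: You look really beautiful today."',
    9: 'message box: "Happy Birthday!!!"',
    12: 'message box: "Happy Birthday!!!"',
    31: "create 51 + 91 + 131 directories in the root of C:",
}


def payload_for(d: date) -> Optional[str]:
    """Return the action the VBS payload takes on the given date, or None."""
    return TRIGGERS.get(d.day)


def days_with_payload(year: int, month: int) -> List[int]:
    """Trigger days that actually occur in the given month (no 31st in short months)."""
    last_day = calendar.monthrange(year, month)[1]
    return sorted(d for d in TRIGGERS if d <= last_day)


# Directory families as (prefix, repeated letter, count): 1o, 1oo, 1ooo ...
# (51 names), 2n ... (91), 3e ... (131). Assumption: the k-th name has k letters.
DIR_FAMILIES = (("1", "o", 51), ("2", "n", 91), ("3", "e", 131))


def expected_payload_dirs() -> List[str]:
    """All directory names the 31st routine is assumed to create."""
    return [prefix + letter * k
            for prefix, letter, count in DIR_FAMILIES
            for k in range(1, count + 1)]


# A prefix pairs with one letter only, so "2no" or "10" must not match.
_PAYLOAD_DIR_RE = re.compile(r"^(?:1o+|2n+|3e+)$")


def count_payload_dirs(root_entries: List[str]) -> int:
    """Count entries of a C:\\ root listing that match the payload naming pattern."""
    return sum(1 for name in root_entries if _PAYLOAD_DIR_RE.match(name))


# Constructed root listing: normal folders plus a few payload-style names.
SAMPLE_ROOT = ["Windows", "Program Files", "Mirc", "1o", "1oo", "2nnn",
               "3e", "3eee", "10", "2no"]

if __name__ == "__main__":
    print(payload_for(date(2002, 1, 31)))
    print(days_with_payload(2002, 2))
    print(len(expected_payload_dirs()), "expected names;",
          count_payload_dirs(SAMPLE_ROOT), "found in sample root")
```

Because the VBS component runs at every startup, a machine first infected on any day will still reach these triggers later; the ONE.DAT marker only stops the spreading routine from repeating, not the payload.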
F-Secure Anti-Virus detects the Spester worm with the current
database updates.
[Analysis: Katrin Tocheva and Alexey Podrezov, F-Secure Corp.; January 16th, 2002]