At the time of writing of this description, F-Secure has received no reports about this worm from the field.Spester consists of tree parts: a binary dropper, a Visual Basic Script worm and an IRC worm.
Disinfection & Removal
The binary dropper of the worm usually arrives in a ZIP archive attached to an e-mail message. The archive name is SPDTEST.ZIP and it contains SPDTEST.EXE file, the dropper itself. When a user extracts and runs the EXE file, a system becomes infected.The binary component of Spester worm is an EXE file 19968 bytes long. When packed into a ZIP archive for spreading it is less than 9350 bytes long. The worm's executable file is disguised as a joke program. When it's run it shows a dialog box with a single button and asks a user to click it. When a user moves a cursor close to a button, it moves away and the text on it changes. Text strings on the button can be the following:
If you're really fast try to click me You must do it faster. Try again! Oh, come on! You can't be so slow! I think, you should change your mouse. I don't have whole day! Click me right now! My grandma is faster than you. You suck! Click this button or I'll format your hard disk. Nobody's perfect but you're a totally loser! Hit me baby one more time.
After this the binary part of the worm displays a big button with the following text:
OK. I'll help you. Look I'm big now. Click me !!!
When a user clicks on a big button, the worm shows a messagebox:
You made it, at last! But you were too slow. I will format your hard disk. Sorry.
And then it starts to simulate hard disk formatting. But after some time the worm shows another messagebox:
Relax. I was only kidding!
While a user is busy with a joke part of the worm, it drops several files to a user's system. The worm drops SCRIPT.INI and a packed copy of itself as SPDTEST.ZIP into C:\Mirc\ folder. The SCRIPT.INI file contains commands that will send the worm's ZIP archive to all users joining an IRC channel that an infected user occupies.The worm also drops a packed copy of itself as SPDTEST.ZIP and a VBS script named ONECLOCK.VBS into c:\Program Files\Internet Explorer\ folders. The worm then creates a special key in the Registry that will run the VBS file on next Windows startup.Visual basic Script worm When executed the script first checks for a file ONE.DAT in "c:\Program Files\Common Files\" folder and if it does not exist it runs its spreading routine. Then it creates an empty file with this name (to use it later as an infection marker) and runs its payload.The spreading routine uses Outlook application and sends messages to all address listed in Outlook address book. These messages look as follows:
Subject: game: Speed tester v. 1.0 - check your mouse skills Body: Hello, How good are your mouse movement skills? Wanna test it? If yes try game Speed tester v.1.0. (you have it in attachment). It's really funny. Software requirements: - Windows operating system - Java Virtual Machine regards
As an attachment the script uses SPDTEST.ZIP file from "C:\Program Files\Internet Explorer" folder if it is present. If not the script attaches itself only.The payload in the script part of the worm activates on 25th, 10th, 31st, 9th and 12th of each month.When the day is 25th it runs the spreading routine. On 10th of each month it shows the following message box:
Tip Of The Day: You look really beautiful today.
On 9th and 12th the virus shows another message box:
When the day is 31st it runs another routine which creates in the root of C: drive 3 types of directories: 51 directories with the following names:
1o 1oo 1ooo ...and so on.
91 directories with the following names:
2n 2nn 2nnn ...and so on.
and 131 directories with the following names:
3e 3ee 3eee ...and so on.
F-Secure Anti Virus detects Spester worm with the current database updates.
Technical Details: Katrin Tocheva and Alexey Podrezov, F-Secure Corp.; January 16th, 2002