The worm's file is a Windows PE executable about 91Kb long. The
worm was written in Microsoft Visual C++. It should be noted,
that Winevar resembles Bridex worm that appeared earlier. The
Winevar worm has many bugs that can cause damage to infected
systems and limit the worm's spreading.
When the worm's file is run, it copies itself as WINxxxx.PIF file
(xxxx - random characters) to Windows System directory. It
creates startup keys for this file in the System Registry:
The worm creates subkeys in the Run key with the names that
correspond to the worm's installed file names (for example
'WIN1205') and also it modifies the default value of Run key
where it stores execution path for the last started worm's copy.
After that the worm creates a dropper for Funlove.4099 virus as
WINxxxx.PIF file (xxxx - random characters) to Windows System
directory. The original text is replaced with the following line:
~AAVAR 2002 in Seoul~
The original Funlove's dropper name (FLCSS.EXE) is replaced with
AAVAR.PIF filename. The description of Funlove virus is here:
Being active the Winevar worm continuously looks for and
terminates processes and services that contain the following
However, the worm doesn't kill the above mentioned processes and
services if the following text is present in them:
The worm scans hard drives for files and folders with the
following text in their names:
If such folder or file is found, the worm attempts to delete all
files in that folder. Due to a bug in this routine, the worm
deletes all files on an infected hard drive.
To get e-mail addresses the worm looks for *.HTM and *.DBX files
and extracts emails addresses from them. The worm ignores e-mail
addresses with the following text: '@microsoft' to prevent its
spreading to Microsoft. To send infected messages the worm uses a
direct connection to a default SMTP server.
The worm stores e-mail addresses to where it already sent itself
in the following Registry key:
When sending itself out the worm appends the following
information to its attachment:
- country or region ID (for example: [KOR], [RUS] - for Korea and Russia)
- current date and time
- user name and company name (this info is taken from the Registry)
Using this data it is possible to trace a particular worm's copy
The infected messages can have different data in body and subject
fields. The subject is randomly (depending on worm's generation)
selected from the following variants:
Re: AVAR(Association of Anti-Virus Asia Reseachers)
N`4 Trand Microsoft Inc.
The last (third) variant is selected in case there is no
"RegistreredOrganization" key in the System Registry. The "N`4"
string is actually a "Re:" string that was not decrypted by the
worm during e-mail message composition.
The message body is also selected depending on the worm's
generation. It can be:
%RegisteredOwner% - %RegisteredOrganization%
AVAR(Association of Anti-Virus Asia Reseachers) - Report.
Invariably, Anti-Virus Program is very foolish.
The %RegisteredOwner% and the %RegisteredOrganization%
information is taken from the Registry and represent the name to
whom Windows is registered and an organization that owns the
The attached worm's file names can be different:
WINxxx.TXT (12.6 KB) MUSIC_1.HTM
WINxxx.GIF (120 bytes) MUSIC_2.CEO
The 'xxx' represents random characters. In some cases the subject
and message body can be different. The .CEO and .PIF files are the
same and represent the worm's executable file.
The .HTM file contains the VM ActiveX Component exploit. It
contains a script that will add .CEO extension to the Registry
and associate it with executable files. So a user will be able to
run files with CEO extensions as executables. This is a security
hole and we recommend to add this extension to the list of
scanned extensions of F-Secure Anti-Virus if it's not present
To run from an infected message the worm uses the Iframe exploit,
that is widely used in present day e-mail worms. The IFrame
vulnerability is fixed and the patch for it is available on
Also the worm uses Microsoft VM ActiveX Component vulnerability:
In case the worm fails to spread and or in case of file deletion
payload activation, it displays a messagebox:
Make a fool of oneself
What a foolish thing you have done!
The worm continuosly tries to download the front page of
www.symantec.com website to a temporary file, then deletes this
file. This might create a DoS (Denial Of Service) attack in case
the worm becomes widespread.
Winevar attempts to copy itself as EXPLORER.PIF to a desktop
folder. The worm also contains code, that looks like an
incomplete network spreading routine.
The worm changes Windows registration information on an infected
Registered Organization: Trand Microsoft Inc.
Registered Owner: AntiVirus
Winevar creates a mutex for itself with the following name:
~~ Drone Of StarCraft~~
F-Secure Anti-Virus detects Winevar worm with the updates
published on November 25th, 2002:
[Analysis: F-Secure Corporation and Kaspersky Labs; November 24-25th, 2002]