Classification

Category :

Malware

Type :

Virus

Aliases :

Winevar, HLLM.Seoul, Korvar, I-Worm.Winevar, Braid.C

Summary

The Winevar email worm was found in-the-wild in Korea in the end of November 2002. Apparently it was released by the virus writer on purpose during the AVAR 2002 Conference (Anti-Virus Researcher's Asia) in Seoul, South Korea.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm's file is a Windows PE executable about 91Kb long. The worm was written in Microsoft Visual C++. It should be noted, that Winevar resembles Bridex worm that appeared earlier. The Winevar worm has many bugs that can cause damage to infected systems and limit the worm's spreading.

When the worm's file is run, it copies itself as WINxxxx.PIF file (xxxx - random characters) to Windows System directory. It creates startup keys for this file in the System Registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

The worm creates subkeys in the Run key with the names that correspond to the worm's installed file names (for example 'WIN1205') and also it modifies the default value of Run key where it stores execution path for the last started worm's copy.

After that the worm creates a dropper for Funlove.4099 virus as WINxxxx.PIF file (xxxx - random characters) to Windows System directory. The original text is replaced with the following line:

~AAVAR 2002 in Seoul~

The original Funlove's dropper name (FLCSS.EXE) is replaced with AAVAR.PIF filename. The description of Funlove virus is here:

https://www.europe.f-secure.com/v-descs/funlove.shtml

Being active the Winevar worm continuously looks for and terminates processes and services that contain the following text:

view
debu
scan
mon
vir
iom
ice
anti
fir
prot
secu
dbg
avk
pcc
spy

However, the worm doesn't kill the above mentioned processes and services if the following text is present in them:

microsoft
ms
_np
r n
cicer
irmon
smtpsvc
moniker
office
program
explorewclass

The worm scans hard drives for files and folders with the following text in their names:

antivirus
cillin
nlab
vacc

If such folder or file is found, the worm attempts to delete all files in that folder. Due to a bug in this routine, the worm deletes all files on an infected hard drive.

To get email addresses the worm looks for *.HTM and *.DBX files and extracts emails addresses from them. The worm ignores email addresses with the following text: '@microsoft' to prevent its spreading to Microsoft. To send infected messages the worm uses a direct connection to a default SMTP server.

The worm stores email addresses to where it already sent itself in the following Registry key:

[HKEY_LOCAL_MACHINE\Software\Microsoft\DataFactory]

When sending itself out the worm appends the following information to its attachment:

- country or region ID (for example: [KOR], [RUS] - for Korea and Russia)
- current date and time
- user name and company name (this info is taken from the Registry)

Using this data it is possible to trace a particular worm's copy "migration" process.

The infected messages can have different data in body and subject fields. The subject is randomly (depending on worm's generation) selected from the following variants:

Re: AVAR(Association of Anti-Virus Asia Reseachers)

 N`4 %RegisteredOrganization%

 N`4 Trand Microsoft Inc.

The last (third) variant is selected in case there is no "RegistreredOrganization" key in the System Registry. The "N`4" string is actually a "Re:" string that was not decrypted by the worm during email message composition.

The message body is also selected depending on the worm's generation. It can be:

%RegisteredOwner% - %RegisteredOrganization%

or:

AVAR(Association of Anti-Virus Asia Reseachers) - Report.

 Invariably, Anti-Virus Program is very foolish.

The %RegisteredOwner% and the %RegisteredOrganization% information is taken from the Registry and represent the name to whom Windows is registered and an organization that owns the lisence respectively.

The attached worm's file names can be different:

WINxxx.TXT (12.6 KB) MUSIC_1.HTM
WINxxx.GIF (120 bytes) MUSIC_2.CEO
WINxxx.PIF

The 'xxx' represents random characters. In some cases the subject and message body can be different. The .CEO and .PIF files are the same and represent the worm's executable file.

The .HTM file contains the VM ActiveX Component exploit. It contains a script that will add .CEO extension to the Registry and associate it with executable files. So a user will be able to run files with CEO extensions as executables. This is a security hole and we recommend to add this extension to the list of scanned extensions of F-Secure Anti-Virus if it's not present there yet.

To run from an infected message the worm uses the Iframe exploit, that is widely used in present day email worms. The IFrame vulnerability is fixed and the patch for it is available on Microsoft's website:

https://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

Also the worm uses Microsoft VM ActiveX Component vulnerability:

https://www.microsoft.com/technet/security/bulletin/MS00-075.asp

In case the worm fails to spread and or in case of file deletion payload activation, it displays a messagebox:

Make a fool of oneself
What a foolish thing you have done!

The worm continuosly tries to download the front page of www.symantec.com website to a temporary file, then deletes this file. This might create a DoS (Denial Of Service) attack in case the worm becomes widespread.

Winevar attempts to copy itself as EXPLORER.PIF to a desktop folder. The worm also contains code, that looks like an incomplete network spreading routine.

The worm changes Windows registration information on an infected computer:

Registered Organization: Trand Microsoft Inc.
Registered Owner: AntiVirus

Winevar creates a mutex for itself with the following name:

~~ Drone Of StarCraft~~