
Assiral.A

Classification

Category: Malware
Aliases:

Assiral.A, Email-Worm.Win32.Ariss.a

Summary

Assiral.A is a simple mass mailing worm that also tries to kill the Bropia worm.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Assiral.A arrives as a Windows PE executable. It is written in Delphi and packed with the ASPack executable packer. The worm's main executable requires certain Delphi runtime DLLs to be present, so it may not run on all systems.

System installation

When run, the worm copies itself to the Windows system directory as MS_LARISSA.EXE and adds the following registry value:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "MS_LARISSA" = "%Sysdir%\MS_LARISSA.EXE" 

This ensures that the worm is run on every system startup. It also tries to copy itself to the root of drives A-Z as "MS_LARISSA.EXE" and to the Windows directory as "LOVE_LETTER.TXT.exe".

The worm drops and executes the following files:

 C:\WINDOWS\WinVBS_32.vbs
 C:\WINDOWS\System32\REG_32.vbs
 C:\LARISSA_ANTI_BROPIA.html

It also tries to open a web page on www.geocities.com and to modify the Internet Explorer home page setting.

Email spreading

The script WinVBS_32.vbs contains the mass-mailing part of the worm. Similar to Loveletter, it uses the Outlook application to send emails to all recipients listed in the Outlook address book. The sent emails look as follows:

 Subject: Re: LOV YA !
 Body: Kindly read and reply to my LOVE LETTER in the attachments :-)
 Attachments: LOVE_LETTER.TXT.exe

The attachment is the copy of the worm previously saved in the C:\WINDOWS folder.

The script also checks and sets the following registry key:

 [HKCU\Software\Microsoft\WAB\EddieMail]

so that it sends itself out only once per infected computer.

Payload

The worm drops an HTML file, C:\LARISSA_ANTI_BROPIA.html, and displays it. It contains the following text:

Assiral.A also drops a small Visual Basic Script file, C:\WINDOWS\System32\REG_32.vbs, and executes it, changing some of the policy settings in the Windows registry. This will, for example, hide all drives from Explorer and disable the registry editing tools.
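The Run value, the EddieMail marker key and the policy changes described above are all visible in a registry export, so an incident responder can triage a host offline. The following added script (not part of the original description) parses `reg export`-style text and flags those artifacts; the policy value names NoDrives and DisableRegistryTools are an assumption, since the description names only their effects, and the sample export is constructed.

```python
import re
# Registry indicators from the Assiral.A description: the Run value it adds and the
# "sent once" marker key its mailer script checks. All key/value names compared lower-case.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_current_user\software\microsoft\wab\eddiemail"
# Assumption: the description gives the effects of REG_32.vbs (drives hidden, registry
# tools disabled), not the value names; NoDrives and DisableRegistryTools are the standard
# Explorer/System policy values with exactly those effects (enabled by a non-zero REG_DWORD).
POLICY_PREFIX = r"hkey_current_user\software\microsoft\windows\currentversion\policies"
POLICY_VALUES = {"nodrives", "disableregistrytools"}

def parse_reg_export(text):
    """Parse 'reg export'-style text into {key: {value_name: raw_data}}, names lower-cased."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"').lower()] = data.strip()
    return keys

def find_assiral_indicators(reg):
    """Return human-readable findings for Assiral.A artifacts in a parsed export."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if name == "ms_larissa" or "ms_larissa.exe" in data.lower():
            findings.append(f"Run persistence: {name} = {data}")
    if MARKER_KEY in reg:
        findings.append("Mailer marker key present: HKCU\\Software\\Microsoft\\WAB\\EddieMail")
    for key, values in reg.items():
        if key.startswith(POLICY_PREFIX):
            for name, data in values.items():
                if name in POLICY_VALUES and re.fullmatch(r"dword:[0-9a-f]{8}", data, re.I) \
                        and int(data[6:], 16) != 0:
                    findings.append(f"Policy tampering: {name} = {data}")
    return findings

# Constructed sample export (not a real capture) of an infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS_LARISSA"="C:\\WINDOWS\\System32\\MS_LARISSA.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\WAB\EddieMail]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDrives"=dword:03ffffff
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""
```

Run `find_assiral_indicators(parse_reg_export(open("export.reg").read()))` against a real `reg export` of HKLM and HKCU to get the list of findings; a clean host returns an empty list.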

Additionally, the worm drops a file C:\MESSAGE.txt, which contains the following message from the author:

 Greetz from LARISSA.B!
 I will survive,
 In this moment in time.
 You computer will crash,
 So, you will be mine.
 I never crash, I never fail.
 So, in this moment in time,
 I will survive...
 - LARISSA AUTHOR - 5-15-05

The worm also tries to kill the following processes of the Bropia MSN worm:

 Beautiful Ass.pif
 John Kerry as Super Chicken.scr
 Kool.pif
 Me & you pic!.pif
 Me Pissed!.pif
 sexy.pif
 She Could Fit her Ass in a Teacup.pif
 she's fuckin fit.pif
 titanic2.jpg.pif
 cz.exe
 msnmsr.exe
 Webcam.pif
 bedroom-things.pif
 naked_drunk.pif
 my_pussy.pif
 ROFL.pif
 underware.pif
 Hot.pif
 new_webcam.pif

Finally, it tries to kill the following security-related processes:

 APVXDWIN.EXE ATUPDATER.EXE AUPDATE.EXE AUTODOWN.EXE AUTOTRACE.EXE AUTOUPDATE.EXE AVENGINE.EXE AVPUPD.EXE AVWUPD32.EXE AVXQUAR.EXE Avconsol.exe Avsynmgr.exe CFIAUDIT.EXE DRWEBUPW.EXE DefWatch.exe ESCANH95.EXE ESCANHNT.EXE FIREWALL.EXE FrameworkService.exe ICSSUPPNT.EXE ICSUPP95.EXE LUALL.EXE LUCOMS~1.EXE MCUPDATE.EXE NISUM.EXE NPROTECT.EXE NUPGRADE.EXE OUTPOST.EXE PavFires.exe Rtvscan.exe RuLaunch.exe SAVScan.exe SHSTAT.EXE SNDSrvc.exe UPDATE.EXE UpdaterUI.exe VsStat.exe VsTskMgr.exe Vshwin32.exe alogserv.exe bawindo.exe blackd.exe ccEvtMgr.exe ccProxy.exe ccPxySvc.exe mcagent.exe mcshield.exe mcvsescn.exe mcvsrte.exe mcvsshld.exe navapsvc.exe navapw32.exe nopdb.exe pavProxy.exe pavsrv50.exe symlcsvc.exe SpySweeper.exe ISASS.EXE 
