Assiral.A

Assiral.A arrives as a Windows PE executable. It is written in delphi and packed with Aspack executable packer. The worm main executable requires some delphi runtime DLLs to be present so it might not work on all systems.

System installation

When run, the worm copies itself in Windows system directory as MS_LARISSA.EXE and adds the following registry key

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"MS_LARISSA" = "%Sysdir%\MS_LARISSA.EXE"
 

This will ensure that the worm is run on every system startup. It also tries to copy itself on drives A-Z as "MS_LARISSA.EXE" and in Windows directory as "LOVE_LETTER.TXT.exe".

The worm drops and executes the following files:

C:\WINDOWS\WinVBS_32.vbs
C:\WINDOWS\System32\REG_32.vbs
C:\LARISSA_ANTI_BROPIA.html
 

It also tries to open a web page on www.geocities.com and modify Internet Explorer home page settings.

Email spreading

The script WinVBS_32.vbs contains the mass mailing part of the worm. Similar to Loveletter, it uses Outlook application to send emails to all recipients listed in Outlok address book. The sent emails look as follows:

Subject:
Re: LOV YA !
Body: Kindly read and reply to my LOVE LETTER in the attachments :-)
Attachments: LOVE_LETTER.TXT.exe
 

Where the attachment is previously saved in C:\WINDOWS folder.

The script also checks and modifies the registry:

[HKCU \Software\Microsoft\WAB\EddieMail]
 

so it send itself out only once per infected computer.

Payload

The worm drops a HTML file, C:\LARISSA_ANTI_BROPIA.html, and shows it. It contains the following text:

Assiral.A also drops a small Visual Basic Script file, C:\WINDOWS\System32\REG_32.vbs, and executes changing some of the policy settings from the Windows registry. This will for example hide all drives from the Explorer and disable registry editing tools.

Additionally the worm drops a file C:\MESSAGE.txt which contains the following message from the author:

Greetz from LARISSA.B!
I will survive,
In this moment in time.
You computer will crash,
So, you will be mine.
I never crash,
I never fail.
So, in this moment in time,
I will survive...


- LARISSA AUTHOR - 5-15-05
 

The worm also tries to kill processes of the Bropia MSN-worm:

Beautiful Ass.pif
John Kerry as Super Chicken.scr
Kool.pif
Me & you pic!.pif
Me Pissed!.pif
sexy.pif
She Could Fit her Ass in a Teacup.pif
she's fuckin fit.pif
titanic2.jpg.pif
cz.exe
msnmsr.exe
Webcam.pif
bedroom-things.pif
naked_drunk.pif
my_pussy.pif
ROFL.pif
underware.pif
Hot.pif
new_webcam.pif
 

Finally, it tries to kill the following security related processes:

APVXDWIN.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVENGINE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
Avconsol.exe
Avsynmgr.exe
CFIAUDIT.EXE
DRWEBUPW.EXE
DefWatch.exe
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
FrameworkService.exe
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
LUCOMS~1.EXE
MCUPDATE.EXE
NISUM.EXE
NPROTECT.EXE
NUPGRADE.EXE
OUTPOST.EXE
PavFires.exe
Rtvscan.exe
RuLaunch.exe
SAVScan.exe
SHSTAT.EXE
SNDSrvc.exe
UPDATE.EXE
UpdaterUI.exe
VsStat.exe
VsTskMgr.exe
Vshwin32.exe
alogserv.exe
bawindo.exe
blackd.exe
ccEvtMgr.exe
ccProxy.exe
ccPxySvc.exe
mcagent.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapw32.exe
nopdb.exe
pavProxy.exe
pavsrv50.exe
symlcsvc.exe
SpySweeper.exe
ISASS.EXE