Threat Description

Assiral.A

Details

Category: Malware
Platform: W32
Aliases: Assiral.A, Email-Worm.Win32.Ariss.a

Summary


Assiral.A is a simple mass mailing worm that also tries to kill the Bropia worm.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


Assiral.A arrives as a Windows PE executable. It is written in Delphi and packed with the ASPack executable packer. The worm's main executable requires some Delphi runtime DLLs to be present, so it might not work on all systems.

System installation

When run, the worm copies itself to the Windows system directory as MS_LARISSA.EXE and adds the following registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"MS_LARISSA" = "%Sysdir%\MS_LARISSA.EXE"

This ensures that the worm is run on every system startup. It also tries to copy itself to drives A-Z as "MS_LARISSA.EXE" and to the Windows directory as "LOVE_LETTER.TXT.exe".

The worm drops and executes the following files:

C:\WINDOWS\WinVBS_32.vbs
C:\WINDOWS\System32\REG_32.vbs
C:\LARISSA_ANTI_BROPIA.html

It also tries to open a web page on www.geocities.com and to modify the Internet Explorer home page settings.

Email spreading

The script WinVBS_32.vbs contains the mass-mailing part of the worm. Similar to Loveletter, it uses the Outlook application to send emails to all recipients listed in the Outlook address book. The sent emails look as follows:

Subject: Re: LOV YA !
Body: Kindly read and reply to my LOVE LETTER in the attachments :-)
Attachments: LOVE_LETTER.TXT.exe

The attachment is the copy of the worm previously saved in the C:\WINDOWS folder.

The script also checks and modifies the registry:

[HKCU\Software\Microsoft\WAB\EddieMail]

so that it sends itself out only once per infected computer.
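As an added example (not part of the F-Secure write-up), a mail-gateway triage check in Python for the message pattern described above: it flags the known lure subject and attachment name, and more generally the double-extension trick (a decoy document extension in front of an executable one) that LOVE_LETTER.TXT.exe relies on. The message it parses is constructed here, and the attachment body is harmless filler.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the Assiral.A description.
ASSIRAL_SUBJECT = "Re: LOV YA !"
ASSIRAL_ATTACHMENT = "LOVE_LETTER.TXT.exe"
# Windows runs these directly; a decoy extension in front of one of them
# (e.g. .TXT.exe) is the double-extension trick the worm uses.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".vbs", ".com", ".bat"}
DECOY_EXTS = {".txt", ".jpg", ".doc", ".pdf"}

def is_double_extension(name: str) -> bool:
    """True for names like 'LOVE_LETTER.TXT.exe' (decoy ext, then executable ext)."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return "." + parts[1] in DECOY_EXTS and "." + parts[2] in EXECUTABLE_EXTS

def triage_message(raw: bytes) -> list[str]:
    """Return the reasons an inbound message matches Assiral.A's mail pattern."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if str(msg["Subject"] or "").strip() == ASSIRAL_SUBJECT:
        reasons.append("subject matches Assiral.A lure")
    # iter_attachments() yields nothing for a plain single-part message.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() == ASSIRAL_ATTACHMENT.lower():
            reasons.append(f"known worm attachment name: {name}")
        elif is_double_extension(name):
            reasons.append(f"double-extension executable attachment: {name}")
    return reasons

def build_sample() -> bytes:
    """Constructed message mimicking the worm's mail; the attachment is filler, not a binary."""
    msg = EmailMessage()
    msg["From"] = "victim@example.invalid"      # constructed addresses
    msg["To"] = "contact@example.invalid"
    msg["Subject"] = ASSIRAL_SUBJECT
    msg.set_content("Kindly read and reply to my LOVE LETTER in the attachments :-)")
    msg.add_attachment(b"placeholder-not-a-real-executable",
                       maintype="application", subtype="octet-stream",
                       filename=ASSIRAL_ATTACHMENT)
    return msg.as_bytes()

if __name__ == "__main__":
    for reason in triage_message(build_sample()):
        print("FLAG:", reason)
```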

Payload

The worm drops an HTML file, C:\LARISSA_ANTI_BROPIA.html, and displays it. It contains the following text:

Assiral.A also drops a small Visual Basic Script file, C:\WINDOWS\System32\REG_32.vbs, and executes it, changing some of the policy settings in the Windows registry. This will, for example, hide all drives from Explorer and disable registry editing tools.

Additionally, the worm drops a file, C:\MESSAGE.txt, which contains the following message from the author:

Greetz from LARISSA.B!
I will survive,
In this moment in time.
You computer will crash,
So, you will be mine.
I never crash,
I never fail.
So, in this moment in time,
I will survive...

- LARISSA AUTHOR - 5-15-05

The worm also tries to kill processes of the Bropia MSN-worm:

Beautiful Ass.pif
John Kerry as Super Chicken.scr
Kool.pif
Me & you pic!.pif
Me Pissed!.pif
sexy.pif
She Could Fit her Ass in a Teacup.pif
she's fuckin fit.pif
titanic2.jpg.pif
cz.exe
msnmsr.exe
Webcam.pif
bedroom-things.pif
naked_drunk.pif
my_pussy.pif
ROFL.pif
underware.pif
Hot.pif
new_webcam.pif

Finally, it tries to kill the following security-related processes:

APVXDWIN.EXE
ATUPDATER.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AVENGINE.EXE
AVPUPD.EXE
AVWUPD32.EXE
AVXQUAR.EXE
Avconsol.exe
Avsynmgr.exe
CFIAUDIT.EXE
DRWEBUPW.EXE
DefWatch.exe
ESCANH95.EXE
ESCANHNT.EXE
FIREWALL.EXE
FrameworkService.exe
ICSSUPPNT.EXE
ICSUPP95.EXE
LUALL.EXE
LUCOMS~1.EXE
MCUPDATE.EXE
NISUM.EXE
NPROTECT.EXE
NUPGRADE.EXE
OUTPOST.EXE
PavFires.exe
Rtvscan.exe
RuLaunch.exe
SAVScan.exe
SHSTAT.EXE
SNDSrvc.exe
UPDATE.EXE
UpdaterUI.exe
VsStat.exe
VsTskMgr.exe
Vshwin32.exe
alogserv.exe
bawindo.exe
blackd.exe
ccEvtMgr.exe
ccProxy.exe
ccPxySvc.exe
mcagent.exe
mcshield.exe
mcvsescn.exe
mcvsrte.exe
mcvsshld.exe
navapsvc.exe
navapw32.exe
nopdb.exe
pavProxy.exe
pavsrv50.exe
symlcsvc.exe
SpySweeper.exe
ISASS.EXE


Detection


F-Secure Anti-Virus detects Assiral.A with the following update:

Detection Type: PC
Database: 2005-02-22_01



Technical Details: Jarkko Turkulainen, Katrin Tocheva and Sami Rautiainen, Feb 23rd, 2005

