Threat Description

Cali.A

Details

Aliases: Cali.A, I-Worm.Neveg.b
Category: Malware
Type: Worm
Platform: W32

Summary


The Cali worm was found on 10th of August 2004. It's a massmailer.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


Cali is packed with Yoda and UPX. It's packed size is 51270 bytes. Once unpacked it grows up to 100KiB.

The executable was compiled with Microsoft's Visual C++ compiler with the stack protection option enabled. It's possible to appreciate in the code this feature, which protects the stack by placing a 'canary' value between the function's local variables and the return address. In this scenario if a buffer overflow would occur, it would be detected before the function returns, making the exploitation of an overflow a non trivial task.

The stack protection is enabled with the /GS option. More documentation on its implementation can be found from "Compiler Security Checks In Depth":

https://go.microsoft.com/fwlink/?Linkid=7260

It's worth mentioning that some older worm could be taken over because of a buffer overflow in its networking code. It's interesting that malware writers are also paying attention to security related issues.

Once executed it creates a a mutex named:

"4D36E64A-W325-121E-BFC1-080C2BE11318"   

in order to avoid being run more than once. And copies itself to:

%WinDir%\system\services.exe   

A registry key will be set to point to the dropped file, the name of the key will be randomly chosen from:

BuildLab  RegDone  ccApps  Microsoft Visual SourceSafe  TEXTCONV  FriendlyTypeName  .Prog  WMAudio   

therefore, the registry key might look as follows:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]  "WMAudio" = "%WinDir%\system\services.exe"   

Where %WinDir% is the main Windows folder.

E-Mail spreading

When massmailing, it will attach itself with names such as:

office.exe  notes.exe  doom3demo.exe  resume.exe  files.exe  request.exe  info.exe  details.exe  result.exe  results.exe  install.exe  setup.exe  test.exe  google.exe  se_files.exe   


Detection


Detection for Cali worm is available since the following FSAV updates:

Detection Type: PC
Database: 2004-08-10_01



Technical Details:Ero Carrera, August 10th, 2004


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More