Cali.A

Classification

Malware

Worm

W32

Cali.A, I-Worm.Neveg.b

Summary

The Cali worm was found on 10th of August 2004. It's a massmailer.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more
Knowledge Base

Find the latest advice in our Community Knowledge Base.

Product Manual

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Cali is packed with Yoda and UPX. It's packed size is 51270 bytes. Once unpacked it grows up to 100KiB.

The executable was compiled with Microsoft's Visual C++ compiler with the stack protection option enabled. It's possible to appreciate in the code this feature, which protects the stack by placing a 'canary' value between the function's local variables and the return address. In this scenario if a buffer overflow would occur, it would be detected before the function returns, making the exploitation of an overflow a non trivial task.

The stack protection is enabled with the /GS option. More documentation on its implementation can be found from "Compiler Security Checks In Depth":

https://go.microsoft.com/fwlink/?Linkid=7260

It's worth mentioning that some older worm could be taken over because of a buffer overflow in its networking code. It's interesting that malware writers are also paying attention to security related issues.

Once executed it creates a a mutex named:

"4D36E64A-W325-121E-BFC1-080C2BE11318"
 

in order to avoid being run more than once. And copies itself to:

%WinDir%\system\services.exe
 

A registry key will be set to point to the dropped file, the name of the key will be randomly chosen from:

BuildLab
RegDone
ccApps
Microsoft Visual SourceSafe
TEXTCONV
FriendlyTypeName
.Prog
WMAudio
 

therefore, the registry key might look as follows:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"WMAudio" = "%WinDir%\system\services.exe"
 

Where %WinDir% is the main Windows folder.

email spreading

When massmailing, it will attach itself with names such as:

office.exe
notes.exe
doom3demo.exe
resume.exe
files.exe
request.exe
info.exe
details.exe
result.exe
results.exe
install.exe
setup.exe
test.exe
google.exe
se_files.exe
 

Date Created: -

Date Last Modified: -