The Cali worm was found on 10th of August 2004. It's a massmailer.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
Cali is packed with Yoda and UPX. It's packed size is 51270 bytes. Once unpacked it grows up to 100KiB.
The executable was compiled with Microsoft's Visual C++ compiler with the stack protection option enabled. It's possible to appreciate in the code this feature, which protects the stack by placing a 'canary' value between the function's local variables and the return address. In this scenario if a buffer overflow would occur, it would be detected before the function returns, making the exploitation of an overflow a non trivial task.
The stack protection is enabled with the /GS option. More documentation on its implementation can be found from "Compiler Security Checks In Depth":
It's worth mentioning that some older worm could be taken over because of a buffer overflow in its networking code. It's interesting that malware writers are also paying attention to security related issues.
Once executed it creates a a mutex named:
in order to avoid being run more than once. And copies itself to:
A registry key will be set to point to the dropped file, the name of the key will be randomly chosen from:
BuildLab RegDone ccApps Microsoft Visual SourceSafe TEXTCONV FriendlyTypeName .Prog WMAudio
therefore, the registry key might look as follows:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] "WMAudio" = "%WinDir%\system\services.exe"
Where %WinDir% is the main Windows folder.
When massmailing, it will attach itself with names such as:
office.exe notes.exe doom3demo.exe resume.exe files.exe request.exe info.exe details.exe result.exe results.exe install.exe setup.exe test.exe google.exe se_files.exe