Classification

Category: Malware

Type: Worm

Aliases: Cuerpo, VBS/Cuerpo, I-Worm.Cuervo

Summary

This is a polymorphic Visual Basic Script e-mail worm (mass-mailer) that spreads in two different ways: via the Outlook application and by collecting e-mail addresses from the database files of various e-mail clients.

Removal

Based on the settings of your F-Secure security program, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant: Cuerpo.A

Cuerpo is a polymorphic Visual Basic Script mass-mailer. Its polymorphism consists of replacing all variable names every time it replicates on a system; each variable name is replaced with a random string of 2 to 10 characters. These polymorphic variables are listed in a comment line at the top of the worm code. Cuerpo also saves itself and most of its components in files with random names.

Once executed, the worm first generates a new polymorphic copy of itself that it saves to the Windows System directory with a random name. Next it drops another file to the System directory, again with a random name, that contains a payload script. This script is added to the registry:

     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

so that it is executed every time the system is restarted.

The script checks whether four days have passed since the infection and, if so, sets the Internet Explorer start page to www.freedonation.com. Otherwise Cuerpo drops a file "blank.html" into the System directory; this file contains JavaScript code that opens a new browser window to www.freedonation.com and executes the worm. This HTML file is set as the Internet Explorer start page.

The worm spreads through the Internet in two different ways. The first method uses the Outlook application and its folders; this is the first mass-mailing routine. It goes through the Inbox, Sent Mail, Outbox and Deleted Items folders of the user's Outlook installation looking for messages that contain an attachment. When it finds such messages, it replies to them with the same subject, sending itself as an attachment whose name is the original attachment's name with the following string appended:

	"  (9 Kbytes).vbs"

Then the worm creates "wininit.bat", which drops the worm into the system and modifies "autoexec.bat" so that the worm is set to start on each system restart via the registry.

Then Cuerpo sends itself to all recipients in all address books, using one subject/attachment name combination taken from the scanned folders. These messages also contain the worm code embedded as HTML in the message body.

Cuerpo also uses a second method to spread. In addition to sending itself to the e-mail addresses listed in the Outlook application's address book, it collects all e-mail-like strings, by searching for a special character, from files that serve as database files for various e-mail clients. These database files have the extensions:

	"txt", "na2", "wab", "mbx" and "dbx"

It also searches all "dat" files located in the directory whose name contains the string found in the registry key

     HKCU\Software\Mirabilis\ICQ\Owners\LastOwner

Cuerpo stores all of these e-mail addresses in an HTML file in the System directory. This HTML file contains a form that is submitted to the virus writer's web site. It is referenced from "blank.html", so the collected information is sent as soon as the infected user opens Internet Explorer. From that remote location the worm is then sent, as HTML embedded in an otherwise empty message, to all of the e-mail addresses previously collected from the database files listed above. The virus writer's web page was disabled within a few hours of the worm being discovered, so the second mass-mailing part of the worm no longer works.
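As an added example, not part of the original F-Secure description, the following Python script turns the indicators described above into two defender-side checks: a static scan of a .vbs file for the string indicators (www.freedonation.com, blank.html, wininit.bat, the Run key) and for the layout of a leading comment listing short random variable names that the body then uses, plus a mail-gateway check for attachment names ending in "  (9 Kbytes).vbs". The minimum token count and reuse threshold are assumed heuristic values, and the sample script is constructed to mimic only the layout, not the worm's code.

```python
import re

# Indicators taken from the description above (page values, not new ones).
STRING_INDICATORS = ("freedonation.com", "blank.html", "wininit.bat",
                     r"Software\Microsoft\Windows\CurrentVersion\Run")
# The first mailing routine appends "  (9 Kbytes).vbs" to the original attachment name.
ATTACHMENT_SUFFIX = re.compile(r"\(9 Kbytes\)\.vbs$", re.IGNORECASE)
IDENT = re.compile(r"\b[A-Za-z][A-Za-z0-9]{1,9}\b")  # 2-10 char names, as the text states
MIN_TOKENS, REUSE_THRESHOLD = 3, 0.8  # assumed heuristic thresholds, not from the page

def split_leading_comment(script):
    """Return (comment text, rest); comment is "" if the first non-blank line is not ' or Rem."""
    lines = script.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if not s:
            continue
        if s.startswith("'"):
            return s[1:], "\n".join(lines[i + 1:])
        if s.lower().startswith("rem "):
            return s[4:], "\n".join(lines[i + 1:])
        break
    return "", script

def variable_reuse_score(script):
    """Fraction of leading-comment tokens that reappear as identifiers in the body."""
    # A comment listing random names that the body then uses is the layout the
    # description gives for Cuerpo's polymorphic variables.
    comment, body = split_leading_comment(script)
    tokens = IDENT.findall(comment)
    if len(tokens) < MIN_TOKENS:
        return 0.0
    body_idents = set(IDENT.findall(body))
    return sum(1 for t in tokens if t in body_idents) / len(tokens)

def scan_script(script):
    """Combine the string indicators with the variable-reuse heuristic."""
    lower = script.lower()
    hits = [s for s in STRING_INDICATORS if s.lower() in lower]
    score = variable_reuse_score(script)
    return {"string_hits": hits, "variable_reuse": score,
            "suspicious": bool(hits) or score >= REUSE_THRESHOLD}

def suspicious_attachment_name(name):
    """Mail-gateway check for the attachment naming pattern described above."""
    return bool(ATTACHMENT_SUFFIX.search(name))

# Constructed sample that mimics only the described layout (it is not worm code).
SAMPLE = ("' qzt kxrpa mnq wvf\nDim qzt, kxrpa, mnq, wvf\n"
          "kxrpa = \"blank.html\"\nwvf = \"www.freedonation.com\"\n")
```

Running `scan_script(SAMPLE)` flags the sample on both the string indicators and a variable-reuse score of 1.0, while a script whose leading comment is ordinary prose scores 0.0.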