Invalid

Classification

Malware

Worm

W32

Invalid, I-Worm.Invalid, Ivalid, I-Worm.Invalid.A, Invalid.Worm

Summary

Invalid is an Internet worm written in pure Assembly. The worm's file is a 12288 bytes long PE EXE file. The worm's file is not compressed.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more
Knowledge Base

Find the latest advice in our Community Knowledge Base.

Product Manual

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

When the worm's file is run it first checks for available Internet connection. If a connection is not found the worm starts to recursively look for '*.exe' files. If an EXE file is found, the worm gets external cetrificate from Windows crypto library, generates a new key. If key generation fails, the worm exits. Otherwise the worm encrypts a found file with a generated key. When the worm reaches root directory, the encryption process stops and the worm exits.

If Internet connection is found, the worm gets information about its own file, allocates 2 memory buffers, reads itself into the first memory buffer and then encodes itself with BASE64 encoding (encoding subroutine is inside the worm's file) into the second memory buffer. After that the worm gets the special folder location and looks for '*.ht*' (*.HTM, *.HTML, etc.) files there. When an appropriate file is found, the worm loads it into memory and starts looking for 'mailto:' strings inside the file. If this string is found the worm gets an email address after it and sends itself to this address. Then the worm continues to search for 'mailto:' string in the same file and will send itself out if other email addresses are found. If no more addresses are found, the worm looks for more HTML files.

When sending emails the worm connects to 'mail.bezeqint.net' email server and sends out the following message:

From: "Microsoft Support" [support@microsoft.com]
Subject: Invalid SSL Certificate
Hello,
Microsoft Corporation announced that an invalid SSL certificate
that web sites use is required to be installed on the user
computer to use the https protocol. During the installation, the
certificate causes a buffer overrun in Microsoft Internet
Explorer and by that allows attackers to get access to your
computer. The SSL protocol is used by many companies that
require credit card or personal information so, there is a high
possibility that you have this certificate installed.
To avoid of being attacked by hackers, please download and
install the attached patch. It is strongly recommended to
install it because almost all users have this certificate
installed without their knowledge.
Have a nice day,
Microsoft Corporation

The worm's file encoded in BASE64 format is attached to this message as 'sslpatch.exe' file.

The worm has a dangerous payload. It encrypts all EXE files it can find in current directory and upper directories with a generated key (see above). The payload is activated if Internet connection is not present or in case of errors during worm's operations.

The worm has a few bugs that affect its ability to spread and to encrypt files.

Date Created: -

Date Last Modified: -