Invalid is an Internet worm written in pure Assembly. The worm's file is a 12288 bytes long PE EXE file. The worm's file is not compressed.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
When the worm's file is run it first checks for available Internet connection. If a connection is not found the worm starts to recursively look for '*.exe' files. If an EXE file is found, the worm gets external cetrificate from Windows crypto library, generates a new key. If key generation fails, the worm exits. Otherwise the worm encrypts a found file with a generated key. When the worm reaches root directory, the encryption process stops and the worm exits.
If Internet connection is found, the worm gets information about its own file, allocates 2 memory buffers, reads itself into the first memory buffer and then encodes itself with BASE64 encoding (encoding subroutine is inside the worm's file) into the second memory buffer. After that the worm gets the special folder location and looks for '*.ht*' (*.HTM, *.HTML, etc.) files there. When an appropriate file is found, the worm loads it into memory and starts looking for 'mailto:' strings inside the file. If this string is found the worm gets an email address after it and sends itself to this address. Then the worm continues to search for 'mailto:' string in the same file and will send itself out if other email addresses are found. If no more addresses are found, the worm looks for more HTML files.
When sending emails the worm connects to 'mail.bezeqint.net' email server and sends out the following message:
From: "Microsoft Support" [firstname.lastname@example.org] Subject: Invalid SSL Certificate Hello, Microsoft Corporation announced that an invalid SSL certificate that web sites use is required to be installed on the user computer to use the https protocol. During the installation, the certificate causes a buffer overrun in Microsoft Internet Explorer and by that allows attackers to get access to your computer. The SSL protocol is used by many companies that require credit card or personal information so, there is a high possibility that you have this certificate installed. To avoid of being attacked by hackers, please download and install the attached patch. It is strongly recommended to install it because almost all users have this certificate installed without their knowledge. Have a nice day, Microsoft Corporation
The worm's file encoded in BASE64 format is attached to this message as 'sslpatch.exe' file.
The worm has a dangerous payload. It encrypts all EXE files it can find in current directory and upper directories with a generated key (see above). The payload is activated if Internet connection is not present or in case of errors during worm's operations.
The worm has a few bugs that affect its ability to spread and to encrypt files.
Date Created: -
Date Last Modified: -