Nymph is a mass-mailer with backdoor capabilities created by ASM/iKX group. It is one of the first worms that uses search engine of a webserver to find victim's e-mail addresses. The worm is disguised as 'E-fortune cookie generator'. This worm is a variant of W32/Roach worm and it has a few serious bugs that don't allow it to work even for a short while on an infected system. The worm itself is a Windows PE EXE file about 29kb long. The code of the worm is encrypted with a simple XOR encryption loop.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More information on scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
When started the worm first gets API addresses of certain functions from KERNEL32.DLL, WSOCK32.DLL, WININET.DLL, USER32.DLL, MPR.DLL, ADVAPI32.DLL, IMAGEHLP.DLL, SETUPAPI.DLL. Many of the functions are not used in this worm version, but might be added in the future. The the worm would get the ability to spread in Windows networks, infect files, intercept EXE file starting, use miltiple IRC servers and so on.
First the worm checks from what file is started. If the file name ends with 'okie' (cookie.exe), the worm generates a random number and shows a messagebox with a text that corresponds to this number (see cookie texts below). This is done to disguise worm installation to a system. If the worm is started from a file which name ends in 'om32' (dccom32.exe), the worm sets a flag that it is already installed and doesn't show any messageboxes.
The worm then gets to \Windows\System\ directory and drops a short ZIP archive from inside its body as EGGCASE.ATT. This archive has only FILE_ID.DIZ file with the following text:
FortuneCookie 32 - Version 1.0 * FREEWARE * DESCRIPTION: ============ FortuneCookie 32 is a Windows 32 version of the classical fortune cookies you can get at some restaurants. It's very simple double clicking on the cookie.exe file will bring up a fortune cookie. This program is freeware so feel free to send out a word of wisdom to your friends!
If the worm fails to drop this archive to \Windows\System\ directory, it tries to drop it into temporary folder. After that the worm looks for EGGCASE*.ATT files and immediately finds a dropped EGGCASE.ATT file. The worm then copies its file as DCCOM32.EXE into Temp and \Windows\System\ folders and creates a startup key with the name 'dcomdriver' for one of dropped files in the default Run keys:
Then the worm adds its file as COOKIE.EXE to the ZIP archive (eggcase.att) that it previously dropped. The worm does not use any ZIPping utility, it just adds its file 'as is' to the end of the archive, corrects and adds necessary data to make an archive valid. This archive will be used by the worm as an attachment to infected messages.
After that the worm waits for some time and then verifies Internet connection state. If there's no connection, the worm waits and tries again. If a valid connection is found, the worm creates additional 2 threads and puts its main thread into infinite wait loop. The first thread is the worm spreading thread, the second thread is a backdoor thread that uses IRC.
When thread 1 is started it waits for some time, checks Internet connection state and if a valid connection is found, it creates 3 sockets, resolves host name for 'pop.hotpop.com', 'diemen.nl.eu.undernet.org' (IRC server, there's one more server name in the worm's body, but it's never used) and 'wwp.icq.com' (ICQ Personal Communication Center) servers. The worm then reads settings from Microsoft Internet Account Manager or if it is not available from Outlook OMI Account Manager. It gets information about a default account and tries to connect to user's SMTP server. If the server is not available, the worm tries to use 'mail.hotmail.com' server. If user's SMTP server is accessible, the worm still changes it to 'smtp.hotpop.com' and then changes user's e-mail address to 'email@example.com'. These changes are in effect only when the worm is active, as it doesn't modify these settings in the Registry.
Then the worm gets Windows registered user name from the Registry. If there's no user name there, the worm generates a random number and selects the name corresponding to this number from its internal table:
dark evil lost cool kewl fool hack dead head bozz
This name will be used in 'From:' field of an infected e-mail that the worm sends itself out. Then the worm generates 3 more random numbers and fills a search form that will be used to search for e-mail addresses on a webserver. The form looks like that:
POST /scripts/srch.dll HTTP/1.1 User-Agent: Mozilla/4.73 (Windows 95; U) Opera 4.02 [en] Host: wwp.icq.com Accept: text/html, image/png, image/jpeg, image/gif, image/x-xbitmap, image/vnd.wap.wbmp;level=0, */* Accept-Language: en Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Referer: http://www.icq.com/whitepages/search.html Connection: Keep-Alive Content- application/x-www-form-urlencoded Content-length: 212 FirstName=&LastName=&NickName=&Email=&AgeRange=0-0&Gender=0&Lang=12 &City=&State=&Country=0&Occupation=0&Dept=&Company=&PastInfo=0 &PastInfoText=&Interest=0&InterestText=&SubInterest=&Group=0 &GroupText=&SEND=Search
Finally the worm connects to a webserver and sends the form there. When it gets a reply it looks for e-mail address and then sends an infected e-mail to that address. The worm uses Microsoft anonymous SMTP server to send e-mails. The worm randomly composes sender's name from 2 tables and adds '@hotmail.com' in the end. The first table is shown above, the second table is:
trooper travler nemonic _maniac _master _avatar _jesuzz riddler _satan_ lucifer
The subject line if an infected e-mail is 'Subject: Fw:' followed by one of the randomly selected cookie texts (see table below). The recepient info is 'To: <removed>'. The worm uses EGGCASE.ATT archive (with FILE_ID.DIZ and its file COOKIE.EXE) as an attachment. The attachment name is FORTUNE.ZIP and it is sent MIME-encoded. The worm also sends the second attachment - a body of itself as SETUP.EXE file hoping that a user will run at least one of the attachments. The message body is in HTML format, it looks like that (black text on bright blue background):
SMACK!!! You have been hit This is the funny-attachment war! You have just been hit and by the rule book you can't hit this person back. To be in the game you need to send this message to five of your friends, try to find some small and funny attachment to send along. If you don't have time use the one you got hit by, go ahead hit someone!
In the end of the infected e-mail there is '--nymph--' text.
When thread 2 is started, it generates a nick from 'nymph' plus random 4-digit number ('nymph1234' for example), connects to 'diemen.nl.eu.undernet.org' IRC server and sets invisible mode for a user with the generated nick. Then the worm joins #nymph channel and sends a private message:
[I-Worm-Nymph v.1.1] by Asm/iKX
Then the worm enters the loop that handles incoming IRC messages. The worm responds to 'PING', 'JOIN', 'INVI', 'PRIV' and '319' messages. The worm can join a channel when instructed by join and invitation commands and enters a private chat session on PRIV command. In the private channel session the worm has backdoor capabilities. It responds to 3 messages: 'msgx' - quit, 'msgi' - get information about worm version and 'msgu' - upload and run a file. When 'msgu' message is received, the worm creates an additional thread that allows to download and run a specified file on an infected computer. The file is downloaded with a random name into Temp folder and is activated by the worm.
The worm has the following cookie texts:
it is predictable, but I wouldn't like to predict it myself. - C. Lawson 100,000 lemmings can't be wrong. A friend in need is a pain in the ass. A man is as old as he feels. But never as important. A man is as old as the woman he feels. Always be sincere - Even when you don't mean it. Always tell her she's pretty, especially when she isn't. Anyone who can see through a woman is missing a lot. Avoid life - It'll kill you in the end. Do to the other fellow as he would do unto you. But for God's sake do it first! Experience, the name given by men to their mistakes. Get stoned - Drink liquid cement. Happiness can't buy money. If a woman wants to learn to drive, don't stand in her way. Join the army, travel the world, meet interesting people and shoot them. Just because you're paranoid it doesn't mean they aren't out to get you. Life is a sexually transmitted disease. Love Thy Neighbour - But don't get caught. Money can't buy friends but it can buy a better class of enemy. - Spike Milligan. Never put off till tomorrow what you can avoid altogether. Racial prejudice is a pigment of the imagination Smoking - think of it as evolution in action. Sudden prayers make God jump. When faced with two evils I like to do the one I've never tried before. - Mae West Live fast, Die young, Leave a good looking corpse. A Wise Man can see more from the bottom of a well than a Fool can see from the top of a mountain. Walk softly but carry a big stick. TO DO IS TO BE - Socrates%TO BE IS TO DO - Sartre%DO BE DO BE DO - Sinatra It is better to keep your mouth closed and let people think you are a fool than to open it and remove all doubt. - Samual Clemmens What you can not avoid, Welcome. If you can't tie good knots... tie many. Anything free is worth what you pay for it. Two wrongs do not make a right; it usually takes three or more.
The worm also has the following text strings that are never displayed:
[I-Worm.Nymph@MM v.1.1] by Asmodeus iKX creech, creech... we will infest. Info - this is a stripped version of W32/Roach, it will pave way for its larger cousin. Greets : Lifewire/iKX, BillyBel/iKX, StarZero/iKX SimpelSimon, Ultras, Vecna, T-2000, and the rest of the ikx family
Technical Details:Alexey Podrezov, F-Secure Corp., July 2001