Classification

Category: Malware

Type: Worm

Aliases: Spester, I-Worm.Spdtest

Summary

At the time of writing of this description, F-Secure has received no reports about this worm from the field. Spester consists of three parts: a binary dropper, a Visual Basic Script worm and an IRC worm.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant: Spester.A

Binary dropper

The binary dropper of the worm usually arrives in a ZIP archive attached to an email message. The archive name is SPDTEST.ZIP and it contains the SPDTEST.EXE file, the dropper itself. When a user extracts and runs the EXE file, the system becomes infected. The binary component of the Spester worm is an EXE file 19968 bytes long. When packed into a ZIP archive for spreading it is less than 9350 bytes long. The worm's executable file is disguised as a joke program. When it is run it shows a dialog box with a single button and asks the user to click it. When the user moves the cursor close to the button, the button moves away and the text on it changes. The text strings on the button can be the following:

If you're really fast try to click me
You must do it faster. Try again!
Oh, come on! You can't be so slow!
I think, you should change your mouse.
I don't have whole day! Click me right now!
My grandma is faster than you. You suck!
Click this button or I'll format your hard disk.
Nobody's perfect but you're a totally loser!
Hit me baby one more time.

After this the binary part of the worm displays a big button with the following text:

OK. I'll help you. Look I'm big now. Click me !!!

When a user clicks on a big button, the worm shows a messagebox:

You made it, at last! But you were too slow. I will format your hard disk. Sorry.

And then it starts to simulate hard disk formatting. But after some time the worm shows another messagebox:

Relax. I was only kidding!

While the user is busy with the joke part of the worm, it drops several files to the user's system. The worm drops SCRIPT.INI and a packed copy of itself as SPDTEST.ZIP into the C:\Mirc\ folder. The SCRIPT.INI file contains commands that will send the worm's ZIP archive to all users joining an IRC channel that the infected user occupies. The worm also drops a packed copy of itself as SPDTEST.ZIP and a VBS script named ONECLOCK.VBS into the c:\Program Files\Internet Explorer\ folder. The worm then creates a special key in the Registry that will run the VBS file on the next Windows startup.

Visual Basic Script worm

When executed, the script first checks for a file ONE.DAT in the "c:\Program Files\Common Files\" folder and, if it does not exist, runs its spreading routine. It then creates an empty file with this name (to use it later as an infection marker) and runs its payload. The spreading routine uses the Outlook application and sends messages to all addresses listed in the Outlook address book. These messages look as follows:

Subject: game: Speed tester v. 1.0 - check your mouse skills
Body:
Hello,
How good are your mouse movement skills? Wanna test it? If yes try game Speed tester v.1.0. (you have it in attachment).
It's really funny.
Software requirements:
- Windows operating system
- Java Virtual Machine
regards

As an attachment the script uses the SPDTEST.ZIP file from the "C:\Program Files\Internet Explorer" folder if it is present. If not, the script attaches only itself. The payload in the script part of the worm activates on the 25th, 10th, 31st, 9th and 12th of each month. When the day is the 25th it runs the spreading routine. On the 10th of each month it shows the following message box:

Tip Of The Day: You look really beautiful today.

On the 9th and 12th the virus shows another message box:

Happy Birthday!!!

When the day is the 31st it runs another routine which creates three families of directories in the root of the C: drive. The first family is 51 directories with the following names:

1o
1oo
1ooo
...and so on.

The second family is 91 directories with the following names:

2n
2nn
2nnn
...and so on.

The third family is 131 directories with the following names:

3e
3ee
3eee
...and so on.
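The dropped files listed in the dropper section, the ONE.DAT infection marker and the three directory families above are all static host artifacts, so an incident responder can check for them with a read-only filesystem scan. The following is an added example written for this description; it is not F-Secure code and does not come from the worm. It assumes the paths are expressed relative to a root directory passed in as a parameter (so it can be pointed at a mounted disk image or, as here, at a constructed sample tree), that file-name matching should be case-insensitive, and that the directory families follow the pattern the description shows (a leading digit followed by one or more repeated letters, up to the counts given).

```python
"""Read-only host check for the artifacts this description attributes to Spester.A.

Added example, not F-Secure code. The sample tree built by build_sample_tree()
is constructed for demonstration and contains only placeholder files.
"""
import re
import tempfile
from pathlib import Path

# Files the description says are dropped, relative to the system drive root.
# Names are compared case-insensitively because Windows file names are.
DROPPED_FILES = [
    Path("mirc") / "script.ini",
    Path("mirc") / "spdtest.zip",
    Path("Program Files") / "Internet Explorer" / "spdtest.zip",
    Path("Program Files") / "Internet Explorer" / "oneclock.vbs",
    Path("Program Files") / "Common Files" / "one.dat",  # infection marker
]

# Directory families created by the 31st-of-month payload: 1o..1o{51}, 2n..2n{91}, 3e..3e{131}.
PAYLOAD_DIR_PATTERNS = {
    "1o": re.compile(r"^1o{1,51}$"),
    "2n": re.compile(r"^2n{1,91}$"),
    "3e": re.compile(r"^3e{1,131}$"),
}


def _resolve_case_insensitive(root, rel):
    """Walk rel under root one component at a time, ignoring case; None if any part is missing."""
    current = Path(root)
    for part in rel.parts:
        if not current.is_dir():
            return None
        match = next((c for c in current.iterdir() if c.name.lower() == part.lower()), None)
        if match is None:
            return None
        current = match
    return current


def find_dropped_files(root):
    """Return the dropped-file paths (relative, POSIX form) that exist as regular files under root."""
    found = []
    for rel in DROPPED_FILES:
        resolved = _resolve_case_insensitive(root, rel)
        if resolved is not None and resolved.is_file():
            found.append(rel.as_posix())
    return sorted(found)


def count_payload_dirs(root):
    """Count directories directly under root whose names match each payload family."""
    counts = {family: 0 for family in PAYLOAD_DIR_PATTERNS}
    root = Path(root)
    if not root.is_dir():
        return counts
    for entry in root.iterdir():
        if not entry.is_dir():
            continue
        for family, pattern in PAYLOAD_DIR_PATTERNS.items():
            if pattern.match(entry.name):
                counts[family] += 1
    return counts


def assess(root):
    """Combine both checks; any dropped file or payload directory counts as an indicator."""
    files = find_dropped_files(root)
    dirs = count_payload_dirs(root)
    return {"dropped_files": files, "payload_dirs": dirs,
            "infected": bool(files) or any(dirs.values())}


def build_sample_tree(base):
    """Constructed tree that mimics the artifact layout with placeholder contents only."""
    base = Path(base)
    (base / "mirc").mkdir(parents=True, exist_ok=True)
    (base / "mirc" / "script.ini").write_text("; constructed placeholder, not the real script\n")
    ie = base / "Program Files" / "Internet Explorer"
    ie.mkdir(parents=True, exist_ok=True)
    (ie / "SPDTEST.ZIP").write_bytes(b"placeholder")            # upper-case on purpose
    common = base / "Program Files" / "Common Files"
    common.mkdir(parents=True, exist_ok=True)
    (common / "ONE.DAT").write_bytes(b"")                        # empty marker file
    for n in range(1, 6):                                        # 1o, 1oo, ..., 1ooooo
        (base / ("1" + "o" * n)).mkdir(exist_ok=True)
    (base / "2nn").mkdir(exist_ok=True)
    (base / "3x").mkdir(exist_ok=True)                           # decoy that must not match
    return base


def run_demo():
    """Assess a constructed infected-looking tree and an empty tree; returns both verdicts."""
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        return assess(build_sample_tree(infected)), assess(clean)


if __name__ == "__main__":
    suspicious, benign = run_demo()
    print("sample tree:", suspicious)
    print("empty tree:", benign)
```

The walk is done one path component at a time rather than with a single `exists()` call so the same check behaves identically on a case-sensitive filesystem (for example a disk image mounted on Linux) as on the original Windows host; the regexes are bounded by the counts the description gives so a single stray `1o` directory is still reported while unrelated names such as `3x` are not.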

F-Secure Anti-Virus detects the Spester worm with the current database updates.