Threat Description

Universe

Details

Category: Malware
Type: Worm
Platform: W32
Aliases: Universe, I-Worm.Universe, IWorm_Universe, Unis

Summary


Universe is a complex modular worm written by Benny of the 29a virus group.

The versions of this worm we've seen do not work. Thus, this worm does not pose any threat at this time.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.



Technical Details


The worm attempts to download additional modules (plugins) which change its functionality. Some of the modules are capable of spreading the worm over e-mail and to IRC channels.

One of the modules tries to send fake e-mail messages which mentions F-Secure, Symantec and Microsoft companies as well as names virus researchers from Symantec and F-Secure.

The fake e-mail looks like this:

From: "Microsoft Support" [support@microsoft.com]   
Reply-To: "Peter Szor" [pszor@symantec.com]   
To: "Mikko Hypponen" [mikko.hypponen@f-secure.com]   
Subject: Virus Alert     
Dear user     
F-Secure, Symantec and Microsoft, top leaders in IT technologies have   
discovered one very dangerous Internet worm called I-Worm.Universe in the   
wild. Author of this viral program is well known hacker from Europe under   
"Benny" nickname from 29A virus writting group.   
Universe is fast-spreading worm that already destroyed computer systems in   
FBI and Microsoft. It is heavilly encrypted and very complex. It consists   
from many independed parts called "modules", which are very variable - every   
second hour is producted one new module, that completelly changes behaviour   
of worm, including anti-detection tricks.   
You should check your system by our anti-virus attached to this mail. All   
reports please send to our mail address: universe@microsoft.com and/or   
universe@f-secure.com     
Have a nice day,         
F-Secure, Symantec and Microsoft, top leaders in IT technologies.

If you receive this fake e-mail, ignore it.

Technical description

The worm is capable of spreading through IRC channels as well as an attachment to e-mails. It is also able to affect RAR archives - it appends its code to RAR archives contents.

The worm code has many bugs and infected files halt the system in most of cases and fails to send its copies to Inet. So, the worm has very few chances to be discovered in-the-wild.

The worm functionality is based on so-called "plugins". The main worm component (Win32 EXE file about 12Kb long) that is sent with emails and to IRC channels is just a "loader" that connects to a user's webpage at Hyperlink.cz website, gets more worm components (plugins) from there, and then executes them. So, the worm functionality is completely dependent on plugins. There are five plugins known at the moment. All known worm components (main EXE file and plugins) are compressed with TeLoc Win32 PE EXE file compressor.

When the main worm EXE file is executed (from attached email file, for example), it stays in the system as a service (hidden application), copies itself to Windows System directory with the MSVBVM60.EXE name (do not mix it up with MSVBVM60.DLL Windows VisualBasic library) and registers this copy in Windows auto-run registry key:

SOFTWARE\Microsoft\Windows\CurrentVersion\Run  

The worm then gets connection to a user's page on Hyperlink.cz website (the site is located in Czech republic), gets its plugins from there (the plugins are listed in special file at that site) and stores them in Windows system directory with the following names:

MSVBVM6A.DLL  MSVBVM6B.DLL  MSVBVM6C.DLL  MSVBVM6D.DLL  e.t.c.  

These plugins are encrypted by Windows RSA crypto library, so the worm first decrypts them and then activates.

The worm then "sleeps" for some time (randomly selected - up to 5 minutes), and repeats all the above described steps again.

The main worm component contains the following text:

[I-Worm.Universe] by Benny/29A   

The 'Payload' plugins depending on system timer calls one of three procedures:

1. Affects MS Explorer: it sets default start, local, "what's new" and search pages to Therainforestsite.com website.

2. Gets the UNIVERSE.JPG file from worm's Web site and registers it as Windows desktop WallPaper.

3. Messes up the Desktop - randomly moves the blocks of it.

The 'Feedback' plugins reports about infected machine: it sends the report to "benny_29a@hushmail.com". The report contains the Internet name of an infected machine and the date and time of infection.

The 'Mail' plugins scans all HTML files in Internet cache directory, gets e-mail addresses from there and sends messages to these addresses. The sample of a message is given in the beginnning of the description.

The attached file UNICLEAN.ZIP actually is worm main component (loader), not a ZIP archive. If a victim user tries to open that file from email message a ZIP archiver will start and it will report about broken archive or wrong archive format. So the worm code will not be activated as a result under standard Windows installation.

The 'mIRC' plugins just drops to C:\MIRC32 directory (if exists) a new SCRIPT.INI file that contains the text:

;Default mIRC32 script  ;** DO NOT EDIT **  

and the instruction that sends worm "loader" to any user who enters an infected IRC channel.





Description Details: [Mikko Hypponen, F-Secure Corp., Eugene Kaspersky, KL; January 2000]


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More