W32.Icabdi.A

Classification

Category :

Malware

Type :

Virus

Aliases :

W32.Icabdi.A, Trojan-Dropper.Win32.Agent.akc

Summary

W32.Icabdi.A is a proof-of-concept virus that infects Microsoft InfoPath 2003 .xsn files. When run the virus executable searches for local .xsn files, modifies them by attempting to inject malicious script, and then attempts to rebuild the .xsn file so that its tracks are covered. The .xsn file then sits in wait for a user to access the file and launch the malicious script.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The virus arrives as an executable (.exe) file.When the W32.Icabdi.A file is executed it first searches for .xsn files within the same directory.

For each .xsn file that it finds the virus will then extract the file contents into a temporarily created directory named "iCab". The .xsn file type is a kind of cabinet (cab) file that contains additional parts and files.

The virus then searches the extracted files for "script.js" and attempts to insert its own script into the file. Once the script is inserted, the virus then attempts to rebuild the cabinet files as a .xsn and puts it back into place where it was found, replacing the original file.

When the inserted script is run:It uses ActiveX to create an file named "iCab.txt". This file is used the rebuild the iCab.exe file.It next creates a random number the result of which will generate one of ten messages that will apear on the user's screen. See the image below for an example:

The messages include:

"Fighting for peace is like f**king for virginity!"
Freedom is just another word for nothing left to lose!" 
- (Me And Bobby McGee by Janis Joplin) 
I do not know with what weapons World War III will be fought, but World War IV will be fought with sticks and stones."
(by Albert Einstein) 
"I'm not a prisoner - I'm a FREE man!" 
- (The Prisoner by Iron Maiden)
"Imagine all the people living life in PEACE!"

-
(Imagine by John Lennon) 
"No Gods, No Masters" 
- Against all Authority: ANARCHISM!" 
"Our Word is Our Weapon." 
- (by Subcomandante Marcos) 
"Sometime they will give a war and nobody will come!"
- (by Carl Sandberg)

"The easiest way to gain control of the population is to carry out acts of terror the public will clamor for such laws if the personal security is threatened."
- (by Joseph Stalin)

Inside of the script used there is also an additional message:"This proof-of-concept Infopath virus has been done by [Second Part To Hell]" and includes links to the virus writer's web page(s).

The rebuilt "iCab.exe" file is located to the C: drive and the script then checks for itself so as to avoid a loop of reinfection.