Network Status

We are seeing a high rate of the Sober worm making its way through the mail servers. While we make every effort to scan incoming mail for such viruses, occasionally one can make it through. We ask everyone to pay particular attention to the details listed below. We are noting an increase in infected systems and are making every effort to notify our customers when we find that an offending IP address belongs to one of our users. This infected email arrives as an attachment. Do NOT open any attachment that you are not 100% sure of. Please read the Sober virus explanation below thoroughly.

Malware type: Worm
Aliases: W32/Sober, W32/Sober.O@mm, Win32/Sober.Q@mm
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP
Encrypted: No
Characteristics: Propagates via email
Overall risk rating: Medium

Reported infections: Low
Damage potential: High
Distribution potential: High
Details:

Installation and Autostart Technique

Upon execution, this memory-resident worm displays the following fake error message:

ERROR: CRC not complete

It then drops the following copies of itself in the %Windows%\Connection Wizard\Status folder:

  • CSRSS.EXE
  • SERVICES.EXE
  • SMSS.EXE

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It then terminates its original file. Afterward, it executes its dropped file SERVICES.EXE and uses the other dropped files, SMSS.EXE and CSRSS.EXE, as subprocesses of that running copy of itself.

It also drops the following BASE64-encoded versions of itself in the said location:

  • Packed1.sbr
  • Packed2.sbr
  • Packed3.sbr

It also drops the following files, which it uses to store collected email addresses for its mass-mailing routine:

  • Sacri1.ggg
  • Sacri2.ggg
  • Sacri3.ggg
  • Voner1.von
  • Voner2.von
  • Voner3.von

It also drops the following files:

  • %Windows%\Connection Wizard\Status\fastso.ber
  • %System%\adcmmmmq.hjg
  • %System%\langeinf.lin
  • %System%\nonrunso.ber
  • %System%\seppelmx.smx
  • %System%\xcvfpokd.tqa

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP.)

This worm then creates the following registry entry to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WinStart = "%Windows%\Connection Wizard\Status\services.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
WinStart = "%Windows%\Connection Wizard\Status\services.exe"

Mass-Mailing Routine

This worm uses its own SMTP (Simple Mail Transfer Protocol) engine to mass-mail copies of itself to email addresses it obtains from files with the following extensions:

  • ABC
  • ABD
  • ABX
  • ADB
  • ADE
  • ADP
  • ADR
  • ASP
  • BAK
  • BAS
  • CFG
  • CGI
  • CLS
  • CMS
  • CSV
  • CTL
  • DBX
  • DHTM
  • DOC
  • DSP
  • DSW
  • EML
  • FDB
  • FRM
  • HLP
  • IMB
  • IMH
  • IMM
  • INBOX
  • INI
  • JSP
  • LDB
  • LDIF
  • LOG
  • MBX
  • MDA
  • MDB
  • MDE
  • MDW
  • MDX
  • MHT
  • MMF
  • MSG
  • NAB
  • NCH
  • NFO
  • NSF
  • NWS
  • ODS
  • OFT
  • PHP
  • PHTM
  • PL
  • PMR
  • PP
  • PPT
  • PST
  • RTF
  • SHTML
  • SLK
  • SLN
  • STM
  • TBB
  • TXT
  • UIN
  • VAP
  • VBS
  • VCF
  • WAB
  • WSH
  • XHTML
  • XLS
  • XML

However, it avoids addresses that contain any of the following strings:

  • -dav
  • .dial.
  • .kundenserver.
  • .ppp.
  • .qmail@
  • .sul.t-
  • @arin
  • @avp
  • @ca.
  • @example.
  • @foo.
  • @from.
  • @gmetref
  • @iana
  • @ikarus.
  • @kaspers
  • @messagelab
  • @nai.
  • @panda
  • @smtp.
  • @sophos
  • @www
  • abuse
  • announce
  • antivir
  • anyone
  • anywhere
  • bellcore.
  • bitdefender
  • clock
  • detection
  • domain.
  • emsisoft
  • ewido.
  • free-av
  • freeav
  • ftp.
  • gold-certs
  • google
  • host.
  • iana-
  • iana@
  • icrosoft.
  • info@
  • ipt.aol
  • law2
  • linux
  • mailer-daemon
  • mozilla
  • mustermann@
  • nlpmail01.
  • noreply
  • nothing
  • ntp-
  • ntp.
  • ntp@
  • reciver@
  • secure
  • smtp-
  • somebody
  • someone
  • spybot
  • sql.
  • subscribe
  • support
  • t-dialin
  • t-ipconnect
  • test@
  • time
  • user@
  • variabel
  • verizon.
  • viren
  • virus
  • whatever@
  • whoever@
  • winrar
  • winzip
  • you@
  • yourname

This worm sends email messages in German when it obtains email addresses with GMX as the domain name (for example, if the email address has gmx.de or gmx.net as its extension), or with any of the following domain extensions:

  • AT
  • CH
  • DE
  • LI

The messages this worm sends out contain the following details:

From: (any of the following)
• Admin
• Hostmaster
• Info
• Postmaster
• Register
• Service
• Webmaster

German Subjects: any of the following
• Glueckwunsch: Ihr WM Ticket
• Ich bin's, was zum lachen ;)
• Ihr Passwort
• Ihre E-Mail wurde verweigert
• Mail-Fehler!
• WM Ticket Verlosung
• WM-Ticket-Auslosung

English Subjects: any of the following
• mailing error
• Re:
• Registration Confirmation
• Your email was blocked
• Your Password

Message body (German): any of the following

• Passwort und Benutzer-Informationen befinden sich in der beigefuegten Anlage.
*-* http://www.<generated string>
*-* MailTo: PasswordHelp

• Diese E-Mail wurde automatisch erzeugt
Mehr Information finden Sie unter http://www.<generated string>

• ----------
Folgende Fehler sind aufgetreten:

Fehler konnte nicht Explicit ermittelt werden

End Transmission
----------

• Aus Datenschutzrechtlichen Gruenden, muss die vollstaendige E-Mail incl. Daten gezippt & angehaengt werden.
Wir bitten Sie, dieses zu beruecksichtigen.
Auto ReMailer# [<generated string>]

• Nun sieh dir das mal an!
Was ein Ferkel ....

Herzlichen Glueckwunsch,

beim Run auf die begehrten Tickets f

Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang

Ihr ok2006 Team
St. Rainer Gellhaus


--- FIFA-Pressekontakt:
--- Pressesprecher Jens Grittner und Gerd Graus
--- FIFA Fussball-Weltmeisterschaft 2006
--- Organisationskomitee Deutschland
--- Tel. 069 / 2006 - 2600
--- Jens.Grittner@ok2006.de
--- Gerd.Graus@ok2006.de

followed by any of the following:

• **** Mail-Scanner: Es wurde kein Virus festgestellt
**** <generated string> AntiVirus Service
**** WebSite: http://www.<generated string>

• **** AntiVirus: Kein Virus gefunden
**** <generated string> AntiVirus Service
**** WebSite: http://www.<generated string>

• **** AntiVirus-System: Kein Virus erkannt
**** <generated string> AntiVirus Service
**** WebSite: http://www.<generated string>

Message body (English): any of the following

• Account and Password Information are attached!

Visit: http://www.<generated string>

• This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached

• ok ok ok,,,,, here is it

followed by any of the following:

• *** Attachment-Scanner: Status OK
*** <generated string> Anti-Virus
*** http://www.<generated string>

• *** AntiVirus: No Virus found
*** <generated string> Anti-Virus
*** http://www.<generated string>

• *** Server-AntiVirus: No Virus (Clean)
*** <generated string> Anti-Virus
*** http://www.<generated string>

Attachment: (any of the following)
• _PassWort-Info.zip
• account_info.zip
• account_info-text.zip
• autoemail-text.zip
• error-mail_info.zip
• Fifa_Info-Text.zip
• LOL.zip
• mail_info.zip
• okTicket-info.zip
• our_secret.zip
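
The lure traits listed above (sender display names, subject lines, the bogus "no virus found" footers and the attachment names) are what a mail gateway can match on. The following is an added example, not code from the advisory or from Integra: a small scoring filter that checks an inbound message against those traits. The sample messages, the example.net/example.org addresses and the scoring weights are constructed for the demonstration.

```python
"""Added example, not code from the advisory or from Integra: score an inbound
message against the Sober lure traits listed above (sender display names,
subjects, fake 'no virus found' footers, attachment names), the way a
gateway content filter would. The sample messages are constructed here."""
import email
from email import policy
from email.message import EmailMessage

SENDER_NAMES = {"admin", "hostmaster", "info", "postmaster", "register",
                "service", "webmaster"}
# "Re:" is omitted on purpose: on its own it matches far too much legitimate mail.
SUBJECTS = {s.lower() for s in (
    "Glueckwunsch: Ihr WM Ticket", "Ich bin's, was zum lachen ;)", "Ihr Passwort",
    "Ihre E-Mail wurde verweigert", "Mail-Fehler!", "WM Ticket Verlosung",
    "WM-Ticket-Auslosung", "mailing error", "Registration Confirmation",
    "Your email was blocked", "Your Password")}
ATTACHMENTS = {a.lower() for a in (
    "_PassWort-Info.zip", "account_info.zip", "account_info-text.zip",
    "autoemail-text.zip", "error-mail_info.zip", "Fifa_Info-Text.zip", "LOL.zip",
    "mail_info.zip", "okTicket-info.zip", "our_secret.zip")}
# Fragments of the bogus scanner footers the worm appends to its messages.
FAKE_SCAN_MARKERS = ("kein virus", "no virus", "attachment-scanner: status ok")


def score_message(raw):
    """Return (score, reasons) for an RFC 5322 message given as text.
    Header and body traits add one point each; a listed attachment name adds two."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    display = str(msg.get("From", "")).partition("<")[0].strip().strip('"')
    if display.lower() in SENDER_NAMES:
        reasons.append("sender display name")
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        reasons.append("lure subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(marker in text for marker in FAKE_SCAN_MARKERS):
        reasons.append("fake antivirus footer")
    score = len(reasons)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            reasons.append(f"listed attachment name: {name}")
            score += 2
        elif name.endswith(".zip"):
            reasons.append(f"zip attachment: {name}")
            score += 1
    return score, reasons


def is_suspect(raw, threshold=3):
    """A message at or above the threshold should be quarantined for review."""
    return score_message(raw)[0] >= threshold


def make_sample(sender, subject, body, attachment_name=None):
    """Build a constructed test message (demo helper, not part of the filter)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        # An empty zip archive (end-of-central-directory record only).
        m.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                         subtype="zip", filename=attachment_name)
    return m.as_string()


# Constructed samples: one message shaped like the English lure, one ordinary reply.
LURE = make_sample("Postmaster <postmaster@example.net>", "Your Password",
                   "Account and Password Information are attached!\n\n"
                   "Visit: http://www.example.invalid\n\n"
                   "*** AntiVirus: No Virus found\n*** Example Anti-Virus\n",
                   "account_info.zip")
BENIGN = make_sample("Alice <alice@example.org>", "Re: lunch", "Noon works for me.\n")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The lure sample scores 5 (sender name, subject, fake footer, listed attachment) and the ordinary reply scores 0. A threshold of 3 means a single matching subject or a lone .zip attachment never quarantines on its own; the combination of a generic display name, a lure subject and a zip attachment does.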


It also has the capability to delete certain files. It may delete files whose names match the following patterns:

  • A*.exe
  • Luc*.exe
  • Ls*.exe
  • Luu*.exe

Other Details

Based on its code, this worm checks for a network connection by performing the following steps:

  1. Check if at least one RAS (Remote Access Services) connection is active
  2. Connect to one of the following NTP servers using port 37/TCP:
    • cuckoo.nevada.edu
    • ntp.lth.se
    • ntp.massayonet.com.br
    • ntp.metas.ch
    • ntp.pads.ufrj.br
    • ntp1.arnes.si
    • ntp-1.ece.cmu.edu
    • ntp-2.ece.cmu.edu
    • ntp3.fau.de
    • ntp-sop.inria.fr
    • Rolex.PeachNet.edu
    • rolex.usg.edu
    • sundial.columbia.edu
    • time.kfki.hu
    • time.nist.gov
    • time.xmission.com
    • time-a.timefreq.bldrdoc.gov
    • time-ext.missouri.edu
    • timelord.uregina.ca
    • time-server.ndo.com
    • utcnist.colorado.edu
  3. Connect to one of the following URLs:
    • aol.com
    • arcor.de
    • bluewin.ch
    • cia.gov
    • fbi.gov
    • google.com
    • heise.de
    • hotmail.com
    • ibm.com
    • icq.com
    • microsoft.com
    • msdn.microsoft.com
    • ragnarokonline.com
    • security.nl
    • symantec.com
    • t-online.de
    • yahoo.com
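
The connectivity check in step 2 is a useful network-side indicator. The advisory calls the hosts NTP servers, but port 37/TCP is the older RFC 868 Time service rather than NTP (which uses 123/UDP), and normal Windows time synchronisation does not use it, so any internal host opening TCP port 37 outbound deserves a look. The following is an added example, not code from the advisory or from Integra: it pulls candidate hosts out of firewall log lines. The key=value log format, the 192.0.2.x addresses and the timestamps are constructed for the demonstration, and it assumes the log records destination hostnames (most firewalls log IPs, so in practice the dst field would be resolved first).

```python
"""Added example, not code from the advisory or from Integra: pull candidate
infected hosts out of firewall log lines by spotting the TCP port 37 probe
described above. The key=value log format, the addresses and the timestamps
are constructed for the demonstration."""
from collections import defaultdict

# Time servers named in the advisory, lower-cased for comparison.
TIME_HOSTS = {h.lower() for h in (
    "cuckoo.nevada.edu", "ntp.lth.se", "ntp.massayonet.com.br", "ntp.metas.ch",
    "ntp.pads.ufrj.br", "ntp1.arnes.si", "ntp-1.ece.cmu.edu", "ntp-2.ece.cmu.edu",
    "ntp3.fau.de", "ntp-sop.inria.fr", "Rolex.PeachNet.edu", "rolex.usg.edu",
    "sundial.columbia.edu", "time.kfki.hu", "time.nist.gov", "time.xmission.com",
    "time-a.timefreq.bldrdoc.gov", "time-ext.missouri.edu", "timelord.uregina.ca",
    "time-server.ndo.com", "utcnist.colorado.edu")}

# Constructed log: 192.0.2.x are documentation addresses, not real hosts.
SAMPLE_LOG = """\
2005-11-21T09:12:44Z action=allow proto=tcp src=192.0.2.15 dst=time.nist.gov dport=37
2005-11-21T09:12:45Z action=allow proto=tcp src=192.0.2.15 dst=google.com dport=80
2005-11-21T09:13:02Z action=allow proto=udp src=192.0.2.20 dst=time.nist.gov dport=123
2005-11-21T09:14:10Z action=deny proto=tcp src=192.0.2.33 dst=rolex.usg.edu dport=37
2005-11-21T09:15:00Z action=allow proto=tcp src=192.0.2.20 dst=example.org dport=443
2005-11-21T09:16:30Z action=allow proto=tcp src=192.0.2.15 dst=tick.example.org dport=37
"""


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict (keys as in the constructed log)."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def find_time_probes(log_text):
    """Return {src: [(ts, dst, action, listed)]} for every TCP connection to port 37.
    'listed' is True when the destination is one of the advisory's time servers.
    Denied attempts count too: the probe itself is the signal, not its success."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("proto") == "tcp" and f.get("dport") == "37":
            hits[f["src"]].append((f["ts"], f["dst"], f["action"],
                                   f["dst"].lower() in TIME_HOSTS))
    return dict(hits)


def hosts_to_investigate(log_text):
    """Sources with at least one probe to a listed server, most probes first."""
    probes = find_time_probes(log_text)
    ranked = sorted(probes, key=lambda src: -len(probes[src]))
    return [src for src in ranked if any(p[3] for p in probes[src])]


if __name__ == "__main__":
    for src, probes in find_time_probes(SAMPLE_LOG).items():
        print(src, probes)
    print("investigate:", hosts_to_investigate(SAMPLE_LOG))
```

On the sample log the host using UDP/123 (ordinary NTP) is ignored, while the two hosts that opened TCP/37 are reported, including the one whose attempt the firewall denied. The step 3 destinations (google.com, microsoft.com and so on) are ordinary sites that every user visits, so they are not worth alerting on by themselves; they only add confidence once a host has already been flagged by the port 37 probe.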

It also disables the Windows XP SP2 firewall and the Windows Automatic Updates feature by modifying the following registry entries, if they exist:

HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall = "0"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall = "0"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
AUOptions = "0"
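
The registry entries above, together with the WinStart autostart value described under "Installation and Autostart Technique", are the host-side indicators that survive a reboot. The following is an added example, not code from the advisory or from Integra: it reads a registry export in the text format that reg export writes and reports the autostart entry, a disabled Standard Profile firewall and an AUOptions value of 0. The .reg sample is constructed for the demonstration; the benign entries in it are invented.

```python
"""Added example, not code from the advisory or from Integra: scan a Windows
registry export (the .reg text that 'reg export' writes) for the autostart
entry and the firewall/Automatic Updates downgrades listed in this advisory.
SAMPLE_EXPORT is constructed for the demonstration."""
import re

# Keys named in the advisory, lower-cased because registry paths are case-insensitive.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
FIREWALL_KEY_RE = re.compile(
    r"^hkey_local_machine\\system\\(controlset\d{3}|currentcontrolset)\\services"
    r"\\sharedaccess\\parameters\\firewallpolicy\\standardprofile$"
)
AU_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
          r"\windowsupdate\auto update")
# Tail of the autostart value the advisory gives (the %Windows% prefix varies).
DROPPED_EXE = r"\connection wizard\status\services.exe"


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from .reg text.
    Keys and value names are lower-cased; data is left exactly as written."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip().strip('"').lower()] = data.strip()
    return keys


def reg_string(data):
    """Decode a quoted .reg string: drop the quotes and undo the doubled backslashes."""
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def reg_dword(data):
    """Decode 'dword:0000000X' (hex) or a quoted decimal string to an int."""
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return int(reg_string(data))


def find_sober_indicators(reg_text):
    """Return human-readable findings for the entries this advisory lists."""
    findings = []
    for path, values in parse_reg_export(reg_text).items():
        if path in RUN_KEYS:
            # Surrounding quotes are stripped in case the value was stored quoted.
            target = reg_string(values.get("winstart", "")).strip('"')
            if target.lower().endswith(DROPPED_EXE):
                findings.append(f"autostart: {path}\\WinStart -> {target}")
        elif FIREWALL_KEY_RE.match(path):
            if "enablefirewall" in values and reg_dword(values["enablefirewall"]) == 0:
                findings.append(f"firewall disabled: {path}")
        elif path == AU_KEY:
            if "auoptions" in values and reg_dword(values["auoptions"]) == 0:
                findings.append(f"automatic updates disabled: {path}")
    return findings


# Constructed export: the SoundTray and ctfmon entries stand in for normal content.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\Example Audio\\tray.exe"
"WinStart"="C:\\WINDOWS\\Connection Wizard\\Status\\services.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000004
"""

if __name__ == "__main__":
    for finding in find_sober_indicators(SAMPLE_EXPORT):
        print(finding)
```

On the sample the autostart entry and the disabled firewall are reported; AUOptions is 4 there, so it is not. A real export written by reg export on Windows is UTF-16 text, so read it with encoding="utf-16" before handing it to find_sober_indicators. Because the autostart check matches on the tail of the path, it works whether %Windows% was C:\Windows or C:\WINNT.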

It is compiled using Visual Basic 5.00/6.00, a high-level programming language.

 
5of 23
Virus Alerts


Email Protection by:
Privacy Statement  Terms of Service  Contact © 2003 Integra Communications, Inc. All rights reserved.


 Home   |   Specials    |  Links    |  Contacts    |      |   

© 2003 Integra Communications, Inc. All rights reserved