Description
Win32.HLLM.Borm.55808 is a mass-mailing worm that affects computers running the Windows 95/98/Me/NT/2000/XP operating systems.
The worm is written in the high-level programming language Borland Delphi and packed with the UPX compression utility.
To propagate, the worm uses e-mail, sending copies of itself to all the addresses found in the Inbox folder of Microsoft Outlook Express, and the ICQ network; it also attempts to spread through file-sharing networks.
The worm drops a Trojan component that opens port 81, which leads to compromise of the system.
Launching
To secure its automatic execution at every Windows startup the worm modifies the following registry keys:
"svchost" = %WinDir%\SVCHOST.EXE
"svchost" = %WinDir%\SVCHOST.EXE
Spreading
The mail message generated by the worm may look as follows:
The subject of the message is chosen by the worm from the following list of subjects:
Check this out, btw, download this, I wanted to show you this, please check out, hey go to, See if you can get this to work, this is cool, this is funny, Free porn at lol, is this you? whats this? This is me, Whats wrong with? wtf? hmmmm, Hahaha, F**k this, weird, HOLY S**T, WOW CHECK THIS OUT, omg omg omg I found the best app, What have they done with you? Is this possible? rofl, b**** ;), How come this happened? This is me naked, Sex me up This guy is a moron, Check this out This is what you wanted, right? Microsoft Windows Security Update See if you can get this to work I admit it ... I love you Sex me up baby This is so funny To be or not to be? B-ville did it again ... Company information Here you go, I recall you asked for this. Hey sweety, check the attachement. How do you feel about this? Please do not make this public, thank you. Please install this update, its required Come on honey! I love this funny game, check it out. This is the stock information you wanted. Keep it a secret please
The attachment may bear one of the following names:
- Q349247.exe
- information.DOC.exe
- Saddam_Game.exe
- I_Love_U.exe
- NakedPics.JPG.exe
- FreeSex.exe
- B-ville.exe
- StockInformation.XLS.exe
- SecretFile.exe
- Attachement.exe
Attachment size: 55 808 bytes.
To propagate across file-sharing networks the worm places numerous copies of itself on the system under the following names:
- Command & Conquer Generals.exe
- Command & Conquer Generals Crack.exe
- Gods & Generals.exe
- Gods & Generals Crack.exe
- The Sims 4.exe
- The Sims 4 Crack.exe
- Splinter Cell.exe
- Splinter Cell Crack.exe
- Raven Shield - Crack.exe
- Raven Shield Keygenerator - WORKS ONLINE.exe
- Mortal Kombat - Deadly Alliance.exe
- GTA 4 - BETA.exe
- Unreal 2 Crack.exe
- Unreal 2 - The Awakening.exe
- Warcraft III - The Frozen Throne.exe
To spread via mIRC the worm modifies the MIRC.INI file in the mIRC directory. Once the changes are made, whenever a user of the infected machine connects to an IRC server, the worm sends every user on the network a link containing the IP address of the infected computer and the number of the port it has opened.
Action
Having been executed, the worm drops the files SVCHOST.EXE and SETUP.EXE into the Windows folder (C:\Windows on Windows 9x/ME/XP, C:\WINNT on Windows NT/2000).
The Trojan component of the worm, MSAPI.EXE, is placed by the worm in the same folder. Its size is 16,416 bytes. A file of the same length but named WINSYST32.EXE is dropped into the Windows system folder (C:\Windows\System on Windows 9x/ME, C:\WINNT\System32 on Windows NT/2000, C:\Windows\System32 on Windows XP).
To secure its automatic execution at every Windows restart the Trojan modifies the following registry entries:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
"WinSyst32" = WINSYST32.EXE
There is a string in the worm’s code:
- b0rm_v0.1
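As an added example that is not part of the original description, the following Python checks an exported inventory of autorun registry values and files against the indicators given above (the Run/RunServices/RunOnce keys, the "svchost" and "WinSyst32" values, the 16,416-byte Trojan files and the 55,808-byte attachment names). The inventory tuples it is run on are constructed sample data, not taken from a real host.

```python
# Added example, not part of the original description: flag autorun entries and
# files matching the indicators listed above. Input is a constructed sample of
# (registry key, value name, data) and (path, size) tuples; nothing here touches
# a live registry or file system, so it also runs on a non-Windows host.
import ntpath

AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
# Value name -> file name registered there, as given in the description.
AUTORUN_VALUES = {"svchost": "SVCHOST.EXE", "winsyst32": "WINSYST32.EXE"}
TROJAN_NAMES, TROJAN_SIZE = {"MSAPI.EXE", "WINSYST32.EXE"}, 16416
ATTACHMENT_NAMES = {"Q349247.EXE", "INFORMATION.DOC.EXE", "SADDAM_GAME.EXE",
                    "I_LOVE_U.EXE", "NAKEDPICS.JPG.EXE", "FREESEX.EXE", "B-VILLE.EXE",
                    "STOCKINFORMATION.XLS.EXE", "SECRETFILE.EXE", "ATTACHEMENT.EXE"}
WORM_SIZE = 55808  # attachment size given in the description

def check_autoruns(entries):
    """entries: iterable of (key, name, data). Returns the matching entries."""
    hits = []
    for key, name, data in entries:
        expected = AUTORUN_VALUES.get(name.lower())
        # Compare the file name only: data may be a bare name or a full path.
        if (key in AUTORUN_KEYS and expected
                and ntpath.basename(data.strip('"')).upper() == expected):
            hits.append((key, name, data))
    return hits

def check_files(files):
    """files: iterable of (path, size_in_bytes). Returns (path, reason) pairs."""
    hits = []
    for path, size in files:
        name = ntpath.basename(path).upper()
        parent = ntpath.basename(ntpath.dirname(path)).upper()
        if name in TROJAN_NAMES and size == TROJAN_SIZE:
            hits.append((path, "Trojan component, 16,416 bytes"))
        elif name in ATTACHMENT_NAMES and size == WORM_SIZE:
            hits.append((path, "worm attachment, 55,808 bytes"))
        elif name == "SVCHOST.EXE" and parent in ("WINDOWS", "WINNT"):
            # The genuine svchost.exe lives in System32; a copy directly in the
            # Windows folder is the file the worm drops there.
            hits.append((path, "SVCHOST.EXE dropped in the Windows folder"))
    return hits

if __name__ == "__main__":  # constructed sample inventory
    print(check_files([(r"C:\WINDOWS\MSAPI.EXE", 16416), (r"C:\WINNT\SVCHOST.EXE", 55808)]))
```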