I-Worm.Cult
This is a worm that spreads via the Internet as an attachment to infected emails and through the Kazaa file-sharing network. The worm also has a backdoor component.
The worm itself is a Windows PE EXE file about 13 KB in size, compressed with FSG.
Installing
When installing, the worm copies itself to the Windows system directory under the name "winupdate.exe" and registers that file in the system registry auto-run keys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft auto update = winupdate.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft auto update = winupdate.exe
The worm also creates a system registry key and stores its internal data there:
HKLM\SOFTWARE\Microsoft\WDXDriver
stv1=
stv2=
stv3=
stv4=
xdvd=
The worm then displays a fake error message:
Application Error
The instruction at |0x776456de| referenced memory at |0x623525dg3|. The memory
could not be |read|
Click on OK to terminate the application
Spreading: Email
The infected messages have the following fields:
Subject:
Hi, I sent you an eCard from BlueMountain.com
Message body:
To view your eCard, open the attachment
<
If you have any comments or questions, please visit
http://www.bluemountain.com/customer/index.pd
Thanks for using BlueMountain.com.
Attached file name:
BlueMountaineCard.pif
The worm activates from an infected email only if the user opens the attached file. It then installs itself in the system and runs its spreading routines.
Spreading: Kazaa
The worm creates a subdirectory named "Kazaa" in the Windows system directory and copies itself there under the following names:
"SMS_sender.exe"
"DivX 5.03 Codecs.exe"
"Download accelarator.exe"
"PaintShop Pro 7 Crack_By_Force.exe"
"ZoneAlarm Pro KeyGen.exe"
The "Kazaa" directory is then registered as a Kazaa shared folder.
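The following script is an added defensive example and is not part of the original description. It turns the indicators listed in the Installing, Spreading: Email and Spreading: Kazaa sections (the auto-run values, the WDXDriver data key, the dropped "winupdate.exe" copy, the Kazaa lure file names, the eCard subject line and the .pif attachment name) into simple matching checks. The registry export, file list and email fields it runs against are constructed sample inputs; the extra check that flags any .pif attachment, not only the exact lure name, is a generalization I added, not something the description states.

```python
"""Indicator matching for the I-Worm.Cult description.

Added example, not part of the original description. Indicators come from
the description; SAMPLE_REG, SAMPLE_FILES and SAMPLE_MAIL are constructed.
"""

# Auto-run locations the worm writes, in .reg export spelling (HKCU -> HKEY_CURRENT_USER).
AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
AUTORUN_VALUE_NAME = "Microsoft auto update"
DROPPED_NAME = "winupdate.exe"
DATA_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WDXDriver"

# File names the worm uses for its copies in the shared "Kazaa" directory.
KAZAA_NAMES = {
    "sms_sender.exe",
    "divx 5.03 codecs.exe",
    "download accelarator.exe",
    "paintshop pro 7 crack_by_force.exe",
    "zonealarm pro keygen.exe",
}

MAIL_SUBJECT = "Hi, I sent you an eCard from BlueMountain.com"
MAIL_ATTACHMENT = "BlueMountaineCard.pif"

# Constructed registry export: one auto-run hit plus the worm's data key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft auto update"="winupdate.exe"
"SomeLegitApp"="C:\\Program Files\\App\\app.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WDXDriver]
"stv1"=""
"xdvd"=""
"""

# Constructed file listing: dropped copy, one Kazaa lure, one benign file.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\winupdate.exe",
    r"C:\WINDOWS\system32\Kazaa\ZoneAlarm Pro KeyGen.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]

# Constructed email fields matching the lure message.
SAMPLE_MAIL = (MAIL_SUBJECT, ["BlueMountaineCard.pif"])


def parse_reg_export(text):
    """Parse .reg export text into {key_path: {value_name: string_data}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip('"')
    return keys


def check_registry(reg):
    """Flag the worm's auto-run value and its WDXDriver data key."""
    hits = []
    for key in AUTORUN_KEYS:
        data = reg.get(key, {}).get(AUTORUN_VALUE_NAME, "")
        if data.lower().endswith(DROPPED_NAME):
            hits.append(f"autorun: {key}\\{AUTORUN_VALUE_NAME} = {data}")
    if DATA_KEY in reg:
        hits.append(f"data key present: {DATA_KEY}")
    return hits


def check_files(paths):
    """Flag the dropped copy and the Kazaa lure file names by basename."""
    hits = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in KAZAA_NAMES:
            hits.append(f"kazaa lure: {path}")
        elif name == DROPPED_NAME:
            hits.append(f"dropped copy: {path}")
    return hits


def check_mail(subject, attachments):
    """Flag the eCard lure subject and its .pif attachment."""
    hits = []
    if subject.strip() == MAIL_SUBJECT:
        hits.append("subject matches eCard lure")
    for att in attachments:
        if att.lower() == MAIL_ATTACHMENT.lower():
            hits.append(f"attachment matches lure: {att}")
        elif att.lower().endswith(".pif"):  # generalization: any .pif attachment
            hits.append(f"executable .pif attachment: {att}")
    return hits


def scan_all():
    """Run all checks over the constructed samples and return every hit."""
    subject, attachments = SAMPLE_MAIL
    return (check_registry(parse_reg_export(SAMPLE_REG))
            + check_files(SAMPLE_FILES)
            + check_mail(subject, attachments))


if __name__ == "__main__":
    for hit in scan_all():
        print(hit)
```

On a real host the registry text would come from `reg export` of the two auto-run keys and HKLM\SOFTWARE\Microsoft, and the file list from a walk of the system directory; the email check fits a mail gateway rule on Subject and attachment name.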
The Backdoor Routine
The backdoor routine connects to an IRC channel, listens for commands from its "master" and performs several actions at the master's request:
- reports system information
- downloads a file from an URL
- runs files
- etc.