Worm/Cuervo - Worm
Alias: VBS/Cuerpo.A
Type: Worm
Size:
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version: 6.23.00.00
Danger: Low
Distribution: Medium
Distribution
The worm searches for email addresses in all files with the extensions .txt, .na2, .wab, .mbx, .dbx and .dat. It sends itself using Microsoft Outlook. The email looks like this:
Subject: the attachment name, without its extension
Attachment: the file name varies, but it is the same as the name of the file created in the system directory.
Technical Details
Worm/Cuervo is programmed in Visual Basic. It creates a series of .HTML and .VBS files, modifies registry entries and replaces the Internet Explorer start page with its own HTML file.
Cuervo looks in the Outlook Inbox for emails with attachments. If it finds such an email, the worm copies its code into a file in the system directory that is named after the attachment found, with the extension .VBS.
After running WINSTART.BAT, the worm tries to copy itself to the following directories:
C:\%WinDIR%\startm~1\programs\startup\
C:\%WinDIR%\menudé~1\programmes\démarrage\
C:\%WinDIR%\menuin~1\programas\inicio\
C:\%WinDIR%\alluse~1\menuin~1\programas\iniciar\
C:\%WinDIR%\startmenü\programme\autostart\
Worm/Cuervo also creates a file in the C:\RECYCLED directory and in the Windows system directory, and registers them:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\%entry% = %filename%.vbs
Then the worm replaces the Internet Explorer start page with a file named BLANK.HTM from the system directory. After the infection, it opens the following Internet site: http://www.freedonation.com.
The following registry entry is made:
HKLM\Software\Microsoft\Internet Explorer\Main\Start Page = C:\%WinDIR%\%SystemDIR%\BLANK.HTML
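A triage check for the two registry changes described above, as an added example that is not part of the original description: it scans `reg query`-style text for Run values that point at .vbs files and for an Internet Explorer Start Page set to a local BLANK.HTM/BLANK.HTML file. The sample input is constructed, and flagging every .vbs Run value is an assumption made because the worm's value name and file name vary.

```python
import re

# Registry locations named in the description above (compared lower-case).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IE_MAIN = r"hkey_local_machine\software\microsoft\internet explorer\main"
VALUE_RE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query` style text."""
    key = None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(3).strip()

def findings(text):
    """Return (reason, value_name, data) for entries matching the write-up."""
    hits = []
    for key, name, data in parse_reg_query(text):
        k, d = key.lower(), data.strip('"').lower()
        if k == RUN_KEY and d.endswith(".vbs"):
            # Autostart entry that launches a script; note the RECYCLED copy.
            reason = "run-vbs-recycled" if "\\recycled\\" in d else "run-vbs"
            hits.append((reason, name, data))
        elif k == IE_MAIN and name.lower() == "start page":
            # A start page that is a local BLANK.HTM/.HTML file, not a URL.
            if re.fullmatch(r"(file:///?)?[a-z]:[\\/].*blank\.html?", d):
                hits.append(("ie-start-page-local-file", name, data))
    return hits

# Constructed sample input (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    invoice    REG_SZ    C:\WINDOWS\SYSTEM\invoice.vbs
    holiday    REG_SZ    C:\RECYCLED\holiday.VBS
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /quiet

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
    Start Page    REG_SZ    C:\WINDOWS\SYSTEM\BLANK.HTML
    Search Page    REG_SZ    http://www.example.com/search
"""

if __name__ == "__main__":
    for reason, name, data in findings(SAMPLE):
        print(f"{reason:26} {name}: {data}")
```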
Description created by Crony Walker on Tue, 15 Jun 2004 14:00 (GMT+1)
© 2008 Avira GmbH