Virus: Worm/Small.B.3
Date discovered: 03/06/2006
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 119.296 Bytes
MD5 checksum: 58180E0Dd5ff2df69979336c343e32f0
VDF version: 6.34.01.182
IVDF version: 6.34.01.188 - Tuesday, June 6, 2006

General
Method of propagation:
   • Email


Aliases:
   •  Kaspersky: Email-Worm.Win32.Small.b
   •  TrendMicro: WORM_SMALL.MS
   •  Eset: Win32/PSW.Delf.NAM
   •  Bitdefender: Win32.Olia.A@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Drops a malicious file
   • Uses its own Email engine
   • Registry modification
   • Steals information


Right after execution the following information is displayed:


Files
It copies itself to the following locations:
   • %SYSDIR%\krnl32.dll
   • %malware execution directory%\photos.exe



The following files are created:

– Non malicious files:
   • %SYSDIR%\photo1.jpg
   • %SYSDIR%\photo2.jpg
   • %SYSDIR%\photo3.jpg
   • %user defined settings%\photo1.jpg
   • %user defined settings%\photo2.jpg
   • %user defined settings%\photo3.jpg

%SYSDIR%\krnl32.exe
This file is executed as soon as it has been fully written to disk. Further investigation showed that this file is malware, too. Detected as: Worm/Small.B.4

%malware execution directory%\~$run.$$$
Further investigation showed that this file is malware, too. Detected as: Worm/Small.B.4

Registry
The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • %SYSDIR%\krnl32.exe
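A host-side triage check for the dropped-file and Run-key indicators listed above, added here as an example; it is not part of this description and not Avira's own tooling. It runs over constructed sample data and assumes a Windows XP-style %SYSDIR% of C:\WINDOWS\system32; matching photos.exe and ~$run.$$$ by file name alone is deliberately loose and is meant as a lead for manual review, not a verdict.

```python
import hashlib
import ntpath

# Indicators taken from the description above; %SYSDIR% is resolved at check time.
KNOWN_MD5 = "58180e0dd5ff2df69979336c343e32f0"
DROPPED_FILES = [r"%SYSDIR%\krnl32.dll", r"%SYSDIR%\krnl32.exe", r"~$run.$$$", "photos.exe"]
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = r"%SYSDIR%\krnl32.exe"

def resolve(path, sysdir):
    return path.replace("%SYSDIR%", sysdir).lower()

def check_run_entries(run_entries, sysdir):
    """run_entries: dict of value name -> command, as read from the Run key."""
    target = resolve(RUN_VALUE, sysdir)
    return [name for name, cmd in run_entries.items() if cmd.strip('"').lower() == target]

def check_files(file_listing, sysdir):
    """file_listing: iterable of full paths present on the host; returns matched paths."""
    # Full-path match for %SYSDIR% drops, file-name match for the rest (looser, noisier).
    full = {resolve(p, sysdir) for p in DROPPED_FILES if p.startswith("%SYSDIR%")}
    names = {ntpath.basename(p).lower() for p in DROPPED_FILES if not p.startswith("%SYSDIR%")}
    hits = []
    for path in file_listing:
        lp = path.lower()
        if lp in full or ntpath.basename(lp) in names:
            hits.append(path)
    return hits

def matches_known_sample(data: bytes) -> bool:
    """True when the file content hashes to the MD5 given in the description."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5

# Constructed sample host state (not real data): one suspicious Run value, two dropped files.
SAMPLE_RUN = {"krnl32": r"C:\WINDOWS\system32\krnl32.exe", "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = [r"C:\WINDOWS\system32\krnl32.dll", r"C:\WINDOWS\system32\kernel32.dll",
                r"C:\Documents and Settings\user\Desktop\photos.exe", r"C:\Downloads\~$run.$$$"]

def triage(sysdir=r"C:\WINDOWS\system32", run_entries=SAMPLE_RUN, files=SAMPLE_FILES):
    return {"run_key": RUN_KEY,
            "run_values": check_run_entries(run_entries, sysdir),
            "files": check_files(files, sysdir)}

if __name__ == "__main__":
    print(triage())
```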

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:
Additionally it has the ability to send an email with information about the system. It is most likely that the receiver is the author.


From:
The sender of the email is one of the following:
   • Olia-muk@rambler.ru
   • ZanOlia@rambler.ru
   • oliechka84@rambler.ru


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– Generated addresses


Subject:
The following:
   • %russian text% %current date% %current hour%



Body:
The body of the email is the following:
   • %russian text%


Attachment:
   • photos.exe
   • photo1.jpg
   • photo2.jpg
   • photo3.jpg


Mailing
Search addresses:
It searches the following files for email addresses:
   • %temporary internet files%\*.htm
   • %temporary internet files%\*.html
   • %temporary internet files%\*.shtml
   • %temporary internet files%\*.phtml
   • %temporary internet files%\*.php
   • %temporary internet files%\*.txt
   • %temporary internet files%\*.pas
   • %temporary internet files%\*.tmp


MX Server:
It does not use the standard MX server.
It has the ability to contact the MX server:
   • mail.rambler.ru

Stealing
It tries to steal the following information:
– Recorded passwords used by the AutoComplete function
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– Passwords from the following programs:
   • The Bat!
   • Opera

File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packers:
   • ASPack
   • UPX

Description inserted by Andrei Gherman on Friday, June 9, 2006
Description updated by Andrei Gherman on Friday, June 9, 2006
