Virus: Worm/Soccer.A.1
Date discovered: 19/06/2006
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 39.904 Bytes
MD5 checksum: 18dae171a9bd885fbc83e89af23d0072
VDF version: 6.35.00.43
IVDF version: 6.35.00.50 - Wednesday, June 21, 2006
Heuristic: HEUR/Malware.Crypted.PSM

General
Method of propagation:
   • Email


Aliases:
   •  Kaspersky: Email-Worm.Win32.Delf.v
   •  Sophos: W32/Sixem-A
   •  VirusBuster: I-Worm.Delf.QWI


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Uses its own Email engine
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %SYSDIR%\msctools.exe



The following files are created:

– A file that contains collected email addresses:
   • %SYSDIR%\cats2.jpg

– A file that is for temporary use and it might be deleted afterwards:
   • %SYSDIR%\cats.jpg




It tries to download a file:

– The location is the following:
   • http://couplesexxx.com/tumbs/**********

It is saved on the local hard drive under:
   • %TEMPDIR%\temps%several random digits%.exe

Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as:
   • TR/Dldr.Delf.apo

Registry
The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "nsdevice"="%SYSDIR%\msctools.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "nsdevice"="%SYSDIR%\msctools.exe"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
   • "nsdevice"="%SYSDIR%\msctools.exe"



The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL]
   • "mls"="%number%"
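The run-key entries and the "mls" marker above are the host-side indicators a responder would look for. The following is an added example, not part of this description and not Avira's code: it parses the text of a Windows registry export (.reg file) and reports the "nsdevice" value pointing at msctools.exe under the three listed Run/RunServices keys, plus the "mls" value under the URL key. The .reg text is constructed for illustration; the full hive names (HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE) are the standard expansion of the HKCU/HKLM abbreviations used in the description.

```python
"""Find Worm/Soccer.A.1 persistence entries in a Windows .reg export.

Added example for this description (not the vendor's code). The sample export
below is constructed; key paths and value names come from the description.
"""
import re

# Run keys the description lists (HKCU/HKLM expanded to the .reg export form).
PERSISTENCE_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL"
VALUE_NAME = "nsdevice"       # value name used by the worm
DROPPED_FILE = "msctools.exe"  # file the value points at
MARKER_VALUE = "mls"

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text):
    """Parse a .reg export into {key path: {value name: data}} (string values only).

    .reg files double every backslash inside string data; undo that here.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_indicators(text):
    """Return (kind, key path, data) triples for every indicator found."""
    findings = []
    for path, values in parse_reg(text).items():
        norm = path.lower()  # registry key paths are case-insensitive
        if any(norm == want.lower() for want in PERSISTENCE_KEYS):
            data = values.get(VALUE_NAME, "")
            if data.lower().endswith(DROPPED_FILE):
                findings.append(("persistence", path, data))
        if norm == MARKER_KEY.lower() and MARKER_VALUE in values:
            findings.append(("marker", path, values[MARKER_VALUE]))
    return findings


# Constructed sample export: two worm run entries, one unrelated entry, the marker.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"nsdevice"="C:\\WINDOWS\\system32\\msctools.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SomeLegitApp"="C:\\Program Files\\Legit\\legit.exe"
"nsdevice"="C:\\WINDOWS\\system32\\msctools.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL]
"mls"="1234"
'''

if __name__ == "__main__":
    for kind, path, data in find_indicators(SAMPLE_REG):
        print(f"{kind:12} {path} -> {data}")
```

On a live system the same check can be run against `reg export` output; matching on the value name plus the file name (rather than either alone) keeps false positives low, since "nsdevice" by itself is not a meaningful string.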

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server is established. The characteristics are described in the following:


To:
– Email addresses found in specific files on the system.


Email design:
 


From: newsreader@hotmail.com
Subject: Naked World Cup game set
Body:
   • Nudists are organising their own tribute to the world cup, by staging their own nude soccer game, though it is not clear how the teams will tell each other apart. Good photos ;)
Attachment:
   • soccer_nudist.bmp.exe
 


From: todaynews@cnn.com
Subject: Crazy soccer fans
Body:
   • Crazy soccer fans killed two teens, watch what they make on photos. Please report on this all who know.
Attachment:
   • soccer_pics.jpg.exe
 


From: kellyjast@hotmail.com
Subject: Please reply me Tomas
Body:
   • Halo Markus, i sent my nude pics. Please reply me with you nude photos ;). Best regard You Sweet Kitty
Attachment:
   • kelly_nude_imgs.jpg.exe
 


From: hotnews@cnn.com
Subject: Soccer fans killed five teens
Body:
   • Soccer fans killed five teens, watch what they make on photos. Please report on this all who know.
Attachment:
   • soccer_fans.jpg.exe
 


From: lindasal@gmail.com
Subject: My tricks for you
Body:
   • I wait you photos from New York. I sent my pics where i naked for you. Please reply me. Linda Salivan
Attachment:
   • linda_bigtit.gif.exe

The attachment is a copy of the malware itself.
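The five sender/subject/attachment combinations above, together with the double-extension trick (an image name ending in .exe), are what a mail gateway can match on. The following is an added example, not part of this description and not the vendor's code: it classifies constructed messages against the exact lures listed above and, more generally, against any attachment whose name pairs an image or document extension with an executable one. The extra extensions in the pattern (png, pdf, scr, pif, com) are an assumption that goes beyond the .bmp/.jpg/.gif + .exe names shown here.

```python
"""Flag mail matching the Worm/Soccer.A.1 lures or their double-extension trick.

Added example for this description (not the vendor's code). Sample messages are
constructed; the lure triples are taken from the description.
"""
import re
from email.utils import parseaddr

# (sender, subject, attachment) triples from the description, lower-cased.
KNOWN_LURES = {
    ("newsreader@hotmail.com", "naked world cup game set", "soccer_nudist.bmp.exe"),
    ("todaynews@cnn.com", "crazy soccer fans", "soccer_pics.jpg.exe"),
    ("kellyjast@hotmail.com", "please reply me tomas", "kelly_nude_imgs.jpg.exe"),
    ("hotnews@cnn.com", "soccer fans killed five teens", "soccer_fans.jpg.exe"),
    ("lindasal@gmail.com", "my tricks for you", "linda_bigtit.gif.exe"),
}

# Generalised rule: a harmless-looking extension immediately followed by an
# executable one. Only bmp/jpg/gif + exe appear in the description; the rest
# is an assumption covering the same disguise.
DOUBLE_EXT_RE = re.compile(
    r"\.(jpe?g|gif|bmp|png|txt|doc|pdf)\.(exe|scr|pif|com)$", re.IGNORECASE
)


def classify(msg):
    """Return the reasons a message is suspicious (empty list if none)."""
    sender = parseaddr(msg.get("from", ""))[1].lower()   # "Name <addr>" -> addr
    subject = msg.get("subject", "").strip().lower()
    reasons = []
    for name in msg.get("attachments", []):
        name_l = name.strip().lower()
        if (sender, subject, name_l) in KNOWN_LURES:
            reasons.append("known_lure:" + name_l)
        if DOUBLE_EXT_RE.search(name_l):
            reasons.append("double_extension:" + name_l)
    return reasons


def scan(messages):
    """Map message id -> reasons for every message that triggers at least one rule."""
    hits = {}
    for msg in messages:
        reasons = classify(msg)
        if reasons:
            hits[msg["id"]] = reasons
    return hits


# Constructed sample traffic: one exact lure, one generic double-extension
# attachment, one clean message, and a lure subject with no attachment.
SAMPLE_MESSAGES = [
    {"id": 1, "from": "CNN Hot News <hotnews@cnn.com>",
     "subject": "Soccer fans killed five teens", "attachments": ["soccer_fans.jpg.exe"]},
    {"id": 2, "from": "someone@example.com",
     "subject": "holiday pics", "attachments": ["beach.JPG.EXE"]},
    {"id": 3, "from": "colleague@example.com",
     "subject": "Q2 report", "attachments": ["report.pdf"]},
    {"id": 4, "from": "todaynews@cnn.com",
     "subject": "Crazy soccer fans", "attachments": []},
]

if __name__ == "__main__":
    for msg_id, reasons in scan(SAMPLE_MESSAGES).items():
        print(msg_id, reasons)
```

Message 4 is deliberately not flagged: the description says the attachment is the malware itself, so a lure subject without the executable carries no payload, and matching on subject alone would mainly catch people forwarding news about the worm. The double-extension rule is the one that keeps working once the sender and subject text change.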



The email may look like one of the following:




Mailing
Search addresses:
It searches the following files for email addresses:
   • wab; adb; msg; dbx; mbx; mdx; eml; nch; txt; tbb; tbi; html; htm; xml;
      doc; rtf; xls; sht


Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • abuse; admin; webmaster; support; submit; service; sendmail; secur;
      samples; ripe.; privacy; postmaster; panda; nothing; nodomai; nobody;
      mydomai; mozilla; linux; kernel; inpris; icrosof; ibm.com; google;
      example; contact; certific; borlan; berkeley; anyone; policy; apache;
      webmin; webmist; random; local; anonymous; addres; defend; kaspersk;
      mcafee; microsof; norton; symantec; virus; reply; report

Process termination
List of processes that are terminated:
   • _AVP32.EXE; _AVPCC.EXE; _AVPM.EXE; AVP32.EXE; AVPCC.EXE; AVPM.EXE;
      AVP.EXE; iamapp.exe; iamserv.exe; FRW.EXE; blackice.exe; blackd.exe;
      zonealarm.exe; vsmon.exe; VSHWIN32.EXE; VSECOMR.EXE; WEBSCANX.EXE;
      AVCONSOL.EXE; VSSTAT.EXE; OUTPOST.EXE; REGEDIT.EXE; NETSTAT.EXE;
      TASKMGR.EXE; MSCONFIG.EXE; NAVAPW32.EXE; NAVW32.EXE; UPDATE.EXE


Backdoor
Contact server:
The following:
   • http://sextraf.com/ms/**********

As a result it may send some information. This is done via the HTTP POST method using a PHP script.


Sends information about:
    • Collected Email addresses

File details
Programming language:
The malware program was written in Delphi.


Runtime packer:
In order to hinder detection and reduce the size of the file it is packed with the following runtime packer:
   • FSG

Description inserted by Victor Tone on Monday, June 19, 2006
Description updated by Andrei Ivanes on Wednesday, June 21, 2006
