Date discovered: 03/02/2004
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium to high
Damage Potential: Low to medium
Static file: Yes
File size: 49,152 Bytes
MD5 checksum: e8d54b8ac74c2982fad37567b3bd1ced
VDF version:

General Methods of propagation:
   • Email
   • Local network

Aliases:
   • Symantec: W32.Wullik@mm
   • Kaspersky: Email-Worm.Win32.Wukill
   • TrendMicro: WORM_WUKILL.B
   • Sophos: W32/Wukill-B
   • Grisoft: I-Worm/Wukill.B
   • VirusBuster: virus I-Worm.Wukill.B
   • Bitdefender: Win32.Rays.A@mm

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops malicious files
   • Registry modification

Right after execution the following information is displayed:

Files
It copies itself to the following locations:
   • %WINDIR%\system\%random character string%.exe
   • %WINDIR%\web\%random character string%.exe
   • %WINDIR%\fonts\%random character string%.exe
   • %WINDIR%\temp\%random character string%.exe
   • %WINDIR%\help\%random character string%.exe
   • %drive%:\winfile.exe
   • %current directory%\%current directory name%.exe

It also drops copies of itself into c:\windows, using one of the following names:
   • Mstray.exe
   • MsHelp.exe

The following files are created:

– A temporary file that may be deleted afterwards:
   • %TEMPDIR%\~%hex number%.tmp

– %drive%:\desktop.ini
   A non-malicious text file with the following content:
   • [.ShellClassInfo]
     ConfirmFileOp = 0
   (ConfirmFileOp = 0 suppresses the warning Explorer shows when a system folder is moved or deleted.)

– %drive%:\comment.htt
   Further investigation showed that this file is malware too. Detected as: VBS/Starter.B

Registry
The following registry values are added in order to run the process after reboot:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "RavTimeXP"="%malware execution directory%\%executed file%"
   • "RavTimXP"="%malware execution directory%\%executed file%"

The following registry value is removed:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "RavTimXP"="%malware execution directory%\%executed file%"

The following registry values are changed:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"=%user defined settings%
   • "HideFileExt"=%user defined settings%
   New value:
   • "Hidden"=dword:00000000
   • "HideFileExt"=dword:00000001
   Setting HideFileExt to 1 makes Explorer hide known file extensions, so the dropped copy %current directory name%.exe is displayed under the same name as the folder it sits in and is easily mistaken for it.

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
   Old value:
   • "fullpath" = %user defined settings%
   New value:
   • "fullpath" = dword:00000001
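The file and registry indicators listed in the Files and Registry sections above can be checked offline from a directory listing and a regedit export. The following Python script is an added example, not Avira's tooling and not code from the worm; the file paths and the .reg excerpt it runs on are constructed sample input, and the value names and key paths it looks for are the ones given on this page.

```python
"""Offline triage for the Wukill/Wullik file and registry indicators listed on this page.

Added example: not Avira's tooling and not code from the worm. The file list
and the .reg excerpt below are constructed sample input, not data from a real infection.
"""
import ntpath
import re

# Drop names from the "Files" section: copies in c:\windows and the drive-root copy.
WINDIR_DROP_NAMES = {"mstray.exe", "mshelp.exe"}
ROOT_DROP_NAME = "winfile.exe"

# Registry locations from the "Registry" section (keys are compared in lower case).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
ADVANCED_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
RUN_VALUE_NAMES = {"ravtimexp", "ravtimxp"}

# Constructed sample data (assumption for illustration).
SAMPLE_PATHS = [
    r"C:\WINDOWS\MsHelp.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"D:\winfile.exe",
    r"C:\Users\alice\Reports\Reports.exe",
    r"C:\Users\alice\Reports\q1.xlsx",
    r"D:\comment.htt",
    r"D:\desktop.ini",
]

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RavTimeXP"="C:\\WINDOWS\\MsHelp.exe"
"VTTimer"="VTTimer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"HideFileExt"=dword:00000001
"""

# One "name"=data line of a .reg file; only REG_SZ and REG_DWORD are needed here.
_REG_VALUE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Minimal regedit-export parser: {key (lower case): {value name: str or int}}."""
    data, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            data.setdefault(key, {})
            continue
        m = _REG_VALUE.match(line)
        if key is not None and m:
            name, string_val, dword_hex = m.groups()
            if dword_hex is not None:
                data[key][name] = int(dword_hex, 16)
            else:
                # .reg files escape quotes and backslashes inside REG_SZ data
                data[key][name] = string_val.replace('\\"', '"').replace("\\\\", "\\")
    return data


def registry_findings(reg):
    """Return (value path, data) pairs for the Run entries and Explorer changes listed above."""
    findings = []
    for name, val in reg.get(RUN_KEY, {}).items():
        if name.lower() in RUN_VALUE_NAMES:
            findings.append((RUN_KEY + "\\" + name, val))
    adv = {k.lower(): v for k, v in reg.get(ADVANCED_KEY, {}).items()}
    # HideFileExt=1 hides extensions, so "Reports.exe" is displayed as "Reports" like its parent folder.
    if adv.get("hidefileext") == 1:
        findings.append((ADVANCED_KEY + "\\HideFileExt", 1))
    if adv.get("hidden") == 0:
        findings.append((ADVANCED_KEY + "\\Hidden", 0))
    return findings


def suspicious_paths(paths):
    """Return (path, reason) pairs for file names that match the drop patterns listed above."""
    hits = []
    for p in paths:
        _drive, rest = ntpath.splitdrive(p)
        head, name = ntpath.split(p)
        low = name.lower()
        parent = ntpath.basename(head).lower()
        if low in WINDIR_DROP_NAMES and parent == "windows":
            hits.append((p, "copy dropped into the Windows directory"))
        elif low == ROOT_DROP_NAME and rest.lower() == "\\" + ROOT_DROP_NAME:
            hits.append((p, "copy dropped at drive root"))
        elif low == "comment.htt" and rest.lower() == "\\comment.htt":
            hits.append((p, "drive-root comment.htt (VBS/Starter.B)"))
        elif parent and low == parent + ".exe":
            # %current directory%\%current directory name%.exe: an executable named after its folder
            hits.append((p, "executable named after its parent folder"))
    return hits


if __name__ == "__main__":
    for item in suspicious_paths(SAMPLE_PATHS) + registry_findings(parse_reg(SAMPLE_REG)):
        print(*item)
```

On a live system the path list would come from a directory walk and the registry text from `reg export`; the folder-name check is the one worth keeping in any general hunt, since it does not depend on the fixed names this variant used.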

Email
It uses Microsoft Outlook in order to send emails. The characteristics are described below:

The sender address is the user's Outlook account.

– Email addresses are gathered from the WAB (Windows Address Book).

Subject:
   • MS-DOS????

– Contains HTML code.
The body of the email is the following:

   • 这是一款相当好的MS—DOS帮助文件。
     (Chinese: "This is a pretty good MS-DOS help file.")

The filename of the attachment is:
   • MShelp.EXE

The attachment is a copy of the malware itself.

The email looks like the following:

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops a copy of itself to the following network share:
   • %current directory%

File details
Programming language:
The malware program was written in Visual Basic.

Description inserted by Daniel Constantin on Monday, March 13, 2006
Description updated by Andrei Gherman on Friday, April 24, 2009
