Virus:Worm/Rays
Date discovered:03/02/2004
Type:Worm
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium to high
Damage Potential:Low to medium
Static file:Yes
File size:49,152 Bytes
MD5 checksum:e8d54b8ac74c2982fad37567b3bd1ced
VDF version:6.24.00.34

General Methods of propagation:
   • Email
   • Local network


Aliases:
   •  Symantec: W32.Wullik@mm
   •  Kaspersky: Email-Worm.Win32.Wukill
   •  TrendMicro: WORM_WUKILL.B
   •  Sophos: W32/Wukill-B
   •  Grisoft: I-Worm/Wukill.B
   •  VirusBuster: virus I-Worm.Wukill.B
   •  Bitdefender: Win32.Rays.A@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Registry modification


Right after execution the following information is displayed:
(message box screenshot not reproduced in this text)

Files
It copies itself to the following locations:
   • %WINDIR%\system\%random character string%.exe
   • %WINDIR%\web\%random character string%.exe
   • %WINDIR%\fonts\%random character string%.exe
   • %WINDIR%\temp\%random character string%.exe
   • %WINDIR%\help\%random character string%.exe
   • %drive%:\winfile.exe
   • %current directory%\%current directory name%.exe



It also drops copies of itself into c:\windows, using one of the following names:
   • Mstray.exe
   • MsHelp.exe




The following files are created:

– A temporary file that may be deleted again afterwards:
   • %TEMPDIR%\~%hex number%.tmp

– %drive%:\desktop.ini: a non-malicious text file with the following content:
   • [.ShellClassInfo]
     HTMLInfoTipFile=file://Comment.htt
     ConfirmFileOp = 0

– %drive%:\comment.htt: further investigation showed that this file is malware as well; it is detected as VBS/Starter.B.

Registry
The following registry key is added in order to run the process after reboot:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "RavTimeXP"="%malware execution directory%\%executed file%"
   • "RavTimXP"="%malware execution directory%\%executed file%"



The value of the following registry key is removed:

–  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "RavTimXP"="%malware execution directory%\%executed file%"



The following registry keys are changed:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"=%user defined settings%
   • "HideFileExt"=%user defined settings%
   New value:
   • "Hidden"=dword:00000000
   • "HideFileExt"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
   Old value:
   • "fullpath" = %user defined settings%
   New value:
   • "fullpath" = dword:00000001
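
Added example, not part of the Avira description: a read-only PowerShell check for the file and registry indicators listed above (the Run values, the Explorer settings, the fixed-name dropped files, and 49,152-byte .exe files in the listed %WINDIR% folders compared against the MD5 given at the top of the page). Paths, value names and the hash come from the description; the script assumes PowerShell 4 or later for Get-FileHash and reports only, it changes nothing.

```powershell
# Added example (not Avira's code): report Worm/Rays indicators on this host.
$findings  = @()
$knownMd5  = 'E8D54B8AC74C2982FAD37567B3BD1CED'   # MD5 from the description
$knownSize = 49152                                # file size from the description

# 1. Persistence: both value spellings the description lists under HKLM ...\Run
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'RavTimeXP', 'RavTimXP') {
    $val = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($val) { $findings += "Run value '$name' -> $val" }
}

# 2. Explorer settings the worm forces. HideFileExt=1 is also the Windows default,
#    so this is a weak signal on its own; Hidden=0 is the unusual part.
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and $adv.Hidden -eq 0 -and $adv.HideFileExt -eq 1) {
    $findings += 'Explorer Advanced: Hidden=0 and HideFileExt=1 (weak signal, matches worm)'
}

# 3. Fixed-name drops: c:\windows\Mstray.exe, MsHelp.exe, and per-drive winfile.exe,
#    plus the desktop.ini that points at Comment.htt and comment.htt itself.
$fixed = @("$env:WINDIR\Mstray.exe", "$env:WINDIR\MsHelp.exe")
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $fixed += Join-Path $drive.Root 'winfile.exe'
    $ini = Join-Path $drive.Root 'desktop.ini'
    if ((Test-Path $ini) -and (Select-String -Path $ini -Pattern 'Comment\.htt' -Quiet)) {
        $findings += "$ini references Comment.htt"
    }
    $htt = Join-Path $drive.Root 'comment.htt'
    if (Test-Path $htt) { $findings += "$htt present (described as VBS/Starter.B)" }
}
foreach ($f in $fixed) { if (Test-Path $f) { $findings += "file present: $f" } }

# 4. Random-name copies: any 49,152-byte .exe in the listed %WINDIR% subfolders,
#    confirmed by MD5 against the hash from the description.
foreach ($sub in 'system', 'web', 'fonts', 'temp', 'help') {
    $dir = Join-Path $env:WINDIR $sub
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq $knownSize } |
        ForEach-Object {
            $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
            if ($md5 -eq $knownMd5) { $findings += "MD5 match: $($_.FullName)" }
            else { $findings += "size match only ($md5): $($_.FullName)" }
        }
}

if ($findings.Count -eq 0) { 'No Worm/Rays indicators found.' } else { $findings }
```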

Email
It uses Microsoft Outlook in order to send emails. The characteristics are described below:


From:
The sender address is the user's Outlook account.


To:
– Email addresses gathered from WAB (Windows Address Book)


Subject:
The following:
   • MS-DOS????



Body:
– Contains HTML code.
The body of the email is the following:

   • 这是一款相当好的MS—DOS帮助文件。
     看看吧,对你有好处的。
     (Translation: "This is a rather good MS-DOS help file. Have a look, it will be good for you.")


Attachment:
The filename of the attachment is:
   • MShelp.EXE

The attachment is a copy of the malware itself.



The email looks like the following:
(email screenshot not reproduced in this text)

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops a copy of itself to the following network share:
   • %current directory%

File details
Programming language:
The malware program was written in Visual Basic.

Description inserted by Daniel Constantin on Monday, March 13, 2006
Description updated by Andrei Gherman on Friday, April 24, 2009
