Win32.Worm.Mexer.E - Webmaster Forums UK SEO SEM Webmaster Community Forum

#1 (**permalink**) 09-26-2004, 06:18 PM

Name: Win32.Worm.Mexer.E
Type: Executable Worm Mass Mailer
Size: 30,720 bytes (UPX packed), 64,512 bytes unpacked
Discovered: 21.09.2004
Detected: 21.09.2004
Spreading: Very low
Damage: Medium
Symptoms:
- Presence of the folder C:\sysnet
- Presence of next file in C:\sysnet folder:
Ruby31.exe (30,720 bytes)
- Presence of many copies of Ruby31.exe (30,720 bytes) in C:\sysnet folder under various names
- Presence of the next registry keys or entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run]
"Ruby13"="c:\sysnet\Ruby13.exe"
where %WINDOWS% points to Windows folder (or WinNT on Windows NT based systems)
%SYSTEM% points to "System" folder on Windows 9x systems and "System32" folder on WinNT systems.

Technical description:
The virus spreads through e-mail and also Kazaa and Imesh networks.
It usually arrives via e-mail. The mail format is as follows:

From: (spoofed)
To: (harvested addresss)
Subject: EBAY Information
Body: EBAY Installer...
Attachment: EBAY.exe
Subject: VISA Information
Body: Security Tool...
Attachment: VISA.EXE
Subject: Provider Information
Body: New account data...
Attachment: PROVIDER.EXE
Subject: Your Crack
Body: Here is your crack!
Attachment: (one of the copies of the virus)
Subject: Internet Information
Body: New account data...
Attachment: INTERNET.EXE
When the virus is run, it does the following:
1. Display the following message:
Ruby V1.3
Serial: %random%
File crack...
Note: %random% is a random number (eg: Serial: 41365345)
2. Creates C:\sysnet folder where it creates copies of itself as:
A+ Certification Test.exe
Borland KeyGens.exe
BurnDvds.exe
Cisco Certification Test.exe
Counter-Strike, Condition Zero - Activation Key.exe
Counterstrike aim hack.exe
Counterstrike hacks.exe
Crack McAfee 7.exe
Crack Norton 3000.exe
Diablo 2 map hack.exe
Diablo 2 no-cd hack.exe
Dvd Ripper.exe
Dvd To Vcd.exe
Easy Dvd Ripper.exe
EZ Dvd Ripper.exe
icqbomber.exe
Information.exe
MP3 encoder decoder V1.8.exe
MSCE Certification Test.exe
Nero Burning ROM v6.3 Ultra - Enterprise edition key.exe
Nimo Codec Pack Updater.exe
PANDA.AVers.lusers.exe
PANDA.lusers.exe
s Diablo 2 hero editor.exe
SophosCrackAllVersion.exe
Starcraft + Broodwar 1.10 map hack.exe
Starcraft + Broodwar 1.10 no-cd hack.exe
The Frozen Throne map hack.exe
Warcraft 3 Frozen Throne cd-cd hack.exe
Warcraft 3 Frozen Throne map hack.exe
Warcraft 3 map hack.exe
Warcraft 3 no-cd hack.exe
Warcraft 3 stat hack.exe
Windows Nt Certification Test.exe
XBOX X-Fer Ripper and Transfer.exe
Xvid Codec Installer.exe
And also creates copies of itself by adding
Keygen.exe
Serial.exe
NoCD.exe
Crack.exe
to the names:
Adobe Photoshop CS and ImageReady CS 8.0
Airport Tycoon II -
All Adobe Products
All Macromedia Products
All Microsoft Products
American Conquest -
Apache AH-64 Air Assault -
Battlefield 1942 The Road to Rome -
Battlefield Vietnam -
BitDefender
Bridge Baron 13
Command and Conquer Generals
Deus Ex -
Divx Pro 5.1
Doom 3 -
Dvd Plus
Dvd Wizard Pro
Dvd Xcopy
DvdCopyOne
DvdToVcd
Easy Dvd creator
Eonix Realm Of Hepmia -
Fetish Fighters -
Forbidden Siren -
Freelancer -
Grom -
Harry Potter and the Prisoner of Azkaban KeyGen and
Harry Potter und der Gefangene von Askaban
I Was An Atomic Mutant -
IGI-2 Covert Strike -
Impossible Creatures -
Ipswich Town Official Management Game -
Jamella
Kazaa all
Microsoft Windows XP Professional
Nascar Racing 2003 Season
Nero Burning Rom
Nod32
Norton AntiVirus 2004 Pro Activation Key &
Norton AntiVirus 2005
Norton Internet Security 2004 Keygen &
Norton Internet Security 2004 Pro
Norton Internet Security 2005 Pro
Office XP Universal
Private Nurse -
Robot Arena Design And Destroy -
Serious Sam - Gold Edition -
Shadow of Memories -
Shrek 2
Sim City 4 -
Slot City 3
Spellforce - Breath of Winter
Spider-Man 2
Symantec Antivirus 2005
Symantec Internet Secutiy 2005
Test Drive -
The Campaigns of La Grande Armee -
The Emperors Mahjong -
Tom Clancys Splinter Cell -
Tombstone 1882 -
Unreal II The Awakening -
WinACE
Windows Server 2003
WinRAR 3
WinZIP 9
World Of Outlaws Sprint Car Racing 2002 -
Zone Alarm 5.0 pro

(example: Zone Alarm 5.0 pro Crack.exe, BitDefender Keygen.exe)

3. Sets the default Kazaa and Imesh download/shared folder to c:\sysnet

4. Creates the registry entry

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run]
"Ruby13"="c:\sysnet\Ruby13.exe"

in order to run at startup.

5. Starts to harvest e-mail addresses in files matching:

*.wab
*.dbx
*.htm
*.sht
*.txt
*.doc
*.rtf

but avoiding e-mail addresses containing:

supp
webm
viru
newv
kasp
micr
root
admi
host

And send itself to each e-mail address found in the e-mail format described above using it's own smtp engine.

6. May display a message:

Ruby V1.3, (c)BI 16.08.2004
Fight against MICROSOFT and make a virus!