Win32.Vivael.A@mm (Win32/Vivael, W32/Colevo@MM)

SYMPTOMS:
Presence of the following files:
C:\windows\command.exe
C:\windows\system.exe
C:\windows\Hot Girl.scr
C:\windows\All Users.exe
C:\windows\tnf.exe
C:\windows\temp.exe
C:\windows\Internet download.exe
C:\windows\shell.exe
C:\windows\system32.exe
C:\windows\system64.pif
C:\windows\Internet File.exe
C:\windows\Part Hard Disk.exe
C:\windows\system32\command.com
C:\windows\system32\inf.exe
C:\windows\system32\net.com
C:\windows\system32\www.microsoft.com
C:\Recycled\Evo Morales.scr

TECHNICAL DESCRIPTION:
The virus is a mass-mailer, written in Delphi and compressed with ASPack 2.12. Upon execution, the virus creates some new registry keys and modifies existing ones.

New keys created:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4] "system=c:\windows\temp.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "system=c:\windows\system.exe"
[HKLM\Software\Microsoft\Windows\RunSevices] "system=c:\windows\commands.com"

Additionally, the virus changes the file extension associations under the following keys:
[HKLM\Software\CLASSES\exefile]
[HKLM\Software\CLASSES\comfile]
[HKLM\Software\CLASSES\baffile]
[HKLM\Software\CLASSES\piffile]
[HKLM\Software\CLASSES\htafile]
This means that whenever a file with the extension .exe, .com, .bat, .pif or .hta is opened, the virus is executed.

Additionally, the virus adds the NeverShowExt key under [HKLM\Software\CLASSES\exefile]. This hides the extension of files that have the .exe extension.

The virus also modifies the following files (the modification is shown under each file):

C:\Windows\system.ini
[boot]
Shell=explorer.exe temp.exe

C:\windows\win.ini
[windows]
load=archivo.exe
run=archivo.exe
####Viva el EVO, y jamas erradicaran la Coca Cola!!! mentira colla maldito!!
(PYN Pablo_Hack@hotmail.com)####

C:\windows\winstart.bat
c:\windows\shell.exe

C:\windows\wininit.ini
Null=c:\windows\system.exe

These changes also ensure that the virus is active as soon as the system boots.

Additionally, the virus begins copying itself over and over again within the Windows directory and its subdirectories, in the following way: in the current directory it creates several copies of itself, with names derived from the files in that directory's subdirectories. Example: if we have the following directory structure under the current directory:
\oobe\file.htm
\oobe\file2.htm
\other\file.cab
\other\xfile.gif
then the virus copies itself into the current directory under the following names:
oobefile.htm.exe
oobefile2.htm.exe
otherfile.cab.exe
otherxfile.gif.exe
The algorithm is: take the subdirectory name, append the file name, then add the extension .exe. Since the virus is 188K in size, this results in a rapid loss of free space (hundreds of megabytes, possibly even gigabytes). Coupled with the hidden .exe extension, this means the user will most probably launch the virus accidentally, thinking it is a web page or some other harmless file.

The virus opens the default browser with these addresses:
Http://jeremybigwood.net
http://news.bbc.co.uk
http://commondreams.org
http://www-ni.laprensa.com.ni
http://www.soc.uu.se
http://www.chilevile.cl
http://members.lycos.fr
http://www.movimientos.org
The complete addresses are links to image files (jpg, gif) and are therefore neither dangerous nor viral.

The virus spreads using e-mail addresses taken from the MSN Messenger contact list.

E-mail format:
Subject: El adelanto de matrix ta gueno!!
Body:
Pablo_Hack
Oye te U paso el programa para entrar a cuentas del messenger, y facilingo te lo paso a voz nomas, prometeme que no se lo pasas a nadie, ya?Respondeme que tal te parecio.
chau!!
(Roughly, in English: "Hey, I'm sending you the program for getting into Messenger accounts; it's easy and I'm passing it only to you, promise me you won't give it to anyone, ok? Let me know what you thought. Bye!!")
Attachment: hotmailpass.exe

The virus contains many typos and mistakes, making infections less harmful on non-Spanish Windows versions and suggesting that it was written without much care.

Removal instructions:
BitDefender can automatically disinfect or delete the files infected by this virus. The modified registry entries should be corrected manually.
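The copy-naming rule described above (subdirectory name + file name + ".exe", dropped in the parent directory) gives a simple on-disk check. The following Python script is an added example, not part of the original description and not BitDefender's own detection logic: it builds a constructed directory tree matching the example and flags every file whose name is a subdirectory name joined to a file inside that subdirectory, plus ".exe".

```python
import os
import tempfile
from pathlib import Path

# Constructed sample: the layout from the description, the four copies the
# virus would drop, and one unrelated .exe that must not be flagged.
INNER_FILES = ["oobe/file.htm", "oobe/file2.htm", "other/file.cab", "other/xfile.gif"]
DROPPED = ["oobefile.htm.exe", "oobefile2.htm.exe", "otherfile.cab.exe", "otherxfile.gif.exe"]


def build_sample_tree() -> str:
    """Create the constructed sample tree in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="vivael_demo_")
    for rel in INNER_FILES:
        p = Path(root, rel)
        p.parent.mkdir(exist_ok=True)
        p.write_text("placeholder")
    for name in DROPPED + ["setup.exe"]:  # setup.exe is the benign decoy
        Path(root, name).write_bytes(b"MZ")
    return root


def find_self_copies(root: str) -> list[str]:
    """Heuristic (an assumption for this example): flag <subdir><filename>.exe in a
    directory when <subdir>/<filename> exists beneath it, which is exactly how the
    copy names are built. Comparison is case-insensitive, as Windows names are.
    Returns paths relative to root, sorted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        by_lower = {f.lower(): f for f in filenames}
        for sub in dirnames:
            for inner in os.listdir(os.path.join(dirpath, sub)):
                if not os.path.isfile(os.path.join(dirpath, sub, inner)):
                    continue
                match = by_lower.get(f"{sub}{inner}.exe".lower())
                if match:
                    hits.append(os.path.relpath(os.path.join(dirpath, match), root))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_self_copies(build_sample_tree()):
        print("suspicious self-copy:", hit)
```

A real sweep would run this over the Windows directory and combine it with the 188K file size noted above to cut false positives.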
ANALYZED BY: Daniel Ionita, BitDefender Virus Researcher