Worm.Win32.Chainsaw.a

Tag: Internet Worms


This is a network worm with Internet spreading ability. When the worm is run on a system for the first time, it installs itself. To do this, it copies itself to the Windows system directory under the name WINMINE.EXE, and to the root directory of the current drive under the name CHAINSAW.EXE; the latter file is given the "hidden" attribute. The worm then registers itself in the system registry auto-run key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Mines = path\WINMINE.EXE

where "path" is the Windows system directory name. The worm then exits; its infection routines run on the next Windows startup.

Upon the next Windows startup, the worm is automatically executed by Windows through the auto-run key in the system registry. The worm then registers itself as a hidden application and runs its spreading routine. That routine enumerates shared drives on the local network, locates the Windows directory on a drive (if there is one), copies itself there under the name CHAINSAW.EXE (if the drive is mapped for full access) and registers itself there by writing a "Run=" instruction to the [windows] section of the WIN.INI file on the remote drive. Upon the next Windows restart, the worm copy is activated and completes the infection.
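The two persistence mechanisms described above (the HKCU Run value on the first host and the WIN.INI "Run=" line on remote shares), together with the dropped file names, are the indicators a responder can check for. The following is an added example, not code from the encyclopedia entry: it takes already-collected data (a dictionary of Run-key values, the text of a WIN.INI file, and a listing of drive roots with hidden flags) and reports matches. The sample data is constructed to model an infected host; on a live system the inputs would come from the registry, the WIN.INI file and a directory listing. Because WINMINE.EXE is also the file name of the legitimate Minesweeper program, the Run check requires the value name "Mines", the file name and the system-directory location to match together rather than flagging the file name alone.

```python
"""Defensive check for the Chainsaw persistence indicators described above.
Added example (not code from the encyclopedia entry); the sample registry
values, WIN.INI text and drive listing below are constructed."""


def _split_path(cmd):
    """Split a Windows command string into (directory, file name), lower-cased.
    Backslashes are handled explicitly so the check also runs on non-Windows hosts."""
    exe = cmd.strip().strip('"')
    directory, _, filename = exe.rpartition("\\")
    return directory.lower().rstrip("\\"), filename.lower()


def check_run_key(run_values, system_dir):
    """run_values: {value name: command} as read from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    The worm writes Mines = <system dir>\\WINMINE.EXE. Minesweeper is also named
    WINMINE.EXE, so value name, file name and directory are checked together."""
    findings = []
    wanted_dir = system_dir.lower().rstrip("\\")
    for name, cmd in run_values.items():
        directory, filename = _split_path(cmd)
        if name.lower() == "mines" and filename == "winmine.exe" and directory == wanted_dir:
            findings.append(f"Run value '{name}' = {cmd.strip()}")
    return findings


def win_ini_run_entries(text):
    """Return the programs listed on Run= lines in the [windows] section of WIN.INI.
    Section names are case-insensitive; entries on one line are space-separated."""
    entries = []
    in_windows = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].strip().lower() == "windows"
            continue
        if in_windows and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "run":
                entries.extend(value.split())
    return entries


def check_win_ini(text):
    """Flag a WIN.INI Run= entry that launches CHAINSAW.EXE, the name the worm
    uses for the copy it places in a remote Windows directory."""
    findings = []
    for entry in win_ini_run_entries(text):
        _, filename = _split_path(entry)
        if filename == "chainsaw.exe":
            findings.append(f"WIN.INI [windows] Run= launches {entry}")
    return findings


def check_drive_roots(root_listings):
    """root_listings: {drive root: {file name: is_hidden}} (constructed here; on a
    live host this comes from a directory listing plus the hidden attribute).
    The worm drops a hidden CHAINSAW.EXE in the root of the current drive."""
    findings = []
    for root, files in root_listings.items():
        for filename, hidden in files.items():
            if filename.lower() == "chainsaw.exe":
                findings.append(f"{root}{filename} ({'hidden' if hidden else 'visible'})")
    return findings


def scan(run_values, system_dir, win_ini_text, root_listings):
    """Run all three checks and return the combined list of findings."""
    return (check_run_key(run_values, system_dir)
            + check_win_ini(win_ini_text)
            + check_drive_roots(root_listings))


# Constructed sample data modelling an infected Win9x host (not real telemetry).
SAMPLE_SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"
SAMPLE_RUN_VALUES = {
    "Mines": r"C:\WINDOWS\SYSTEM\WINMINE.EXE",        # the worm's auto-run entry
    "SomeTool": r"C:\PROGRA~1\SOMETOOL\TOOL.EXE",     # a benign entry, for contrast
}
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\CHAINSAW.EXE
NullPort=None
[Desktop]
Wallpaper=(None)
"""
SAMPLE_ROOTS = {"C:\\": {"CHAINSAW.EXE": True, "COMMAND.COM": False}}

if __name__ == "__main__":
    for finding in scan(SAMPLE_RUN_VALUES, SAMPLE_SYSTEM_DIR, SAMPLE_WIN_INI, SAMPLE_ROOTS):
        print("indicator:", finding)
```

Run against the constructed sample, the script reports the three indicators (the Run value, the WIN.INI entry and the hidden root file) and ignores the benign Run entry. A WINMINE.EXE referenced from the Windows directory rather than the system directory is deliberately not flagged, since that is where a legitimate Minesweeper copy could live.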

Upon starting, the worm posts a notification message to the "alt.horror" newsgroup. The message has the following fields:

From: "Leatherface"
Subject: CHAINSAWED
Newsgroups: alt.horror
Message body:
WHO WILL SURVIVE
AND WHAT WILL BE LEFT OF THEM?

The worm also tries to send its copies to remote machines. To do that, it generates randomly selected IP addresses in an endless loop and tries to connect to them. If a connection succeeds, the worm tries to contact a "Backdoor" Trojan program on the remote machine (if the machine is infected by one). If that connection also succeeds, the worm sends its copy to the remote machine and makes the backdoor execute it there. The list of "supported" backdoors is as follows: Sub7, NetBus, NetBios. The worm's chances of spreading this way are obviously very low.

Depending on the system date, the worm also sends a "Denial-of-service" packet to a randomly selected IP address. The packet is crafted so that it may crash a remote Win9x machine (because of a bug in the Win9x libraries). The worm intends to do this on the 31st of the month; however, because of a bug, it compares that value with the "year" field, and as a result it bombs randomly selected machines only if the system date is set to the year 0031.

The worm also disables the "ZoneAlarm" Internet protection utility.

Depending on its random counter, the worm also spawns a Trojan program that destroys data on the hard drive by overwriting it with the following text:

"THE FILM WHICH YOU ARE ABOUT TO SEE IS AN ACCOUNT OF THE TRAGEDY WHICH BEFELL A GROUP OF FIVE YOUTHS. IN PARTICULAR SALLY HARDESTY AND HER INVALID BROTHER FRANKLIN. IT IS ALL THE MORE TRAGIC IN THAT THEY WERE YOUNG. BUT, HAD THEY LIVED VERY, VERY LONG LIVES, THEY COULD NOT HAVE EXPECTED NOR WOULD THEY HAVE WISHED TO SEE AS MUCH OF THE MAD AND MACABRE AS THEY WERE TO SEE THAT DAY. FOR THEM AN IDYLLIC SUMMER AFTERNOON DRIVE BECAME A NIGHTMARE. THE EVENTS OF THAT DAY WERE TO LEAD TO THE DISCOVERY OF ONE OF THE MOST BIZARRE CRIMES IN THE ANNALS OF AMERICAN HISTORY, THE TEXAS CHAIN SAW MASSACRE..."

©Virus-Encyclopedia.com All Rights Reserved.