Email-Worm.VBS.Tossed
| Alert Level : | Medium |
| Discovered: | Feb 06 2002 |
| Tag: | E-mail Worms |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This worm spreads in e-mail messages. The worm itself is a DOS EXE file about 30K in length. When run, it installs itself to the Windows directory under the name TYPEDEF.EXE and registers itself in the auto-run section of the WIN.INI file. To hide its activity, the worm then displays a fake message and exits:
PKSFX Self Extraction Utility Version 2.50 03-01-1999
Copr. 1989-1999 PKWARE Inc. All Rights Reserved. Shareware Version
PKZIP Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
Error in SFX - Unable to extract !!
While installing, the worm tries four hardcoded variants of the Windows directory name: C:\WINDOWS, C:\WIN95, C:\WIN98 and C:\WINNT. It fails to install itself when Windows is installed in a directory with a different name.
Upon the next Windows start-up, the worm copy is activated as the TYPEDEF.EXE file from the Windows directory. The worm keeps a counter that is stored in the TYPEDEF.INI file and is incremented on each start of TYPEDEF.EXE (i.e., on each Windows start-up). Depending on that counter (once per three runs), the worm creates a TYPEDEF.VBS file and writes into it a Visual Basic Script program that sends the worm copy attached to e-mail messages.
That program opens MS Outlook, reads e-mail addresses from the AddressBook and sends messages to all of them. The message subject is: "Check this out". The message text and attached file name are randomly selected from eight variants:
It seems internet explorer 5 has some kinda bug which leaves some secuirity holes and allows somebody to write files onto your system. I downloaded this fix. I am sending it as an attatchment.
Attach: IE5FIX.EXE
I found something to help get rid of those irritating ads that pop up when you go to some sites. I am sending it as an attatchment.
Attach: NOADS.EXE
Here are some images you might like. You really need to check them out.
Attach: IMAGES.EXE
I am sending some of the coolest pictures known to man. You might want to check them out.
Attach: COOLPICS.EXE
Please take a look at these documents. I am sending them compressed in a self extractor.
Attach: DOCS.EXE
I am sending you the setup of the latest shareware version of PKZip. It gives excellent compression ratios. You might want to install it.
Attach: PKSETUP.EXE
I downloaded a patch to some bug in Internet Explorer. I am sending it as an attatchment.
Attach: PATCH.EXE
I downloaded a screen saver with cool effects. I am sending you its installation. Do try it out
Attach: SCRNSAVE.EXE
Also depending on the counter, the worm displays the text:
[ASCII-art banner]
!!! and scrambled eggs !!!
I-WORM.TSSE
Coded by [Offset]
The worm also contains the text strings:
The Tossed Salad and Scrambled Eggs Worm = I-Worm.TSSE. Coded by [Offset]
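The file names and the four hardcoded directory names described above are enough to triage a disk image. The following is an added example, not part of the original write-up: it checks a drive root for TYPEDEF.EXE, TYPEDEF.INI and TYPEDEF.VBS and for a TYPEDEF.EXE reference under the load=/run= keys of the WIN.INI [windows] section. Which of those two keys the worm uses is an assumption, and the function names are hypothetical.

```python
import os

# Names from the description above; the WIN.INI keys are an assumption.
WINDOWS_DIRS = ("WINDOWS", "WIN95", "WIN98", "WINNT")
ARTIFACTS = ("TYPEDEF.EXE", "TYPEDEF.INI", "TYPEDEF.VBS")
AUTORUN_KEYS = ("load", "run")  # standard auto-run keys of the [windows] section

# Constructed sample, not taken from an infected machine.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\TYPEDEF.EXE\n[fonts]\nrun=TYPEDEF.EXE\n"


def find_ci(parent, name):
    """Return the path of `name` in `parent`, matched case-insensitively, or None."""
    try:
        entries = os.listdir(parent)
    except OSError:
        return None
    for entry in entries:
        if entry.upper() == name.upper():
            return os.path.join(parent, entry)
    return None


def win_ini_autorun_hits(text):
    """Return load=/run= lines of the [windows] section that name TYPEDEF.EXE."""
    hits, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if (section == "windows" and sep and key.strip().lower() in AUTORUN_KEYS
                and "TYPEDEF.EXE" in value.upper()):
            hits.append(line)
    return hits


def scan_root(root):
    """Scan a drive root (for example a mounted image of C:) for the artifacts."""
    findings = []
    for win_dir in filter(None, (find_ci(root, d) for d in WINDOWS_DIRS)):
        for name in ARTIFACTS:
            path = find_ci(win_dir, name)
            if path:
                findings.append(("file", path))
        ini = find_ci(win_dir, "WIN.INI")
        if ini:
            with open(ini, encoding="latin-1") as fh:
                findings += [("autorun", h) for h in win_ini_autorun_hits(fh.read())]
    return findings
```

A system installed in a directory other than the four listed is not scanned, which matches the worm's own limitation.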

