Details:
This malware has both virus and worm capabilities. As a virus, it infects all .SCR and .EXE files on the local system. As a worm, it propagates via email using MAPI (Messaging Application Programming Interface).
File Infection
This virus infects .EXE and .SCR files.
It uses per-process residency to become memory resident. To achieve this, it patches the TranslateMessage API function of Windows Explorer.
It then creates a .DAT file, naming this file based on the computer name of the infected machine. It saves and records the exact date of infection in this .DAT file. It also searches for .WAB, .DBX, and .MBX files for email addresses and stores the addresses in the .DAT file.
It also adds the following registry entry so that it is executed at every Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
<Virus file name> = "<Virus Path and file name>.EXE"
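As an added triage check that is not part of this advisory, the script below parses a Run-key export and flags values that follow the pattern just described, where the value name repeats the executable's own file name. The sample export is constructed; on a real host the same function can be pointed at the output of `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample export (not real host data): two ordinary entries and one
# that follows the <name> = "<path>\<name>.EXE" pattern the advisory describes.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"ABCDEF"="\"C:\\WINDOWS\\ABCDEF.EXE\""
'''

# One REG_SZ line: "name"="data", with \\ and \" escapes inside either part.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(reg_text: str, key: str = RUN_KEY) -> dict:
    """Return {value_name: data} for the string values stored under `key`."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # section header: enter/leave our key
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def executable_of(command: str) -> str:
    """First token of a Run command: a quoted path, or the text up to a space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def suspicious_run_entries(reg_text: str) -> list:
    """Value names whose data is an .EXE whose file name repeats the value name."""
    hits = []
    for name, data in parse_run_values(reg_text).items():
        p = PureWindowsPath(executable_of(data))
        if p.suffix.lower() == ".exe" and p.stem.lower() == name.lower():
            hits.append(name)
    return hits
```

Legitimate software occasionally uses the same naming, so treat a hit as a candidate for review (compare the file against a known-good copy and check for the roughly 25 KB size growth noted below) rather than as confirmation.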
This virus is capable of searching all local drives, mapped network drives, and shared directories that allow full access. It then searches for WinNT, Windows, Win95, and Win98 directories and infects the .EXE and .SCR files they contain. Before it infects other drives, it sleeps for 40 seconds to avoid detection.
Due to the virus' polymorphic nature, infected files grow by around 25 kilobytes.
Mailing Routine
This virus uses the SMTP-based email clients MS Outlook, Outlook Express, and Netscape Navigator to send infected files to email addresses in the user's Windows and Outlook Express address books. It avoids sending its viral file to email addresses similar to any of the 10 addresses in its internal list. It obtains the default email client settings from the registry.
Due to its polymorphic nature, however, the email that it sends out has varying subject lines, message bodies, and attachment names.
Below is a sample email from this worm:
This virus also sends non-viral attachments such as .DOC, .TXT, and JavaScript (.JS) files. It randomly picks text strings from .DOC and .TXT files on the infected system and uses these text strings as its subjects and message bodies.
Payloads
This virus compares the time stamp of its created .DAT file with the current system time on the infected machine. On Windows 9x machines, it executes its destructive payloads one month after its initial execution.
It destroys the primary hard disk drive controller, overwrites CMOS RAM, and erases flash memory, which contains BIOS data. It exploits a security vulnerability on Windows 9x systems to grant itself Ring-0 privileges. As a result, its destructive payloads do not execute on Windows NT and 2000 machines.
When its payloads are triggered, it displays a message box with the following text:
Another haughty bloodsucker…….
YOU THINK YOU ARE GOD ,
BUT YOU ARE ONLY A CHUNK OF SHIT
Other Details
This virus contains the following text strings:
ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler. by: The Judges Disemboweler. Written in Malmo (Sweden)
sentences you. ; sentences him to ;sentence you to ; ordered to prison; convict., judge ;circuit judge ; trial judge ;found guilty ; find him guilty ; affirmed judgment of conviction; verdict guilty plea; trialcourt ;trial chamber.sufficiency of proof. sufficiency of the evidence.proceedings. against the accused.habeas corpus.jugement.
It uses several anti-debugging techniques, including the use of SEH and the search of operating system specific API calls. It also checks for the presence of application level debuggers and system level debuggers.