Description:
This destructive memory-resident Internet worm runs on all Windows platforms. It uses its own SMTP (Simple Mail Transfer Protocol) engine to propagate via email, sending messages to addresses harvested from .HTM files and .DBX (Outlook Express mailbox) files on the infected system. It constructs the subject line in one of two ways.
The first subject format, used for one in every three messages, produces email with the following details:
Subject: AVAR (Association of Anti-Virus Asia Researcher)
Message Body: <Registered Owner> - <Registered Organization>
Attachments:
WIN<random numeric value>.GIF (120 bytes) MUSIC_2.CEO
WIN<random numeric value>.TXT (12.6 KB) MUSIC_1.HTM
The second subject format, used for two in every three messages, produces email with the following details:
Subject: <Registered Organization>
Message Body: <Registered Owner> - <Registered Organization>
Attachments:
WIN<random numeric value>.GIF (120 bytes) MUSIC_2.CEO
WIN<random numeric value>.TXT (12.6 KB) MUSIC_1.HTM
* <Registered Owner> is the registered owner of the infected machine and <Registered Organization> is the organization it was registered to.
However, at the time of writing the worm has a bug: it does not fully decode the second subject format, so the first four generated characters are garbled. This is why most of the email it sends arrives with a subject of the form:
Subject: N`4_<Registered Organization>
The worm crafts its email to use a known exploit that causes the attachment to execute automatically when the message is viewed or previewed in email clients that render with Internet Explorer, such as Microsoft Outlook and Outlook Express. This exploit is known as Automatic Execution of Embedded MIME Type (Microsoft Security Bulletin MS01-020).
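The auto-execution trick depends on the MIME headers declaring the attachment as something inert while the body is executable. The following check, an added example and not Trend Micro's or the worm's code, flags attachments whose declared Content-Type disagrees with their filename extension or leading bytes. The sample message is constructed in the shape described above (an HTM attachment and a .CEO attachment mislabelled as audio), not a real capture, and the magic-byte table and extension list are deliberately short assumptions.

```python
import base64
import email
from email import policy

# Magic bytes that identify a native executable regardless of what the
# headers claim.  Assumption: this one-entry table is enough for the demo.
EXECUTABLE_MAGIC = {b"MZ": "MZ/PE executable"}

# Extensions Windows runs directly.  Assumption: short illustrative list.
EXEC_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js"}

# MIME types an executable has no business being labelled as.
INERT_PREFIXES = ("audio/", "image/", "text/", "video/")


def suspicious_attachments(raw: bytes) -> list[dict]:
    """Return one finding per attachment whose declared Content-Type
    disagrees with its filename extension or with its leading bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
        reasons = []
        kind = next((name for sig, name in EXECUTABLE_MAGIC.items()
                     if payload.startswith(sig)), None)
        if kind and declared.startswith(INERT_PREFIXES):
            reasons.append(f"content is {kind} but declared {declared}")
        if ext in EXEC_EXTENSIONS and declared.startswith(INERT_PREFIXES):
            reasons.append(f"extension {ext} declared as {declared}")
        if reasons:
            findings.append({"filename": filename, "declared": declared,
                             "reasons": reasons})
    return findings


# Constructed sample in the shape of the worm's mail: an HTM attachment plus
# a .CEO attachment whose executable body is labelled as audio.  Not a capture.
SAMPLE = (
    b"From: owner@example.test\n"
    b"To: victim@example.test\n"
    b"Subject: AVAR (Association of Anti-Virus Asia Researcher)\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="b1"\n'
    b"\n"
    b"--b1\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"Owner - Organization\n"
    b"--b1\n"
    b'Content-Type: text/html; name="MUSIC_1.HTM"\n'
    b'Content-Disposition: attachment; filename="MUSIC_1.HTM"\n'
    b"\n"
    b"<html></html>\n"
    b"--b1\n"
    b'Content-Type: audio/x-wav; name="MUSIC_2.CEO"\n'
    b"Content-Transfer-Encoding: base64\n"
    b'Content-Disposition: attachment; filename="MUSIC_2.CEO"\n'
    b"\n"
    + base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60) + b"\n"
    b"--b1--\n"
)

if __name__ == "__main__":
    for f in suspicious_attachments(SAMPLE):
        print(f["filename"], "->", "; ".join(f["reasons"]))
```

Running it reports MUSIC_2.CEO as an MZ/PE executable declared as audio/x-wav, while MUSIC_1.HTM passes because its type and content agree. On a mail gateway the same two comparisons (magic versus declared type, extension versus declared type) are what stop a mislabelled executable before a vulnerable client ever renders it.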
The MUSIC_1.HTM attachment exploits a second known vulnerability to add the following registry entries:
HKEY_CLASSES_ROOT\.ceo
(Default) = exefile
HKEY_CLASSES_ROOT\.ceo
Content Type = application/x-msdownload
These entries tell Windows to treat files with the .CEO extension exactly as it treats .EXE files, so when the .CEO attachment is opened on the infected system its executable code runs. The vulnerability is known as the Microsoft VM ActiveX Component Vulnerability (Microsoft Security Bulletin MS00-075); Trend Micro detects the exploit code as JS_EXCEPTION.GEN.
After execution the worm terminates certain monitoring programs and antivirus products, and if it finds a folder named "ANTIVIRUS" on the infected system it deletes all files on the local drives.
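An extension silently mapped to the exefile handler is easy to miss by eye, so a practitioner triaging a machine would want to enumerate every HKCR\.<ext> key that carries the values listed above. The following scanner is an added example, not Trend Micro's code: it parses the text produced by `reg export HKEY_CLASSES_ROOT` and reports extensions that point at exefile or carry the application/x-msdownload content type without being on a baseline allowlist. The dump is constructed to contain the two entries shown above, and the allowlists are assumptions to be replaced with a real baseline.

```python
import re

# Extensions that legitimately carry these values on a default install.
# Assumption: minimal allowlists; extend them from a known-good baseline.
EXEFILE_EXPECTED = {".exe"}
MSDOWNLOAD_EXPECTED = {".exe", ".dll"}

# [HKEY_CLASSES_ROOT\.ext] section headers and name="value" lines in .reg syntax.
KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\(\.[^\\\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^(@|"([^"]+)")="(.*)"$')


def parse_reg_extensions(dump: str) -> dict[str, dict[str, str]]:
    """Map each HKCR\\.<ext> key in a .reg dump to its string values;
    '@' (the unnamed value) is recorded under the name '(Default)'."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in dump.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        if line.startswith("["):
            current = None  # a non-extension key such as HKCR\exefile
            continue
        if current is None:
            continue
        v = VALUE_RE.match(line)
        if v:
            name = "(Default)" if v.group(1) == "@" else v.group(2)
            keys[current][name] = v.group(3)
    return keys


def hijacked_extensions(dump: str) -> list[tuple[str, str]]:
    """Return (extension, offending value) pairs for extensions wired to
    the executable handler that are not on the allowlists."""
    findings = []
    for ext, values in parse_reg_extensions(dump).items():
        if values.get("(Default)", "").lower() == "exefile" and ext not in EXEFILE_EXPECTED:
            findings.append((ext, "(Default)=exefile"))
        if (values.get("Content Type", "").lower() == "application/x-msdownload"
                and ext not in MSDOWNLOAD_EXPECTED):
            findings.append((ext, "Content Type=application/x-msdownload"))
    return findings


# Constructed dump: a clean .exe and .txt beside the .ceo entries the worm adds.
SAMPLE_DUMP = """Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\\.txt]
@="txtfile"
"Content Type"="text/plain"

[HKEY_CLASSES_ROOT\\.ceo]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\\exefile]
@="Application"
"""

if __name__ == "__main__":
    for ext, why in hijacked_extensions(SAMPLE_DUMP):
        print(f"{ext}: {why}")
```

On a live host, `reg export HKEY_CLASSES_ROOT hkcr.reg` writes the same format as UTF-16 with a byte-order mark, so read the file with `encoding="utf-16"` before passing it to `hijacked_extensions`. Any extension the scanner reports that is not in your baseline deserves the same suspicion as .ceo here.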
Information regarding the vulnerabilities used by this worm is available in the following Microsoft security bulletins:
MS01-020: Incorrect MIME Header Can Cause IE to Execute E-mail Attachment
MS00-075: Patch Available for 'Microsoft VM ActiveX Component' Vulnerability
Description created: Nov. 24, 2002 3:07:39 PM GMT -0800
Description updated: Nov. 27, 2002 4:30:44 AM GMT -0800