W32/Zoek-D

#1 July 2nd, 2002, 02:30 PM

Name: W32/Zoek-D
Aliases: I-Worm.Zoek.d, W32/Tcasut
Type: Win32 worm
Date: 2 July 2002

Sophos has received several reports of this worm from the wild.

Note: This IDE file also includes updated detection for
Troj/BO-2000.

More information about W32/Zoek-D can be found at
http://www.sophos.com/virusinfo/analyses/w32zoekd.html

#2 July 2nd, 2002, 02:33 PM

W32/Zoek-D is an email worm. When the worm is run it will send a copy of itself to one entry from the Microsoft Outlook address book. The worm will black out the screen and display 'One moment please' in large yellow letters across the top. After a few seconds a large button will appear with the text 'Windows Restart?'. Clicking on this button will cause Windows to shutdown and restart.

The worm arrives in an email with the following charactistics:

Subject line: Maxima Screensaver!
Attached file: screenmaxima.scr

The body of the email will be blank.

The worm will copy itself to C:\Windows\Tcasuta.exe, drop another executable in C:\Windows\System\Tcasutb.exe and add the following registry entry so that tcasutb.exe is run each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\tcasutb.exe

Tcasutb.exe is a variant of Troj/BO-2000.

The worm will generate several files in C:\Windows containing configuration
information about the host computer and encoded copies of the worm. The following files are created:

accountboy.ini
attachready.ini
hoen.txt
ipinfo.txt
mailboy.ini
mailready.ini
passboy.ini
ratmailready.ini
secretsmailready.ini
tcasuta.txt

Some of these files may have the Hidden attribute set.

The worm will email some of this information (such as the IP address) to a remote email address.