W32/Cervivec-A

Name: W32/Cervivec-A
Type: Win32 worm
Date: 25 March 2002

At the time of writing Sophos has received just one report of
this worm from the wild.

Description:

W32/Cervivec-A is an email worm. It will arrive in an email with
the following characteristics:

Subject line - randomly chosen from:
Vtip
Witz
blague
Joke
Zart
Chiste

Message body - randomly chosen from:
Cau posilam ti cerviky tak se na to podivej (virus to neni)
Cau posielam ti cerviky tak sa na to pozri (virus to neni)
Hallo, Ich habe ein guter Witz-Wurm so sieh! (kein virus)
J'ai une bonne blague ca s'appelle verre de terre alors jette un
coup d'oeil (il n'y a pas de virus)
Hi, I have some cool joke - worms so have a look at it (no
virus)
Czesc, mam swietnz dowcip - robaka. Obejrzyj go sobie (to nie
jest wirus)
Hola te mando los gusanilloes. Pues mirarlos (no es un virus)

Attached file:
worms.zip

The zip file contains the worm executable. When run it will
display a message box with the text 'Press restart button to
close this application'. When the user clicks 'Ok' colourful
worm patterns are drawn all over the screen obliterating the
contents.

The worm is copied to <windows directory>\system32\ntkrnl.exe.

The registry value

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Kernel Loader

is set to run the worm from this location with the added
parameter '-LOADDRIVERS=TRUE'.

When Windows is restarted the worm will email itself to people
in the ICQ contact list.


Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32cerviveca.html