Bat/Cup-A

Discussion in 'malware problems & news' started by FanJ, Jun 12, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: Bat/Cup-A
    Type: Batch file worm
    Date: 12 June 2002

    Description:

    Bat/Cup-A arrives in an email with the characteristics:

    Subject line: "WorldCup News!"
    Message text: "read me for more world cup news!"
    Attached file: WorldCup.BAT.

    When executed the worm will create, execute and on occasions
    delete the files worldcup_score.vbs, eyeball.reg, japan.vbs,
    england.vbs, ireland.vbs, uraguay.vbs and argentina.bat.

    Worldcup_score.vbs is the file that executes the mass mailing
    properties of the worm. An email with the above characteristics
    will be sent to all contacts in the user's Microsoft Outlook
    address book.

    Eyeball.reg creates the registry value:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\cqlyg

    so that a copy of the worm is run when Windows starts up.
    An attempt will be made to copy eyeball.reg over all REG files
    contained in folders in the user's path and the Windows, current
    and parent folders.

    Japan.vbs will attempt to start a copy of the worm called
    argentina.bat. An attempt will be made to copy japan.vbs over
    all VBS files contained in the folders of the user's path and the
    Windows, current and parent folders.

    England.vbs will set the registry value

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\eifxi

    so that a copy of the worm is run when Windows starts up.

    Ireland.vbs attempts to create a shortcut in the root folder to
    a copy of the worm. The shortcut would be called pif.lnk.

    Uraguay.vbs attempts to create a shortcut to brazil.vbs which in
    turn will try to execute paraguay.vbs. Paraguay.vbs does not
    exist.

    The worm creates copies of itself using the names
    world_cup_.bat, germany.bat, china.bat, russia.bat, turkey.bat,
    denmark.bat, costarica.bat, wini.bat, spain.bat and italy.bat.
    These copies are most likely to be in the Windows folder.

    The following anti-virus related executables will be deleted:
    C:\progra~1\norton~1\*.exe
    C:\progra~1\kasper~1\avp32.exe
    C:\progra~1\trojan~1\tc.exe
    C:\progra\norton~1\s32integ.dll
    C:\progra\f-prot95\fpwm32.dll
    C:\progra\tbav\tbav.dat
    C:\progra \mcafee\scan.dat
    C:\progra\avpersonal\antivir.vdf
    C:\tbavw95\tbscan.sig

    Bat/Cup-A searches for a mIRC installation and creates the file
    script.ini if one is found. The script.ini file will attempt to
    forward a copy of the worm to anyone who joins an IRC channel
    the infected user is currently logged on to.

    The folder C:\ThisIsOnlyASimpleWorm will be created and will
    contain a single copy of the worm named WorldCup.bat.

    This worm contains many bugs and several of the above
    characteristics are intended functions of the worm and may not
    work correctly.


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/batcupa.html
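
A host triage sketch for the indicators listed in the post above, as an added example that is not part of the original post or the Sophos analysis. It flags the dropped file names, the marker folder and the two Run value names, and groups .reg/.vbs files by content hash to spot the overwrite behaviour. The function names, the three-file cluster threshold and the sample snapshot are assumptions constructed for illustration.

```python
import hashlib
import ntpath
import re
from collections import defaultdict

# Indicators copied from the description above, lower-cased for matching.
DROPPED = {"worldcup.bat", "worldcup_score.vbs", "eyeball.reg", "japan.vbs", "england.vbs",
           "ireland.vbs", "uraguay.vbs", "argentina.bat", "world_cup_.bat", "germany.bat",
           "china.bat", "russia.bat", "turkey.bat", "denmark.bat", "costarica.bat",
           "wini.bat", "spain.bat", "italy.bat", "pif.lnk"}
RUN_VALUES = {"cqlyg", "eifxi"}
MARKER_DIR = r"c:\thisisonlyasimpleworm"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

def run_value_names(reg_export):
    """Return the value names under the HKLM Run key of a regedit export."""
    names, in_run = [], False
    for line in map(str.strip, reg_export.splitlines()):
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY
        elif in_run and (m := re.match(r'"([^"]+)"=', line)):
            names.append(m.group(1))
    return names

def overwrite_clusters(files, min_size=3):
    """Group .reg/.vbs files by SHA-256; min_size is an assumed threshold."""
    groups = defaultdict(list)
    for path, data in files.items():
        if path.lower().endswith((".reg", ".vbs")):
            groups[hashlib.sha256(data).hexdigest()].append(path)
    return sorted(sorted(g) for g in groups.values() if len(g) >= min_size)

def triage(files, reg_export):
    """Return sorted (kind, detail) findings for one host snapshot."""
    hits = set()
    for path in files:
        name = ntpath.basename(path).lower()
        if name in DROPPED or path.lower().startswith(MARKER_DIR + "\\"):
            hits.add(("file", path))
    hits |= {("run_value", n) for n in run_value_names(reg_export) if n.lower() in RUN_VALUES}
    hits.update(("overwritten", ", ".join(c)) for c in overwrite_clusters(files))
    return sorted(hits)

# Constructed host snapshot (path -> content) and constructed Run-key export.
SAMPLE_FILES = {r"C:\WINDOWS\germany.bat": b"@echo off", r"C:\DOCS\notes.vbs": b"MsgBox 1",
                r"C:\WINDOWS\a.reg": b"X", r"C:\TOOLS\b.reg": b"X", r"C:\c.reg": b"X"}
SAMPLE_REG = "\n".join(["REGEDIT4", "",
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"cqlyg"="C:\\WINDOWS\\wini.bat"', r'"SystemTray"="SysTray.Exe"'])
```

Several of the file names are generic, so a name match alone is a lead to verify rather than a confirmed infection.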
     