Trend: FATSO Beats up on ASSIRAL

Discussion in 'malware problems & news' started by Randy_Bell, Mar 11, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    On March 7, Trend Micro declared a Medium Risk alert for WORM_FATSO.A. This non-destructive, memory-resident worm propagates via MSN Messenger and the eMule peer-to-peer file-sharing application. It is capable of redirecting infected users to a certain Web site whenever the user accesses Web sites associated with antivirus and security companies. It may also terminate certain running processes and prevent these processes from executing while this worm is resident in memory. This worm also opens a text file, which is a message allegedly addressed to the author of WORM_ASSIRAL.A, the self-proclaimed creator of anti-BROPIA worms. As a payload, WORM_ASSIRAL.A proclaimed that its author was "freeing the world from BROPIA". This worm was known to terminate BROPIA-related processes. WORM_FATSO.A now insults the author of WORM_ASSIRAL, accusing him/her of being a "noob" (a "newbie", or an inexperienced person, specifically a programmer) possibly due to the fact that WORM_ASSIRAL used SMTP, a relatively "old" and conventional means of propagating worms. This worm infects systems running Windows 95, 98, ME, NT, 2000, and XP.

    This worm arrives on a system via MSN Messenger. Upon execution, it drops copies of itself in the system root folder, as well as several nonmalicious files. The worm then creates several registry entries that allow it to automatically execute its dropped files at every system startup.

    To propagate via MSN Messenger, it sends an instant message to all online contacts of an affected user, containing a link to a certain Web site. When a user clicks on this link, a copy of this worm is downloaded into the system. To propagate via eMule, it copies itself in the %Program Files%\Program Files\eMule\Incoming\ folder, the %Root%\My Shared folder and the <User Profile>\Shared folder of an affected system.

    The worm also redirects affected users to a specific Web site when they attempt to access certain Web sites related to antivirus and security companies, and terminates processes. View the complete list of company Web sites and processes.

    This worm attempts to terminate processes and delete files associated with the malware WORM_ASSIRAL.C, if the files are not running in memory. It drops and executes the text file "Message to n00b LARISSA.txt" on the 1st, 7th, 10th, 19th, 25th, 26th, or the 30th day of any month. This text message is allegedly addressed to the creator of WORM_ASSIRAL.A.

    If you would like to scan your computer for WORM_FATSO.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:

    WORM_FATSO.A is detected and cleaned by Trend Micro pattern file #2.476.00 and above.