W32/Blinkom-A

Discussion in 'malware problems & news' started by FanJ, Sep 19, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: W32/Blinkom-A
    Aliases: WORM_BLINKOM.A, Worm.P2P.Blinkom, W32/Blinkom,
    Win32/Blinkom.worm, Win32/Venzu.Worm, Win32.Venzu.A
    Type: Win32 worm
    Date: 19 September 2002


    At the time of writing Sophos has received just one report of
    this worm from the wild.

    Description
    W32/Blinkom-A is a worm which attempts to spread via SMTP, IRC channels, KaZaA peer-to-peer shared folders, ICQ shared folders and by copying itself to drive A:.

    Emails may arrive with messages in either English or Spanish and have one of the following sets of characteristics:

    Subject line: Los mejores chistes de Bin Laden
    Message text: A todos mis amigos. Los mejores chistes que me enviaron, éstos son los mejores.
    Attached file: BinLadilla.pif

    Subject line: HISPASEC
    Message text: Esta es la prueba de que HISPASEC roba importantes bases de datos de muchas compañías, incluso hotmail. (los campos en blanco son algunos datos omitidos por razones de anonimato y seguridad).
    Attached file: Noticia45.Txt.pif

    Subject line: Base de datos. Carnivore.
    Message text: BO2K publica parte de la base de datos recopilada por Carnivore.
    Attached file: CarnivoreStory.Pif

    Subject line: VAN A VENDER HOTMAIL
    Message text: parece que los de microsoft no se la pudieron, prefirieron dedicarle tiempo al windows, amenazan con borrar las cuentas, pero se puede evitar siguiendo unos estatuts que ellos ponen a disposición. leelos o no tendras mas cuenta. chao.
    Attached file: Estatutos.Pif

    Subject line: HISPASEC
    Message text: This is the probe that HISPASEC steals important databases of many companies (the fields in blank_target are some data omitted by security and anonimity reasons)
    Attached file: NewsHS.Txt.pif

    Subject line: Carnivore databases
    Message text: BO2K publish pieces of database gathered by Carnivore.
    Attached file: CarnivoreStory.Pif

    W32/Blinkom-A may drop copies of itself to the following folders and drives:

    C:\Windows\Blink 182.scr
    C:\Windows\RaZor.scr
    C:\Windows\Cloud Strife.scr
    C:\Windows\Kuasanagui.scr
    C:\Windows\\182.exe
    C:\Windows\HOKO.scr
    C:\Windows\ErGrone.scr
    C:\Windows\Jtag.scr
    C:\Windows\XpLOaD.scr
    C:\Windows\NERFIX.scr
    C:\Windows\NEMESIZZ.scr
    C:\Windows\Tom.scr
    C:\Windows\Marc.scr
    C:\Windows\Travis.scr
    C:\Windows\BOX CAR RACER.scr
    C:\Windows\Take Off Youre Pants And Youre Jacket.scr
    C:\Windows\Damm You!.scr
    C:\Windows\ENEMA.scr
    C:\Windows\DUDE RANCH.scr
    C:\Windows\Cheshire Cat.scr
    C:\Windows\Guitar.scr
    C:\Windows\Punk Power!.scr
    C:\Program Files\KaZaA\My Shared Folder\Blink 182.scr
    C:\Program Files\KaZaA\My Shared Folder\Box Car Racer.scr
    C:\Program Files\KaZaA\My Shared Folder\Blink 182 All Videos.exe
    C:\Program Files\KaZaA\My Shared Folder\KaZaA UpDate.exe
    C:\Program Files\KaZaA\My Shared Folder\Songs.scr
    C:\Program Files\KaZaA\My Shared Folder\Anna Kournikova.scr
    C:\Program Files\KaZaA\My Shared Folder\All The Small Things All Screen Video.scr
    C:\Program Files\KaZaA\My Shared Folder\My Screen Saver.scr
    C:\Program Files\KaZaA\My Shared Folder\Telephone Numbers The Video.scr
    C:\Program Files\KaZaA\My Shared Folder\Fun Screen.scr
    C:\Program Files\KaZaA\My Shared Folder\MeGa CiBer ScReeN SavEr.scr
    C:\Program Files\KaZaA\My Shared Folder\Osama The King.scr
    C:\Program Files\KaZaA\My Shared Folder\Marc Tom And Travis.scr
    C:\Program Files\ICQ\shared files\ICQ Power Edition.exe
    C:\Program Files\ICQ\shared files\ICQ SMS Plus.exe
    C:\Program Files\ICQ\shared files\ICQ Screen Saver.scr
    C:\Program Files\ICQ\shared files\ICQ Millenium Screen.scr
    C:\Program Files\ICQ\shared files\ICQ Fire Screen.scr
    C:\Program Files\ICQ\shared files\ICQ Ice Screen.scr
    C:\Program Files\ICQ\shared files\ICQ Natural Screen.scr
    A:\Nude Screen.scr
    A:\SeX ScReen Saver.scr
    A:\Playboy Screen Saver.scr
    A:\Shakira Screen Saver.scr

    The worm also attempts to disable certain firewall programs (ZoneAlarm, BlackIce, Tiny and Sygate), delete files related to anti-virus software, disable registry settings related to macro security within Microsoft Office and run itself on system restart by adding an entry to SYSTEM.INI.

    W32/Blinkom-A attempts to add the following entries to the registry:

    HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder = "Blink Folder"
    HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder\VEDataFilePath = "The Blink Path"
    HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder\VEIndexFilePath = "The Plink, the Blink, the Oink"
    HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder\MainDir = "Blink virus & the Batch company"
    HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder\Folder = "Plink it's the Blink guitarrist yeeeeeh!"
    HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Options\EnableMacroVirusProtection = "0"
    HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options\EnableMacroVirusProtection = "0"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = "Blink"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = "The Blink company inc."



    More information about W32/Blinkom-A can be found at
    http://www.sophos.com/virusinfo/analyses/w32blinkoma.html
     
  2. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    Wasn't there something similar earlier? But I think it was a worm.

    Think it's the same programmer.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    TDS Primary List : Worm.P2P.Blinkom :D
     
  4. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    The Norton 9/19/02 virus list contains no hits for either "blinkom" or "venzu". Unless there are other aliases not listed in FanJ's post, NAV does not detect this worm. Thankfully, it isn't a big threat, if Sophos has received just one report of this worm from the wild. Hopefully, if it does grow as a threat, the various vendors will get detection. :) :)
     
  5. FanJ

    FanJ Guest

    Hi Randy,

    Here is the Symantec link:

    W32.Venzu.Worm

    http://securityresponse.symantec.com/avcenter/venc/data/w32.venzu.worm.html
    Discovered on: August 2, 2002
    Last Updated on: August 12, 2002 08:20:46 PM PDT

    W32.Venzu.Worm is a mass-mailing worm that is written in the Borland Delphi programming language and compressed with UPX. It uses SMTP to send itself to email addresses that it finds in the MSN Messenger Service list. The email message has the following characteristics:
    Subject: The subject can be one of the following:

    Los mejores chistes de Bin Laden
    HISPASEC
    Carnivore databases
    Base de datos. Carnivore.
    VAN A VENDER HOTMAIL

    Attachment: The attachment can be one of the following:
    BinLadilla.pif
    Noticia45.Txt.pif
    NewsHS.Txt.pif
    CarnivoreStory.Pif
    Estatutos.Pif

    W32.Venzu.Worm also tries to spread through KaZaA, ICQ, mIRC, and floppy disk.



    Type: Zoo Worm
    Infection Length: 176,640 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, Unix, Linux


    Virus Definitions (Intelligent Updater) *
    August 5, 2002


    Virus Definitions (LiveUpdate™) **
    August 7, 2002


    When W32.Venzu.Worm runs, it does the following:

    It displays a message that has these characteristics:
    Title: Blink Worm By RaZor/GEDZAC
    Text: Hecho En Venezuela Barquisimento Estado Lara.

    The worm creates many copies of itself on the hard drive, the KaZaA shared folder, the ICQ shared folder, and on the floppy disk so that it can spread through the KaZaA peer-to-peer network, ICQ, and floppy disk. Here are some samples:

    Blink 182.scr
    C:\ThE MegA BlINk BaT.bat
    C:\Windows\Blink 182.scr
    C:\Windows\BOX CAR RACER.scr
    C:\Windows\%system%\182.exe
    C:\Program Files\KaZaA\My Shared Folder\Blink 182.scr
    C:\Program Files\KaZaA\My Shared Folder\KaZaA UpDate.exe
    C:\Program Files\KaZaA\My Shared Folder\All The Small Things All Screen Video.scr
    C:\Program Files\ICQ\shared files\ICQ Power Edition.exe
    C:\Program Files\ICQ\shared files\ICQ Ice Screen.scr
    A:\Nude Screen.scr

    The worm adds the values

    avpfolder = "Blink Folder"
    VEDataFilePath = "The Blink Path"
    VEIndexFilePath = "The Plink, the Blink, the Oink"
    MainDir = "Blink virus & the Batch company"
    Folder = "Plink it's the Blink guitarrist yeeeeeh!"

    to the registry key

    HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles

    It adds the value

    EnableMacroVirusProtection = "0"

    to the registry key

    HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Options

    This disables the macro virus protection option of Microsoft Office.

    It also adds the values

    RegisteredOwner = "Blink"
    RegisteredOrganization = "The Blink company inc."

    to the registry key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion

    The worm overwrites C:\archiv~1\perav\*.dat with copies of itself and deletes the following files if they exist:
    C:\Archiv~1\Pandas~1\Pandaa~1.0\*.dll
    C:\Archiv~1\McAfee\McAfee~1\*.dll
    C:\Archiv~1\Norton~1\NAVDX.EXE
    C:\Archiv~1\Norton~1\V325SCAN.dll
    C:\Archiv~1\Norton~1\NAVP.VXD

    It searches the registry to determine the locations of the working folders of some firewall products, such as ZoneAlarm, BlackIce, Tiny, and Sygate. It deletes all of the files in these folders.

    The worm creates two clean files:
    C:\Dammit.txt.
    C:\Wallpaper1.html

    It then changes the wallpaper to C:\Wallpaper1.html.

    NOTE: Symantec AntiVirus Products do not detect those two files. If the computer is infected with W32.Venzu.Worm, delete the files manually.

    The worm modifies C:\mIRC\Script.ini in an attempt to send a copy of itself through mIRC. The worm file name is Blink 182.scr.

    It overwrites the text of the C:\Program Files\Yahoo!\Messenger\ymsgr.ini file to create links on the Yahoo! Messenger/Tools/Inside Yahoo! menu.

    It overwrites the text of C:\Windows\Win.ini with the following line:

    Estas Infectado Por Blink!!

    It overwrites the text of C:\Windows\Winstart.bat with the following lines:

    CLS
    @ECHO Estas Infectado Por Blink!!
    pause

    It appends the following section to the C:\Autoexec.bat file:

    @attrib +h +r c:\blink.bat
    cls
    @ECHO ---------------------
    @ECHO [ Blink virus. ]
    @ECHO [ RaZor ]
    @ECHO [ Gedzac Labs 2002. ]
    @choice "" /c:12 /n /t:1,5
    @if errorlevel 1 goto fin
    :fin

    It inserts the following section into C:\Windows\System.ini so that the copy of the worm runs when you restart Windows:

    [boot]
    shell=Explorer.exe 182.exe

    The worm uses SMTP to send itself to email addresses that it finds in the MSN Messenger Service list. The email message is one of the following:

    Subject: Los mejores chistes de Bin Laden
    Message: A todos mis amigos. Los mejores chistes que me enviaron, éstos son los mejores.
    Attachment: BinLadilla.pif

    Subject: HISPASEC
    Message: Esta es la prueba de que HISPASEC roba importantes bases de datos de muchas compañías, incluso hotmail. (los campos en blanco son algunos datos omitidos por razones de anonimato y seguridad).
    Attachment: Noticia45.Txt.pif

    Subject: HISPASEC
    Message: This is the probe that HISPASEC steals important databases of many companies (the fields in blank_target are some data omitted by security and anonimity reasons)
    Attachment: NewsHS.Txt.pif

    Subject: Carnivore databases
    Message: BO2K publish pieces of database gathered by Carnivore.
    Attachment: CarnivoreStory.pif

    Subject: Base de datos. Carnivore.
    Message: BO2K publica parte de la base de datos recopilada por Carnivore.
    Attachment: CarnivoreStory.pif

    Subject: VAN A VENDER HOTMAIL
    Message: parece que los de microsoft no se la pudieron, prefirieron dedicarle tiempo al windows, amenazan con borrar las cuentas, pero se puede evitar siguiendo unos estatuts que ellos ponen a disposición. leelos o no tendras mas cuenta. chao.
    Attachment: Estatutos.pif

    The worm attempts to make some voice phone calls to Colombia, Spain, Puerto Rico, and Mexico. It also attempts to make a phone call to Academia (USA).




    NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    Delete all files that are detected as W32.Venzu.Worm, and re-enable the security value that the worm disabled in the registry. For details on how to do this, read the following instructions.

    To scan for and delete the infected files:
    1. Obtain the most recent virus definitions.
    ...snip...

    2. Start your Symantec antivirus program, and make sure that it is configured to scan all files.
    Norton AntiVirus Consumer products: Read the document How to configure Norton AntiVirus to scan all files.
    Symantec Enterprise antivirus products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
    3. Run a full system scan.
    4. If any files are detected as infected by W32.Venzu.Worm, click Delete.

    To change the value in the registry:

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to the key

    HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Options

    4. In the right pane, change the value of

    EnableMacroVirusProtection = "0"

    so that it is

    EnableMacroVirusProtection = "1"

    5. Exit the Registry Editor.
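A triage check for the host-side indicators both write-ups list (the extra program chained on the System.ini [boot] shell= line, the overwritten Win.ini, and the registry values), plus the macro-protection repair the Symantec steps end with, as an added Python example that is not part of this thread or of either vendor's analysis. The INI text and the registry snapshot are constructed samples modelled on the descriptions above, and the registry is represented as a plain dict instead of a live winreg walk so the check runs on any platform.

```python
import re

# Constructed samples modelled on the write-ups above; not real captures.
SYSTEM_INI = "[boot]\nshell=Explorer.exe 182.exe\n[386Enh]\ndevice=*vcd\n"
WIN_INI = "Estas Infectado Por Blink!!\n"
REGISTRY = {  # (key path, value name) -> data, standing in for a winreg walk
    (r"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Options", "EnableMacroVirusProtection"): "0",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "RegisteredOwner"): "Blink",
    (r"HKEY_LOCAL_MACHINE\Software\KasperskyLab\SharedFiles\avpfolder", "MainDir"): "Blink virus & the Batch company",
}

def shell_persistence(system_ini: str) -> list:
    """Programs chained after Explorer.exe on the [boot] shell= line (Win9x runs every token)."""
    section, extras = None, []
    for raw in system_ini.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and line.lower().startswith("shell="):
            tokens = line.split("=", 1)[1].split()
            # A shell that is not Explorer.exe at all is reported whole.
            extras = tokens[1:] if tokens and tokens[0].lower() == "explorer.exe" else tokens
    return extras

def win_ini_overwritten(win_ini: str) -> bool:
    """The worm replaces Win.ini's sections with its taunt line."""
    return "estas infectado por blink" in win_ini.lower()

def check_registry(reg: dict) -> list:
    """Flag the registry changes above: macro protection off, tampered owner strings, avpfolder markers."""
    findings = []
    for (path, name), data in reg.items():
        if (re.search(r"\\Office\\\d+\.0\\Word\\Options$", path)
                and name == "EnableMacroVirusProtection" and data == "0"):
            findings.append("macro virus protection disabled under " + path)
        elif path.endswith(r"\Windows\CurrentVersion") and "Blink" in data:
            findings.append(f"tampered {name}={data!r}")
        elif r"\KasperskyLab\SharedFiles\avpfolder" in path and "Blink" in data:
            findings.append(f"bogus avpfolder marker {name}={data!r}")
    return findings

def remediate_macro_protection(reg: dict) -> dict:
    """Copy of the snapshot with EnableMacroVirusProtection set back to 1 (Symantec's step 4)."""
    fixed = dict(reg)
    for key, data in reg.items():
        if key[1] == "EnableMacroVirusProtection" and data == "0":
            fixed[key] = "1"
    return fixed
```

On a real Windows 9x/Me host the same functions can be fed the contents of C:\Windows\System.ini and Win.ini and a dict built from winreg; the shell= check is worth keeping in a baseline because that persistence spot is not specific to this worm.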
     