W32/Cazinat@mmW32 Worm

Discussion in 'malware problems & news' started by Paul Wilders, Oct 1, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    W32.Cazinat@mmW32, I-Worm.Cazinat

    Virus type:

    Internet worm

    Affected platforms:

    Windows 95/98/ME/NT/2000/XP in case there is a MSVBVM60.DLL installed in the system

    Infection signs:

    presence of Canapa.scr and Norton.exe files in C:\windows\system
    presence of Contact-e-mail.ini file in the temporary folder
    presence of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Norton=Norton.exe entry in the system registry

    Virus description:

    Win32.HLLM.Canapa.58075 is a mass-mailing worm written in MS Visual Basic 6. It affects computers under Windows 95/98/ME/NT/2000/XP operating systems. The worm propagates via Internet sending itself to all e-mail addresses found in .htm files on drive C:\. It retrieves addresses and stores them in C:\windows\temp folder into Contact-e-mail file. Its subsequent propagation is based on e-mail addresses picked up by the worm in that file.
    The message infected with Win32.HLLM.Canapa.58075 is written in Italian and calls users to open a screen saver program devoted to hemp legalization:

    Subject: Screen Saver Canapa
    Mesage body:
    Buongiorno, il nostro Staff le ha allegato uno screen saver riguardante l' uso della canapa tra i giovani d' oggi. Questo contiene molte informazioni che e bene conoscere, soprattutto se non si fa uso di tale sostanza! Se e favorevole alla legalizzazione della canapa(non droga) faccia notizia espandendo quest' email ai suoi amici e colleghi.
    Staff di Servizio abbonati.
    Gentile abbonato, lo r ti regala un grazioso screen saver come da te richiesto. Se non vuoi ricevere piu i nostri screen saver inviaci una e-mail vuota.
    Per accedere direttamente al nostro sito clicca sul link che segue:
    http://link to web site
    Attachment: Canapa.scr

    If a user reads the message in Italian and clicks the false link the worm writer may feel satisfied. When run, the worm places to C:\Windows\System folder two of its copies - Canapa.scr and Norton.exe (87,771 bytes). To secure its automatic execution after the system start or restart it adds the value Norton Norton.exe to the registry entry
    After that the worm searches the local drive C:\ for the files with *.exe, *.com and *.scr extensions and corrupts them.

    For spreading via smtp.aruba.it server the worm has its own built-in SMTP engine and uses arbitrary addresses of @aruba.it domain as sender's addresses. The recipients` addresses are retrieved by the worm from *.htm files in [mailto] tag in local drive C:\.

    The worm includes a UPX-packed executable file written in Borland Delphi. It places this file into a temporary folder and runs it. This file displays on the screen a dialogue box with a message on some registration key updating and creates the following registry entry in the system registry:
    HKLM\Software\Electronic Arts\EA Games\Battlefield 1942\ergc
    in which it adds several figures. The program does not contain any malicious code.

    To summarize, in case of a system infection the worm performs the following undesirable for a user actions:

    mass-mails its infected copies
    places several files into the system
    makes changes to the system registry in order to secure its automatic execution after every system restart
    may corrupt files with .com, .exe and .scr extensions on drive С:\.
    It is worth noting that this worm written in Visual Basic requires a MSVBVM60.DLL system library and some other components providing for the program execution in Visual Basic. If those requiered components are not installed in the system the program will not run. This fact conditions the low-level spreading of the worm. It was supposedly written on August 29, 2002 and failed to mass spread during last month in Internet.
Thread Status:
Not open for further replies.