WORM_CULT.C

Discussion in 'malware problems & news' started by Randy_Bell, Apr 12, 2003.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    WORM_CULT.C is a memory-resident variant of WORM_CULT.A. It uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate via email and uses Internet Relay Chat for its backdoor capabilities.

    Upon execution, it creates an IEXPLORER.EXE file in the Windows system directory, which is typically any of the following depending on the operating system:

    C:\Windows\System - on Windows 95, 98, and ME
    C:\WinNT\System32 - on Windows NT and 2000
    C:\Windows\System32 - on Windows XP

    It spoofs the email address in the "from:" field of the email it sends, using a list of 148 possible choices. The details of the email are as follows:

    From: <randomly generated using any of the following domains>

    Earthlink.net
    email.com
    hotmail.com
    msn.com
    Roadrunner.com
    yahoo.com

    Subject: Hi , I sent you an eCard from Blue-Mountain.com

    Message Body: To view your eCard, open the attachment
    If you have any comments or questions, please visit
    http://www.bluemountain.com/customer/index.pd

    Thanks for using BlueMountain.com.

    Attachment: BlueMountaineCard.pif

    The attachment is a copy of the worm. This malware also acts as a server program performing backdoor capabilities. Once resident, it attempts to connect to an Internet Relay Chat (IRC) server. Upon connection, it joins a particular chat room using a random nickname. Then it notifies a remote user that an infected system is ready to receive and process commands. An infected system sends the following information to a remote user:

    CPU speed, RAM size (total and free)
    Windows platform used and its build and version
    Internet connection type and IP address
    User name and domain

    As a server backdoor component, this malware also opens random ports where it listens at one-second intervals for commands from the remote user. It enables the malicious user to issue the following commands, which adversely compromise system security:

    Download updated copies of itself
    Download files and run them on the infected system
    Propagate via IRC and email
    Launch a DoS attack against a certain IP address

    If you would like to scan your computer for WORM_CULT.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_CULT.C is detected and cleaned by Trend Micro pattern file #510 and above.
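As an added example (not part of the post or of Trend Micro's advisory), the script below turns the indicators the post lists into a defender's check: it flags a raw mail message that carries the eCard lure (subject, spoofed "From" domain, .pif attachment) and looks for the dropped IEXPLORER.EXE in the three system directories named above. The sample message is constructed here to exercise the check.

```python
"""Added example: flag the WORM_CULT.C lure in mail and find the dropped file."""
import email
import os
from email import policy
from email.utils import parseaddr

LURE_SUBJECT = "I sent you an eCard from Blue-Mountain.com"
LURE_ATTACHMENT = "bluemountainecard.pif"
SPOOFED_DOMAINS = {"earthlink.net", "email.com", "hotmail.com",
                   "msn.com", "roadrunner.com", "yahoo.com"}
# Directories named in the post; note the dropped IEXPLORER.EXE is one
# letter away from the legitimate IEXPLORE.EXE, so match the exact name.
SYSTEM_DIRS = [r"C:\Windows\System", r"C:\WinNT\System32", r"C:\Windows\System32"]
DROPPED_FILE = "IEXPLORER.EXE"


def lure_indicators(raw_message: bytes) -> list:
    """Return the lure indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    if LURE_SUBJECT.lower() in str(msg["subject"] or "").lower():
        found.append("subject")
    _, addr = parseaddr(str(msg["from"] or ""))
    if addr.rpartition("@")[2].lower() in SPOOFED_DOMAINS:
        found.append("spoofed-from-domain")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == LURE_ATTACHMENT or name.endswith(".pif"):
            found.append("pif-attachment")
            break
    return found


def dropped_file_paths(system_dirs=SYSTEM_DIRS) -> list:
    """Return the full paths where the dropped file exists on this host."""
    candidates = [os.path.join(d, DROPPED_FILE) for d in system_dirs]
    return [p for p in candidates if os.path.isfile(p)]


# Constructed sample message reproducing the lure described in the post.
SAMPLE_MAIL = b"""From: someone@hotmail.com
To: victim@example.org
Subject: Hi , I sent you an eCard from Blue-Mountain.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

To view your eCard, open the attachment
--b1
Content-Type: application/octet-stream; name="BlueMountaineCard.pif"
Content-Disposition: attachment; filename="BlueMountaineCard.pif"

XXXX
--b1--
"""

if __name__ == "__main__":
    print(lure_indicators(SAMPLE_MAIL))  # ['subject', 'spoofed-from-domain', 'pif-attachment']
    print(dropped_file_paths())
```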
     
Thread Status:
Not open for further replies.