TrendMicro: WORM_ASSIRAL.A

Discussion in 'malware problems & news' started by Randy_Bell, Feb 25, 2005.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    WORM_ASSIRAL.A is a memory-resident worm that arrives as an email attachment. It propagates by sending copies of itself via email to addresses found in Microsoft Outlook, and by dropping a copy of itself in the root folder of all network and fixed drives connected to affected machines. It is currently spreading in-the-wild, and infecting computers running Windows 98, ME, NT, 2000, and XP.

    Upon execution, it drops the following files in the following locations:

    * %System%\MS_LARISSA.EXE
    * %Windows%\SPOOLMGR.EXE
    * %Windows%\LOVE_LETTER.TXT.EXE
    * C:\Windows\WINVBS_32.VBS (the worm's mass-mailing component)
    * C:\Windows\system32\REG_32.VBS (the worm's payload component)
    * C:\LARISSA_ANTI_BROPIA.HTML (non-malicious file)
    * C:\MESSAGE.TXT (non-malicious file)

    The file LARISSA_ANTI_BROPIA.HTML displays text on affected machines' Internet browsers. The file MESSAGE.TXT contains the following strings:

    Greetz from LARISSA.B!
    I will survive, In this moment in time.
    You computer will crash,
    So, you will be mine.
    I never crash,
    I never fail.
    So, in this moment in time,
    I will survive...
    - LARISSA AUTHOR - 5-15-05

    The worm's component file, WINVBS_32.VBS, is used to propagate the email. It sends copies of itself to addresses in Microsoft Outlook, with the following details:

    Subject: Re: LOV YA !
    Message Body: Kindly read and reply to my LOVE LETTER in the attachments :)
    Attachment: LOVE_LETTER.TXT.exe

    This worm may also propagate through the network by dropping a copy of itself in the root folder of all network and fixed drives connected to affected machines. Certain processes that are associated with antivirus and monitoring applications are terminated by the worm, as well as certain processes associated with variants of WORM_BROPIA. View the list of terminated processes.

    If you would like to scan your computer for WORM_ASSIRAL.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_ASSIRAL.A is detected and cleaned by Trend Micro pattern file #2.427.01 and above.
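
A mail-filter check built from the email details listed in the post, as an added example that is not part of the original post or Trend Micro's advisory. The double-extension pattern generalises beyond the single attachment name given and is an assumption, as are the function names and the constructed sample messages.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Indicators taken from the advisory text above.
SUBJECT = "Re: LOV YA !"
ATTACHMENT = "LOVE_LETTER.TXT.exe"

# Assumption (not from the advisory): a document-style extension directly
# followed by an executable one, e.g. "name.txt.exe", is treated as deceptive.
DOUBLE_EXT = re.compile(
    r"\.(txt|doc|pdf|jpg|gif|htm|html)\.(exe|scr|pif|com|bat|vbs)$", re.I)


def check_message(raw):
    """Return the reasons a raw RFC 822 message resembles the worm's mailing."""
    msg = message_from_string(raw)
    reasons = []
    # Collapse whitespace so folded or padded subjects still compare equal.
    subject = " ".join((msg.get("Subject") or "").split())
    if subject.casefold() == SUBJECT.casefold():
        reasons.append("subject matches advisory")
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        if not name:
            continue
        if name.casefold() == ATTACHMENT.casefold():
            reasons.append(f"attachment name matches advisory: {name}")
        elif DOUBLE_EXT.search(name):
            reasons.append(f"deceptive double extension: {name}")
    return reasons


def build_sample(subject, filename):
    """Constructed test message; addresses and payload are placeholders."""
    m = EmailMessage()
    m["From"] = "alice@example.test"
    m["To"] = "bob@example.test"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, fname in [(SUBJECT, ATTACHMENT), ("Photos", "beach.jpg.scr"),
                        ("Minutes", "minutes.txt")]:
        print(fname, "->", check_message(build_sample(subj, fname)))
```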
     