W32.Cazinat@mmW32, I-Worm.Cazinat

Virus type: Internet worm

Affected platforms: Windows 95/98/ME/NT/2000/XP, provided MSVBVM60.DLL is installed on the system

Infection signs:
- presence of the Canapa.scr and Norton.exe files in C:\windows\system
- presence of the Contact-e-mail.ini file in the temporary folder
- presence of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Norton=Norton.exe entry in the system registry

Virus description:

Win32.HLLM.Canapa.58075 is a mass-mailing worm written in MS Visual Basic 6. It affects computers running the Windows 95/98/ME/NT/2000/XP operating systems.

The worm propagates over the Internet by sending itself to all e-mail addresses found in .htm files on drive C:\. It retrieves the addresses and stores them in the Contact-e-mail file in the C:\windows\temp folder. Its subsequent propagation is based on the e-mail addresses the worm has collected in that file.

The message infected with Win32.HLLM.Canapa.58075 is written in Italian and urges users to open a screen saver program devoted to hemp legalization:

Subject: Screen Saver Canapa

Message body:
Buongiorno, il nostro Staff le ha allegato uno screen saver riguardante l' uso della canapa tra i giovani d' oggi. Questo contiene molte informazioni che e bene conoscere, soprattutto se non si fa uso di tale sostanza! Se e favorevole alla legalizzazione della canapa(non droga) faccia notizia espandendo quest' email ai suoi amici e colleghi. Staff di Servizio abbonati. Gentile abbonato, lo r ti regala un grazioso screen saver come da te richiesto. Se non vuoi ricevere piu i nostri screen saver inviaci una e-mail vuota. Per accedere direttamente al nostro sito clicca sul link che segue: http://link to web site

Attachment: Canapa.scr

If a user reads the message in Italian and clicks the false link, the worm writer may feel satisfied.

When run, the worm places two copies of itself, Canapa.scr and Norton.exe (87,771 bytes), in the C:\Windows\System folder.
To ensure it is executed automatically after every system start or restart, it adds the value Norton Norton.exe to the registry entry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

After that, the worm searches the local drive C:\ for files with *.exe, *.com and *.scr extensions and corrupts them.

To spread, the worm uses its own built-in SMTP engine to send mail via the smtp.aruba.it server, with arbitrary addresses in the @aruba.it domain as sender addresses. The recipients' addresses are retrieved by the worm from [mailto] tags in *.htm files on local drive C:\.

The worm includes a UPX-packed executable file written in Borland Delphi. It places this file in a temporary folder and runs it. This file displays a dialogue box with a message about updating some registration key and creates the following entry in the system registry:

HKLM\Software\Electronic Arts\EA Games\Battlefield 1942\ergc

in which it adds several figures. The program does not contain any malicious code.

To summarize, on an infected system the worm performs the following actions, all undesirable for the user:
- mass-mails its infected copies
- places several files on the system
- makes changes to the system registry to ensure its automatic execution after every system restart
- may corrupt files with .com, .exe and .scr extensions on drive C:\.

It is worth noting that this worm, being written in Visual Basic, requires the MSVBVM60.DLL system library and some other components needed to execute Visual Basic programs. If those required components are not installed on the system, the program will not run. This fact limits how widely the worm spreads. It was supposedly written on August 29, 2002 and failed to spread widely on the Internet during the last month.
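
An offline check for the infection signs listed above, as an added example that is not part of the original description: it scans a collected file listing and a regedit export of the Run key. The function names, the (path, size) input shape and the sample data are assumptions made for illustration; the address file is matched by name in any folder, since the temporary folder's location varies.

```python
import ntpath
import re

# Indicators from the description above (helper names are illustrative); compared case-insensitively.
SYSTEM_DIR = r"c:\windows\system"
DROPPED = {"canapa.scr", "norton.exe"}
DROPPED_SIZE = 87771
HARVEST = {"contact-e-mail.ini", "contact-e-mail"}
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
REG_STRING = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse regedit export text into {key (lowercase): {value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].rstrip("\\").lower(), {})
        elif current is not None and (m := REG_STRING.match(line)):
            # Undo the export's escaping of backslashes and quotes.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def find_indicators(files, reg_text):
    """files: (path, size) pairs from a host file listing. Returns a list of findings."""
    hits = []
    for path, size in files:
        folder, name = ntpath.split(path.lower())
        if folder == SYSTEM_DIR and name in DROPPED:
            note = "size matches" if size == DROPPED_SIZE else "size differs"
            hits.append(f"dropped copy: {path} ({note})")
        elif name in HARVEST:
            hits.append(f"address list: {path}")
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        if name.lower() == "norton" and ntpath.basename(data).lower() == "norton.exe":
            hits.append(f"Run autostart: {name}={data}")
    return hits

# Constructed sample triage data (not taken from a real host).
SAMPLE_FILES = [
    (r"C:\WINDOWS\SYSTEM\Canapa.scr", 87771),
    (r"C:\WINDOWS\SYSTEM\Norton.exe", 87771),
    (r"C:\WINDOWS\TEMP\Contact-e-mail.ini", 412),
    (r"C:\Program Files\Tools\Norton.exe", 20480),  # same name, other folder
]
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton"="Norton.exe"
'''
```

Calling find_indicators(SAMPLE_FILES, SAMPLE_REG) reports the two dropped copies, the address list and the Run entry, and ignores the Norton.exe outside C:\windows\system.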