
Net-Worm.Win32.Mytob.bt

Other versions: .a, .be, .bi, .bk, .c, .cf, .ch, .dc, .eg, .r, .t, .u, .v, .w, .x, .y

Detection added Jul 09 2005 05:19 GMT
Description added Feb 16 2006
Behavior Net-Worm
Technical details

This network worm infects computers running Windows. The worm itself is a Windows PE EXE file 32804 bytes in size, written in Visual C++ and packed using UPack. The unpacked file is approximately 274KB in size.

The worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim machine.

The worm contains a backdoor which listens for commands via IRC channels.

Installation

Once launched, the worm copies itself to the Windows system directory as m0use.exe:

%System%\m0use.exe

The worm then registers itself in the system registry, ensuring that it will be launched each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
 "Userinterface Report3r"="M0USE.exe"

The worm also modifies the following system registry record:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
 "Shell"="Explorer.exe M0USE.exe"

It also modifies the entries listed below in order to block the Shared Access service:

[HKLM\System\CurrentControlSet\Services\SharedAccess]
[HKLM\System\ControlSet001\Services\SharedAccess]
 "Start"="4"
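The persistence points listed above (the Run/RunServices values, the appended Winlogon Shell entry, and the disabled SharedAccess service) are the places a responder checks first. The following script is an added example and is not part of the Kaspersky description; it audits a registry snapshot against those locations. The snapshot is a constructed dict standing in for what would be read with winreg on a live host, and the key paths, value name and file name are taken from the description itself.

```python
"""
Added example (not from the Kaspersky description): audit a registry snapshot
for the persistence artifacts described for Net-Worm.Win32.Mytob.bt.
The snapshot format (key path -> {value name: value data}) is an assumption
chosen so the check runs offline; on a real host the data would come from winreg.
"""
import re

# Persistence locations named in the description.
RUN_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
]
WINLOGON_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SHARED_ACCESS_KEYS = [
    r"HKLM\System\CurrentControlSet\Services\SharedAccess",
    r"HKLM\System\ControlSet001\Services\SharedAccess",
]
# Dropped file name from the description; compared case-insensitively because the
# registry value is written as "M0USE.exe" while the file on disk is "m0use.exe".
WORM_FILENAME = "m0use.exe"


def check_persistence(snapshot):
    """Return a list of (key, value_name, reason) findings for a registry snapshot."""
    findings = []

    # Autorun values that reference the dropped file.
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if WORM_FILENAME in data.lower():
                findings.append((key, name, "autorun entry references " + WORM_FILENAME))

    # Winlogon\Shell should be exactly explorer.exe; anything appended after it is
    # started alongside the shell at every logon.
    shell = snapshot.get(WINLOGON_KEY, {}).get("Shell", "explorer.exe")
    extra = [tok for tok in re.split(r"[\s,]+", shell.strip())
             if tok and tok.lower() != "explorer.exe"]
    if extra:
        findings.append((WINLOGON_KEY, "Shell",
                         "extra program(s) after explorer.exe: " + " ".join(extra)))

    # Start=4 is SERVICE_DISABLED; the description says the worm sets this to
    # block the Shared Access service.
    for key in SHARED_ACCESS_KEYS:
        if str(snapshot.get(key, {}).get("Start", "")) == "4":
            findings.append((key, "Start", "SharedAccess service disabled (Start=4)"))

    return findings


# Constructed snapshot reproducing the values the description lists.
INFECTED_SNAPSHOT = {
    RUN_KEYS[0]: {"Userinterface Report3r": "M0USE.exe"},
    RUN_KEYS[2]: {"Userinterface Report3r": "M0USE.exe"},
    WINLOGON_KEY: {"Shell": "Explorer.exe M0USE.exe"},
    SHARED_ACCESS_KEYS[0]: {"Start": "4"},
}

# Constructed snapshot of a host without these artifacts.
CLEAN_SNAPSHOT = {
    RUN_KEYS[0]: {"ctfmon": "ctfmon.exe"},
    WINLOGON_KEY: {"Shell": "explorer.exe"},
    SHARED_ACCESS_KEYS[0]: {"Start": "2"},
}

if __name__ == "__main__":
    for finding in check_persistence(INFECTED_SNAPSHOT):
        print(" | ".join(finding))
```

The Shell check is deliberately generic: it flags any token after explorer.exe rather than only M0USE.exe, because the Winlogon Shell value is a persistence point shared by many families and a clean value has nothing appended.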

Propagation via email

The worm harvests email addresses from the MS Windows address books and from files with the following extensions:

adb
asp
cgi
dbx
htm
html
jsp
php
pl
sht
tbb
wab
xml

It does not harvest addresses which contain the following strings:

.edu
.gov
.mil
abuse
accoun
acketst
admin
anyone
arin.
avp
berkeley
borlan
bsd
bugs
ca
certific
contact
example
feste
fido
foo.
fsf.
gnu
gold-certs
google
gov.
help
hotmail
iana
ibm.com
icrosof
icrosoft
ietf
info
inpris
isc.o
isi.e
kernel
linux
listserv
math
me
mit.e
mozilla
msn.
mydomai
no
nobody
nodomai
noone
not
nothing
ntivi
page
panda
pgp
postmaster
privacy
rating
rfc-ed
ripe.
root
ruslis
samples
secur
sendmail
service
site
soft
somebody
someone
sopho
spm
submit
support
syma
tanford.e
the.bat
unix
usenet
utgers.ed
webmaster
www
you
your

The worm establishes a direct connection to the recipient's SMTP server in order to send infected messages.

Infected messages

Sender (includes one of the names listed below):

  • adam
  • alex
  • andrew
  • anna
  • bill
  • bob
  • bob
  • brenda
  • brent
  • brian
  • claudia
  • dan
  • dave
  • david
  • debby
  • frank
  • fred
  • george
  • helen
  • jack
  • james
  • jane
  • jerry
  • jim
  • jimmy
  • joe
  • john
  • jose
  • josh
  • julie
  • kevin
  • leo
  • linda
  • maria
  • mary
  • matt
  • michael
  • mike
  • paul
  • peter
  • ray
  • robert
  • sales
  • sam
  • sandra
  • serg
  • smith
  • stan
  • steve
  • ted
  • tom

Message subject (chosen from the list below):

  • <random symbols>
  • *DETECTED* Online User Violation
  • Email Account Suspension
  • Important Notification
  • Members Support
  • Notice of account limitation
  • Security measures
  • Warning Message: Your services near to be closed.
  • You have successfully updated your password
  • Your Account is Suspended
  • Your Account is Suspended For Security Reasons
  • Your new account password is approved
  • Your password has been successfully updated
  • Your password has been updated

Message body:

Infected messages have a blank message body.

Attachment name (chosen from the list below):

  • <random symbols>
  • accepted-password
  • account-details
  • account-info
  • account-password
  • account-report
  • approved-password
  • document
  • email-details
  • email-password
  • important-details
  • new-password
  • password
  • readme
  • updated-password

The attachment may have one of the extensions listed below:

  • bat
  • cmd
  • exe
  • pif
  • scr

The attachment may also be a zip file, which contains a copy of the worm with a double extension. In such cases, the first extension will be one of the extensions listed below:

  • doc
  • htm
  • txt

The second may be one of the extensions listed below:

  • exe
  • pif
  • scr
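The message template above (a subject from a fixed list, an empty body, and an attachment whose stem and extension come from fixed lists, or a zip carrying a double-extension copy) is specific enough to match at a mail gateway. The following is an added example, not part of the Kaspersky description, that scores a message against that template; the sample messages at the bottom are constructed.

```python
"""
Added example (not from the Kaspersky description): score an incoming message
against the Mytob.bt mail template given in the description. The message
fields (subject, body, attachment name, zip member names) are assumed to have
been extracted already by the mail pipeline.
"""

SUBJECTS = {
    "*DETECTED* Online User Violation",
    "Email Account Suspension",
    "Important Notification",
    "Members Support",
    "Notice of account limitation",
    "Security measures",
    "Warning Message: Your services near to be closed.",
    "You have successfully updated your password",
    "Your Account is Suspended",
    "Your Account is Suspended For Security Reasons",
    "Your new account password is approved",
    "Your password has been successfully updated",
    "Your password has been updated",
}
ATTACHMENT_STEMS = {
    "accepted-password", "account-details", "account-info", "account-password",
    "account-report", "approved-password", "document", "email-details",
    "email-password", "important-details", "new-password", "password",
    "readme", "updated-password",
}
EXEC_EXTS = {"bat", "cmd", "exe", "pif", "scr"}
ZIP_FIRST_EXTS = {"doc", "htm", "txt"}
ZIP_SECOND_EXTS = {"exe", "pif", "scr"}


def attachment_matches(name, zip_members=()):
    """True if the attachment fits the worm's naming scheme.

    zip_members lists the file names inside a .zip attachment, if any.
    """
    stem, dot, ext = name.lower().rpartition(".")
    if not dot:
        return False
    if ext in EXEC_EXTS:
        return stem in ATTACHMENT_STEMS
    if ext == "zip":
        for member in zip_members:
            parts = member.lower().split(".")
            # e.g. "password.txt.exe" -> ["password", "txt", "exe"]
            if len(parts) == 3 and parts[1] in ZIP_FIRST_EXTS and parts[2] in ZIP_SECOND_EXTS:
                return True
    return False


def score_message(subject, body, attachment=None, zip_members=()):
    """Return (score, reasons); score 3 means every template feature matched."""
    reasons = []
    if subject.strip() in SUBJECTS:
        reasons.append("subject from worm list")
    if body.strip() == "":
        reasons.append("blank body")
    if attachment and attachment_matches(attachment, zip_members):
        reasons.append("attachment name/extension pattern")
    return len(reasons), reasons


def is_mytob_like(subject, body, attachment=None, zip_members=()):
    """Require the attachment pattern plus at least one more feature, so a blank
    body or a coincidentally matching subject does not fire on its own."""
    score, reasons = score_message(subject, body, attachment, zip_members)
    return "attachment name/extension pattern" in reasons and score >= 2


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("Your Account is Suspended", "", "account-info.scr", ()),
        ("Important Notification", "", "password.zip", ("password.txt.exe",)),
        ("Important Notification", "Hi Bob, see attached.", "quarterly-report.pdf", ()),
    ]
    for subject, body, attachment, members in samples:
        print(subject, "->", is_mytob_like(subject, body, attachment, members))
```

Attachments whose stem is random (the "<random symbols>" case) are not matched by name; for those, the subject and blank-body signals together with the executable extension are the useful features, which is why the verdict is built from several signals rather than the attachment name alone.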

Remote administration

The worm opens a random TCP port on the victim machine and connects to the IRC server name.turkintikamtugayi.com to receive commands. This gives a remote malicious user full access to the victim machine, making it possible to access information and to download, launch and delete files.

Other

The worm modifies the %System%\drivers\etc\hosts file by appending the lines shown below. Each listed site is resolved to the local machine, which makes it impossible to reach those sites (mostly antivirus vendor and update servers) from the victim machine.

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
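Because the hosts file overrides DNS, a single appended block like the one above silently cuts a machine off from antivirus updates. The following is an added example, not part of the Kaspersky description: a parser that reports every hostname mapped to a loopback or unspecified address and intersects the result with a watchlist of update hostnames. The sample hosts content and the watchlist are constructed from entries in the description.

```python
"""
Added example (not from the Kaspersky description): find hostnames that a
hosts file redirects to loopback or 0.0.0.0, the technique the description
shows being used against antivirus vendor sites.
"""
import ipaddress

# Names that legitimately map to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip = fields[0]
        for host in fields[1:]:
            yield ip, host.lower()


def sinkholed_hosts(text):
    """Return sorted unique hostnames mapped to a loopback or unspecified address."""
    hits = set()
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field; out of scope for this check
        if (addr.is_loopback or addr.is_unspecified) and host not in LOCAL_NAMES:
            hits.add(host)
    return sorted(hits)


def blocked_watchlist_hosts(text, watchlist):
    """Subset of the watchlist (e.g. vendor update hosts) that is sinkholed."""
    return sorted(set(sinkholed_hosts(text)) & {h.lower() for h in watchlist})


# Constructed hosts file: default loopback lines plus entries from the description
# and one ad-blocking style 0.0.0.0 entry, which is flagged as well.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.paypal.com
0.0.0.0 ads.example.test   # constructed entry
"""

# Constructed watchlist drawn from the hostnames in the description.
WATCHLIST = ["liveupdate.symantec.com", "update.symantec.com",
             "www.kaspersky.com", "download.mcafee.com"]

if __name__ == "__main__":
    print("sinkholed:", sinkholed_hosts(SAMPLE_HOSTS))
    print("watchlist hits:", blocked_watchlist_hosts(SAMPLE_HOSTS, WATCHLIST))
```

The check flags every non-local name mapped to loopback, not only the vendor list, because an ad-blocking hosts file produces the same pattern; the watchlist intersection is what separates a deliberate local configuration from an update-blocking modification worth escalating.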
 

Copyright © 1996 - 2010
Kaspersky Lab
All rights reserved