Email-Worm.Win32.Mari.a (Kaspersky Lab) is also known as: I-Worm.Mari.a (Kaspersky Lab), W32/Mari@MM (McAfee), W32.Mari@mm (Symantec), Win32.HLLW.Mari.45056 (Doctor Web), W32/Marijuana (Sophos), Win32/Mari.E@mm (RAV), WORM_MARI.D (Trend Micro), Worm/Mari.A (H+BEDV), Win32:Marijuana (ALWIL), I-Worm/Mari (Grisoft), Win32.Mari.E@mm (SOFTWIN), W32/Mari.A (Panda), Win32/Mari.D (Eset)
This is an Internet worm that spreads via e-mail as an attached EXE file. The
worm itself is a Win32 executable file about 12Kb in length, written in
Visual Basic. To spread, the worm connects to MS Outlook, obtains the e-mail
addresses from the address book, then sends messages to these addresses. The
infected messages contain the following:
Subject: Hi!
Body: check this out!!!
Attach: system32.exe
The worm also installs itself to the system. It copies itself to the \Windows
and \WinNT directories under the name SYSTEM32.EXE. The worm copies itself to
the directory on the current drive, and fails to spread further if it is not
run from the C: drive (the case when the temporary directory in which the worm
copy from an infected message is saved is not on the C: drive). The worm also
fails to infect the system if Windows is installed in a directory with another
name.
The worm registers itself in the auto-run key in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SYSTEM32 = C:\Windows\SYSTEM32.exe
or
SYSTEM32 = C:\Winnt\SYSTEM32.exe
The 'a' version of the worm also modifies the WIN.INI file with auto-run keys under Win9x/ME:
[windows]
load="C:\WINDOWS\SYSTEM32.exe
open="C:\WINDOWS\SYSTEM32.exe"
[winnt]
load="C:\Winnt\SYSTEM32.exe
open="C:\WINDOWS\SYSTEM32.exe"
The worm then stays in Windows memory as a hidden (service) process and
creates a "marijuana" icon in the tray.
Upon a mouse click on the icon, the worm displays the message:
IMPORTANT: PLEASE READ
I think i speak for every pot smoker in North America when i say: *Legalize
Marijuana*...I mean if people with AIDS, Cancer and other deaises can use it
then why cant the rest of us (pot smokers) use it?, I dont think that's very
fair (Do you?). If it's legal to grow and use in places like: Australia (for
personal use) then why not in North America? If doctors are useing it as a
treatment for illness then it must not be *THAT* harmful (So why can't other
people use it?). I really do think the federal goverment should consider
legalization of marijuana. Well that's really all i have to say on the
matter, but i do hope somebody, somewhere listens to what i have to say and
does not just regard this as just another *virus* because it's more then
that, it's a message, a message for freedom, the freedom to smoke up and have
the chose to do so *WITHOUT* fear of punishment from the law and the
goverment. Thank you for your time.
At 4:20 and 16:20, the worm displays the message box:
The worm also modifies the following registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion
RegisteredOrganization = Stoner's Pot Palace.
RegisteredOwner = Im A Pot Head!
HKCU\Software\Microsoft\Internet Explorer\Main
Start Page = http://my.marijuana.com
Window Title = Marijuana Explorer (LEGALIZE IT!!!)
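The persistence and registry artifacts listed above can be checked for with a short script. This is an added example, not part of the original description: the function names and the input format (WIN.INI contents as text, registry values as a mapping of key path and value name to data) are assumptions, and the sample input is constructed.

```python
import configparser
import ntpath

# Indicators copied from the description above.
WORM_PATHS = {r"c:\windows\system32.exe", r"c:\winnt\system32.exe"}
REG_MARKERS = {
    "RegisteredOrganization": "Stoner's Pot Palace.",
    "RegisteredOwner": "Im A Pot Head!",
    "Start Page": "http://my.marijuana.com",
    "Window Title": "Marijuana Explorer (LEGALIZE IT!!!)",
}
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"

def normalize(value):
    """Drop surrounding quotes (balanced or not), then fold case and separators."""
    return ntpath.normpath(value.strip().strip('"').strip()).lower()

def scan_win_ini(text):
    """Return (section, key) pairs whose load=/open= value starts the worm copy."""
    ini = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    ini.read_string(text)
    return [(section, key)
            for section in ini.sections()
            for key in ("load", "open")
            if normalize(ini.get(section, key, fallback=None) or "") in WORM_PATHS]

def scan_registry(values):
    """values maps (key path, value name) -> data; return the matching pairs."""
    hits = []
    for (key, name), data in values.items():
        if key.lower() == RUN_KEY and normalize(data) in WORM_PATHS:
            hits.append((key, name))      # auto-run entry pointing at the worm copy
        elif REG_MARKERS.get(name) == data:
            hits.append((key, name))      # owner / Internet Explorer defacement value
    return hits

# Constructed sample input (not captured from a real host).
SAMPLE_INI = (
    "[windows]\n"
    'load="C:\\WINDOWS\\SYSTEM32.exe\n'      # unbalanced quote, as in the listing above
    'open="C:\\WINDOWS\\SYSTEM32.exe"\n'
    "[Desktop]\n"
    "Wallpaper=C:\\WINDOWS\\System32\\setup.bmp\n"
)
SAMPLE_REG = {
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SYSTEM32"): r"C:\Winnt\SYSTEM32.exe",
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Helper"): r"C:\Windows\System32\helper.exe",
    (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page"): "http://my.marijuana.com",
}
```

The path comparison matches only SYSTEM32.exe placed directly in the Windows root, so legitimate files inside the System32 directory are not flagged.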