Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity LOW
Payload Screen effect
Detection files published 21 Mar 2002 03:00:00
Description created 22 Mar 2002 08:19:00
Description updated 22 Mar 2002 08:52:00
Malware type WORM
Alias
Spreading mechanism EMAIL
Summary None

W32/Cervivec.A@mm

Spreading

The subject and body text vary: the worm carries versions in several languages and picks one according to the country-code suffix of the recipient's email address. If the suffix does not belong to any of the language groups below, it falls back to English. The lure texts are reproduced verbatim below (including the worm's own misspellings), each followed by an English translation.

Czech, sent to .cz addresses:

S: Vtip

B:

Cervici
Cau posilam ti cerviky tak se na to podivej (virus to neni)

(English: S: "Joke"; B: "Little worms / Hi, I'm sending you the little worms, so take a look at it (it isn't a virus)")

Slovak, sent to .sk addresses:

S: Vtip

B:

Cervici
Cau posielam ti cerviky tak sa na to pozri (virus to neni)

(English: S: "Joke"; B: "Little worms / Hi, I'm sending you the little worms, so take a look at it (it isn't a virus)")

German, sent to .de, .ch, .li and .lu addresses:

S: Witz

B:

Hallo, Ich habe ein guter Witz-Wurm so sieh! (kein virus)

(English: S: "Joke"; B: "Hello, I have a good joke worm, so look! (no virus)")


French, sent to .fr, .gn, .gf, .pf, .sn, .mr, .ml, .ne, .cf, .cd, .mg, .ad and .mq addresses:

S: blague

B:

J'ai une bonne blague ca s'appelle verre de terre alors jette un coup d'oeil (il n'y a pas de virus)

(English: S: "joke"; B: "I have a good joke, it's called 'verre de terre' (a misspelling of 'ver de terre', earthworm), so take a look (there's no virus)")

Russian, sent to .ru, .lt, .lv, .ee, .md, .am, .by, .ua, .kz, .tj, .kg, .tm, .uz, .az and .ge addresses:

The Russian subject and body are written in Cyrillic and are not reproduced here; on a system without a Cyrillic code page they display as unreadable characters.

English, sent to email addresses that do not fit in the other language suffix groups:

S: Joke

B:

Hi, I have some cool joke - worms so have a look at it(no virus)

Polish, sent to .pl addresses:

S: Zart

B:

Czesc, mam swietnz dowcip - robaka. Obejrzyj go sobie (to nie jest wirus)

(English: S: "Joke"; B: "Hi, I have a great joke - a worm. Take a look at it (this isn't a virus)")

Spanish, sent to .es, .gq, .gt, .sv, .ar, .bz, .bo, .cl, .co, .cr, .cu, .do, .ec, .hn, .mx, .ni, .pa, .py, .pe, .pr, .uy and .ve addresses:

S: Chiste

B:

Hola te mando los gusanilloes. Pues mirarlos (no es un virus)

(English: S: "Joke"; B: "Hi, I'm sending you the little worms. Well, look at them (it's not a virus)")

When the worm is run directly (rather than from the Run key described below), it shows a small message box reading "Press restart button to close this application".

(Image not available)


Once the message box is closed, the worm starts its screen effect: coloured lines are drawn across the screen in a random, "worm-like" pattern (see Payload Details below).

At the same time the worm copies itself to the Windows System32 directory as NTKRNL.EXE. Note the name: it imitates, but is not, NTOSKRNL.EXE, the legitimate Windows NT kernel image that lives in the same directory. Removal must target only the worm's files, never the real kernel.

It then adds a value to the Run key so that the copy is started at every logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Kernel Loader" = NTKRNL.EXE -LOADDRIVERS=TRUE

The value contains no path; Windows resolves the bare filename through its normal executable search order, which includes the system directory.

When started from this Run key (which passes the -LOADDRIVERS=TRUE argument), the worm does not show the screen effect. Instead it harvests email addresses from the ICQ contact list, saves them to the file NTOSKRNL.DAT, and mails itself to those addresses.
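A host-side check for the artifacts described above, added here as an example; it is not part of the original description and not a Lumension tool. It assumes that both the worm's copy and its NTOSKRNL.DAT data file sit in the System32 directory (the description names that directory only for NTKRNL.EXE) and that a running instance appears under the process name NTKRNL. Run it from an elevated PowerShell, first without -Remove to see what is found, then with -Remove to clean up.

```powershell
# Added example: look for, and optionally remove, the W32/Cervivec.A@mm
# persistence value and files named in the description above.
# Assumptions (not stated in the original): NTOSKRNL.DAT is stored next to
# NTKRNL.EXE in System32, and the running worm has process name NTKRNL.
[CmdletBinding()]
param(
    [switch]$Remove
)

$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Kernel Loader'
$sys32     = Join-Path $env:SystemRoot 'System32'

# NTKRNL.EXE is the worm; NTOSKRNL.DAT holds the harvested ICQ addresses.
# Neither is NTOSKRNL.EXE, the legitimate kernel image in the same directory.
$artifacts = @('NTKRNL.EXE', 'NTOSKRNL.DAT') | ForEach-Object { Join-Path $sys32 $_ }

$found = $false

# 1. The Run value that restarts the worm at every logon.
$run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run) {
    $found = $true
    Write-Output "Run value '$valueName' = $($run.$valueName)"
    if ($Remove) {
        Remove-ItemProperty -Path $runKey -Name $valueName
        Write-Output '  removed'
    }
}

# 2. The dropped files. Record a hash before deleting for the incident log.
foreach ($f in $artifacts) {
    if (Test-Path -LiteralPath $f) {
        $found = $true
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Write-Output "File $f present (SHA256 $hash)"
        if ($Remove) {
            # The worm may still be running from this file; stop it first.
            Get-Process -Name 'NTKRNL' -ErrorAction SilentlyContinue | Stop-Process -Force
            Remove-Item -LiteralPath $f -Force
            Write-Output '  removed'
        }
    }
}

if (-not $found) { Write-Output 'No W32/Cervivec.A@mm artifacts found.' }
```

The script deliberately matches the exact names from the description rather than a wildcard such as NT*KRNL*, so that the legitimate NTOSKRNL.EXE can never be selected for deletion.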

Payload Details

A screen effect is shown as the worm is run:


(Image not available)

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15