Weekly Review – The worm that goes against

Who would have thought malware authors can become cultural as well. It seems some are not all into profit and fame. This week we present a


JavaScript that infects possibly clean websites. It creates 2 invisible iframes
(height 0) in the main page and detects which browser the victim is using.
After this it loads different malware spreading pages inside the iframes in an
attempt to infect the user.

infected computers are marked with a cookie.



This is
worm written in Delphi and seems to originate in Romania. It uses common
Peer-2-Peer software to spread (StrongDC, ApexDC, DCPlusPlus and oDC).


executed, the worm creates a file named System32.F2.sys which it fills with a
huge list of movie, software, crack and keygen names. After this, it checks for
the existence of the above mentioned DC clients and will attempt to open the
DCPlusPlus.xml file, usually found in the same folder of the application. This
folder contains the clients configuration directives and the list of shared
folders it can spread files from.

It will add
the entry C:Program
FilesCommon FilesSystem Internals 32bits and create the folder.


it, the worm will create directories of every entry found in
 System32.F2.sys. In those directories it will
place copies of itself, with double extentions, for example:
some_new_movie.avi.exe or some_new_movie.sub.exe. This way the worm will create
over 1000 folders, in each one at least one copy of itself. Next time the
infected user start his DC client, it will hash and share the whole folder,
allowing the worm to spread.


It also
creates the registry entry: HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunTuneUp
which points to the file: C:Program FilesCommon FilesSystem Internals
32bitsTuneUp.exe  which will ensure the
worm is executed on every system start.


It searches
and deletes every file on the disk that contains one of the following sequences
of characters: Adrian
Minune, Adi De La Valcea, Adi De Vito, Alex de la Orastie, Ali Zaidi, Ady
Pustiu, Babi Minune, Corina, Bocsa Copilul de Aur, Costel Biju, Ciofu, Cristi
Dules, Cristian Rizescu, Dan Bursuc, danezu, Denisa, De Marco, Dj. Bengos, DJ
Sebi, Don Genove, Elvis de la Bistrita, Florin Cristea, Florin Minune, Florin
Mitroi, Florin Peste, Florin Salam, Fratii de Aur, Laura Vass, Liviu Pustiu,
Liviu Guta, Jean de la Craiova, K-meleon, Kristiyana, Ionut Cercel, Marius de
la Focsani, Mihaela Minune, Mihai Priescu, Mihaita Piticu, Minodora, Mr.Juve,
Nea Kalu, Nek, Nicolae Guta, Nicoleta Guta, Octavian Francezul, Pedro Petrica,
Cercel, Printesa de Aur, Roxana Printesa Ardealului, Rudy de la Valcea, Sandu
Ciorba, Sorinel Pustiul, Sorinel Pustiu, Susanu, Suzana, Vali Vijelie, Violeta
Constantin, Zaku.


It connects
to serveral websites hosting media files (usually .mp3) and will attempt to
download some of them in the folder C:Program
FilesCommon FilesSystem Internals 32bitsres
. Here are a
couple of example domains:






The worm
may also overwrite the hosts file with one of its own, that will redirect any
acces to various music, warez or pornographic web-sites to the localhost
(making them inaccesible).

Information in this article is
available courtesy of BitDefender virus researchers: Lutas Andrei Vlad