WORM_ARGEN.A

Malware type: Worm

Aliases: Email-Worm.Win32.Kitro.d (Kaspersky), W32/Duni.worm.c (McAfee), W32.Kitro.A.Worm (Symantec), Worm/Kitro.D (Avira), W32/Kitro-D (Sophos)

In the wild: No

Destructive: Yes

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Description: 
This destructive worm drops a Visual Basic Script (VBScript) file, which Trend Micro antivirus detects as VBS_ARGEN.A. This VBScript file sends WORM_ARGEN.A to all email addresses in the infected user's Microsoft Outlook address book.

This worm deletes all non-hidden files found in the root directory of Drive C:\ and drops several copies of itself.


Description created: Jul. 5, 2002 9:19:38 AM GMT -0800
Description updated: Jul. 5, 2002 10:25:19 AM GMT -0800


TECHNICAL DETAILS


Initial samples received on: Jul 5, 2002

Related to: VBS_ARGEN.A

Payload 1: Deletes Files in the root directory of Drive C:\

Trigger condition 1: Upon execution

Payload 2: Spams email

Trigger condition 1: Upon execution

Details:
Upon execution, this UPX-packed, memory-resident worm deletes all files in the root directory of Drive C:\ that are not hidden.

It then drops BanderaNegra.VBS in the root directory of Drive C:\. This Visual Basic Script is the mass-mailing component of the worm and is detected by Trend Micro as VBS_ARGEN.A.

Then it obtains the Kazaa file-sharing utility's default download directory from this registry key:

HKEY_CURRENT_USER\Software\KaZaA\Transfer\DlDir0

If the registry key does not exist, it empties the files in the root directory of the infected system's Drive C:\, copies itself into each emptied file, and appends an .EXE extension to the original filename. (For example, it empties CALC.EXE, copies itself into the file, and renames it CALC.EXE.EXE.)

Otherwise, it empties all files in the folder the registry key refers to, copies itself into each emptied file, and appends an .EXE extension to the original filename.

It then drops several copies of itself as the following:

  • C:\AVP40Crack.exe
  • C:\AVP-SpanishPatch.exe
  • C:\CopyPSXgamesV12.exe
  • C:\CounterStrikeMoreServers.exe
  • C:\GameCube-FreeEmulator.exe
  • C:\GamesPSX2Emulator.exe
  • C:\Jedi2-FullCrack.exe
  • C:\MessengerSkins29.exe
  • C:\MP3EncoderDecoder58.exe
  • C:\PandaAllCracks.exe
  • C:\PSX2-Emulator.exe
  • C:\PSXEmulator_Full.exe
  • C:\ResidentEvil-Crack.exe
  • C:\Sexo-Asiatico-FullVideo.exe
  • C:\SexoenlaCalle-Video.ex
  • C:\W98ToXpActualization.exe
  • C:\ WindowsXP-Serials.exe
  • C:\X-Box_Emulator.exe
  • %Windows%\Cristo_Nos_Enseña.Doc.pif
  • %Windows%\EnLosAndes.pif
  • %Windows%\Facturas556.XLS.pif
  • %Windows%\List.txt.by.Microsoft.com
  • %Windows%\Listado.txt.by.Microsoft.com
  • %Windows%\PostalDeAmistad.pif
  • %Windows%\ReparacionDeMessenger.DOC.pif
  • %Windows%\TestDeAmoryAmistad.DOC.pif
  • %Windows%\YaNoPuedoSerYoMismo.DOC.pif

*Where %Windows% refers to the Windows directory, which is usually C:\WINNT or C:\Windows.

This worm then creates the following registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\
KAZAACuF = "9"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\
PAV.EXE = "%Number%"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\
Zonavirus = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\
SharedFiles\Folder = "%Number%"

*Where %Number% is a random number.

It also adds the following registry entry so that it executes at every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\
Bnexe = %Filename%

*Where %Filename% is any of the dropped worm copies.

It then executes its VBScript component, which uses Microsoft Outlook to send copies of this worm to all email addresses in the infected user's Microsoft Outlook address book. The email sent by this worm can have any of the following details:

Subject: Te han enviado una postal.
Message Body: Postales NetWork (c)1999-2002.
Attachment: PostalDeAmistad.pif

Subject: Leelo y reenvialo a quienes aprecias.
Message Body: Si lo que expone este documento es lo que sientes, envialo a tus amigos, algun sueño se hara realidad.
Attachment: Cristo_Nos_Enseña.doc.pif

Subject: Listado de falsas alarmas.
Message Body: Te envio la lista de falsas alarmas, para que no hagas caso a las mentiras, chao que estes bien.
Attachment: Listado.txt.by.Microsoft.com

Subject: This is a last hoax list.
Message Body: I send the list of false alarms, so that you do not make case to the lies bye.
Attachment: List.txt.by.Microsoft.com

Subject: Para los amigos
Message Body: Aqui adjunto las Facturas que nos ha pedido, ruego que nos envie lo que dentro del documento se especifica, Saludos.
Attachment: Facturas556.XLS.pif

Subject: Fw: Enviame tu foto.
Message Body: bueno, aqui esta mi foto cuando estuve viviendo en los andes, disfruta el paisaje.
Attachment: EnLosAndes.pif

Subject: Es posible que nos roben la identidad.
Message Body: lee el documento y veras que puede ser verdad, luego enviaselo a tus amigos para que no les suceda eso.
Attachment: YaNoPuedoSerYoMismo.DOC.pif

Subject: Messenger vulnerable
Message Body: si, ahora nos pueden espiar la cuenta, te envio el documento donde dice que es lo que se debe hacer para arreglarlo, arreglalo lo antes posible.
Attachment: ReparacionDeMessenger.DOC.pif

Subject: 77:Test de amor.
Message Body: Hace el test de amor, calcula el puntaje y reenvialo a tus amigos, pero recuerda hacerlo con Copia Oculta para que no sepan nuestras direcciones.
Attachment: TestDeAmoryAmistad.DOC.pif
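To flag the worm's mails at a gateway or in a mailbox, the following added example (not part of this Trend Micro entry) parses a MIME message and matches attachment names against the table above; it also catches the same double-extension disguise (.DOC.pif, .XLS.pif, .txt.by.Microsoft.com) on names not in the table. The sample messages are constructed with dummy attachment bytes.

```python
import re
import email
from email.message import EmailMessage
from email.policy import default

# Attachment names the worm's mails carry (from the table above) and the
# double-extension disguise they share.
ARGEN_ATTACHMENTS = {n.lower() for n in (
    "PostalDeAmistad.pif", "Cristo_Nos_Enseña.doc.pif", "EnLosAndes.pif",
    "Listado.txt.by.Microsoft.com", "List.txt.by.Microsoft.com",
    "Facturas556.XLS.pif", "YaNoPuedoSerYoMismo.DOC.pif",
    "ReparacionDeMessenger.DOC.pif", "TestDeAmoryAmistad.DOC.pif")}
DOUBLE_EXT_RE = re.compile(r"\.(doc|xls|txt)\.pif$|\.txt\.by\.microsoft\.com$", re.I)

def attachment_names(msg):
    """Filenames of every attachment part of a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

def classify_argen_mail(raw_bytes):
    """Return (verdict, reasons): 'known' for an attachment name from the
    table, 'suspect' for the same disguise on another name, else 'clean'."""
    msg = email.message_from_bytes(raw_bytes, policy=default)
    reasons, verdict = [], "clean"
    for name in attachment_names(msg):
        if name.lower() in ARGEN_ATTACHMENTS:
            reasons.append(f"known WORM_ARGEN.A attachment: {name}")
            verdict = "known"
        elif DOUBLE_EXT_RE.search(name):
            reasons.append(f"disguised double-extension attachment: {name}")
            verdict = verdict if verdict == "known" else "suspect"
    return verdict, reasons

def build_sample(subject, filename):
    """Constructed test message (not a real capture) with one attachment
    whose payload is dummy bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```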


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.308.00

Pattern release date: Jul 5, 2002


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine from Trend Micro.

Solution:
Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup. This is also an effective way to terminate the malware process.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Bnexe
  4. In the same pane, delete the other entries:
    KAZAACuF
    PAV.EXE
    Zonavirus
  5. Restart your system to terminate the worm from memory.
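The registry entries described in the Technical Details and the manual Run-key cleanup above can be checked offline against a text export (regedit /e) taken from a suspect machine. This is an added example, not Trend Micro's code; it assumes the Registry Editor export format and uses a constructed sample export.

```python
import re

# Run values and marker key the worm writes (from the description above).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
ARGEN_RUN_VALUES = {"Bnexe", "KAZAACuF", "PAV.EXE", "Zonavirus"}
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SharedFiles"
# Naming pattern shared by the copies dropped in %Windows% (full list above).
DROP_NAME_RE = re.compile(r"\.pif$|\.txt\.by\.microsoft\.com$", re.I)

def parse_reg_export(text):
    """Parse a Registry Editor text export into {key: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip().strip('"').replace("\\\\", "\\")  # .reg doubles '\'
            keys[current][name.strip('"')] = data
    return keys

def find_argen_autostart(text):
    """Return [(key, value_name, data)] for the worm's persistence and marker
    entries; benign Run values are left out."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for name, data in values.items():
            if key.lower() == RUN_KEY.lower() and (
                    name in ARGEN_RUN_VALUES or DROP_NAME_RE.search(data)):
                hits.append((key, name, data))
            elif key.lower() == MARKER_KEY.lower() and name == "Folder":
                hits.append((key, name, data))
    return hits

# Constructed sample export (not a real capture): one benign Run value,
# the worm's four Run values and its marker key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"KAZAACuF"="9"
"PAV.EXE"="48213"
"Zonavirus"="0"
"Bnexe"="C:\\WINDOWS\\Facturas556.XLS.pif"

[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SharedFiles]
"Folder"="48213"
'''
```

Each hit names a value to delete in the Run key (steps 3 and 4 above); the marker key under KasperskyLab is reported so it can be removed as well.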

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_ARGEN.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other users may use HouseCall, Trend Micro's free online virus scanner.


