WORM_ASSIRAL.B

Malware type: Worm

Aliases: VBS.Assiral.B, W32/Laris.worm, W32/Small-DH, Win32/Assira.A.worm

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This memory-resident worm propagates via email messages. It sends a copy of itself to email addresses found in files with extension names starting with HT.

It can also propagate via network shares by dropping a copy of itself in the root directory of all network and fixed drives.

This worm can terminate certain processes that are associated with antivirus and security applications. It may also delete .DLL files found in different folders under C:\.

Upon execution, it drops a copy of itself on the affected system, as well as its Visual Basic script (VBS) component, which is detected by Trend Micro as VBS_ASSIRAL.A.

For additional information about this threat, see:

Description created: Feb. 24, 2005 8:22:45 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 41,984 Bytes (compressed);
76,288 Bytes (uncompressed)

Initial samples received on: Feb 24, 2005

Compression type: Aspack

Related to: VBS_ASSIRAL.A

Payload 1: Deletes .DLL files

Payload 2: Terminates antivirus and security processes

Details:

Arrival and Installation

This worm arrives on a system as an attachment to an email message or may be dropped into the root folder of a drive.

Upon execution, it drops a copy of itself on an affected system, as follows:

  • %System%\MS_LARISSA.exe
  • %System%\WinProx32.exe
  • %Windows%\ISASS.exe
  • %Windows%\WinBoot.exe

(Note: %System% is the Windows system directory which is usually C:\Windows\system in Windows 95, 98 and ME, C:\Windows\system32 in Windows XP and C:\WINNT\system32 in Windows NT and 2000. %Windows% is the Windows directory which is usually C:\Windows in Windows 95, 98, ME and XP and C:\WINNT in Windows NT and 2000.)

It also drops its payload component in the Windows system folder as the file REG_32.VBS. This dropped file is detected by Trend Micro as VBS_ASSIRAL.A.

It also drops the text file, C:\(-L4r1$$4-)(-W4z-)(-H3r3-).txt, which contains the following strings:

1f u h4v r3z34v3d d1z m3zz4g3 d3n ur c0mput3r h4z b33n inf3ct3d
by d4 L4r1$$4 v1ruz! D1z 1z d4 s3c0nd v3rz10n 0f w0rm :-) !!!!
-------------------------------------------------------------
Gr33tz by - L4r1$$4 4uth0r -- 2/19/05

Autostart Technique

It creates the following registry entries to enable its dropped files to run automatically at each Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
MS LARISSA = "%System%\MS_LARISSA.exe"
-=%20(L4r1$$4)%20=-(4nt1)-=%20(V1ru$)=-%20 = "%Windows%\ISASS.exe"
Windows Boot Log = "%Windows%\WinBoot.exe"
Windows Proxy Server = "%System%\WinProx32.exe"
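The dropped files and Run-key values above are a compact set of host indicators. The following Python script is an added example for hunting them on a host; it is not Trend Micro's tool. It reads the Run key with the standard winreg module when run on Windows, and the file check takes an injectable existence function so the matching logic can be exercised offline. The value names and paths are copied from the advisory; the directory defaults and sample data are assumptions.

```python
import ntpath
import os
import sys

# Indicators as listed in the advisory; %System% and %Windows% are expanded at run time.
RUN_VALUE_NAMES = {"MS LARISSA", "-=%20(L4r1$$4)%20=-(4nt1)-=%20(V1ru$)=-%20",
                   "Windows Boot Log", "Windows Proxy Server"}
DROPPED_FILES = [r"%System%\MS_LARISSA.exe", r"%System%\WinProx32.exe",
                 r"%Windows%\ISASS.exe", r"%Windows%\WinBoot.exe",
                 r"%System%\REG_32.VBS", r"C:\(-L4r1$$4-)(-W4z-)(-H3r3-).txt"]
DROPPED_NAMES = {ntpath.basename(p).lower() for p in DROPPED_FILES}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def suspicious_run_entries(run_values):
    """Flag Run-key values (name -> command) by exact value name or by the
    target's file name; ISASS.exe is one letter from the legitimate lsass.exe."""
    hits = []
    for name, command in run_values.items():
        exe = ntpath.basename(command.strip().strip('"')).lower()
        if name in RUN_VALUE_NAMES or exe in DROPPED_NAMES:
            hits.append((name, command))
    return hits


def present_dropped_files(windows_dir, system_dir, exists=os.path.exists):
    """Return the advisory's dropped-file paths that exist; exists() is injectable for tests."""
    paths = [p.replace("%System%", system_dir).replace("%Windows%", windows_dir)
             for p in DROPPED_FILES]
    return [p for p in paths if exists(p)]


def read_run_key():
    """Enumerate HKLM\\...\\Run with the standard winreg module on Windows; {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        return {name: str(data) for name, data, _ in
                (winreg.EnumValue(key, i) for i in range(count))}


if __name__ == "__main__":
    windows_dir = os.environ.get("SystemRoot", r"C:\Windows")  # assumed default
    system_dir = ntpath.join(windows_dir, "System32")
    for hit in suspicious_run_entries(read_run_key()):
        print("autostart entry:", hit)
    for path in present_dropped_files(windows_dir, system_dir):
        print("dropped file present:", path)
```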

Network Propagation

This worm propagates through network shares by dropping a copy of itself in the root directory of all network and fixed drives as the file MS_LARISSA.EXE.

Email Propagation

This worm may also propagate via email messages by sending a copy of itself to all email addresses contained in files with extension names that start with HT.

The email that it sends out has the following details:

Subject: (any of the following)
  • Check my Pic out....
  • IM SEXY!!!
  • IMPORTANT!!
  • LETTER
  • LOVE YOU!!!!
  • Microsoft Update: MS_LARISSA
  • My Profile
  • MY SEXY PIC!!!
  • PLZ READ
  • PLZ READ!
  • PORNO
  • PRIVATE MSG!!
  • Re: I LOVE YOU
  • Re: LOV YA!!
  • READ_ME
  • SECRET_MSG!!!
  • Windows Update: LARISSA
  • Windows Update: MSKERNEL32.dll
  • Your DOCUMENTS

Message Body: (any of the following)
  • Please download the latest Microsoft Update: MS_LARISSA.
  • The message is in the attachments.
  • CHECK MY PIC OUT
  • Check out MY SEXY PIC
  • Private message: located in attachments
  • XXX FILEZ IN ATTACHMENTS
  • Check my profile out
  • The DOCUMENTS you requested are in the attachments.
  • LMAO CHECK THIS OUT.
  • README located in the attachments.
  • Plz read the attached msg.
  • Free Porn passwords
  • The latest update is in the attachments: LARISSA
  • IM SO SEXY CHECK MY PIC OUT
  • Windows Update: MSKERNEL32.dll is located in the attachments
  • PLZ READ
  • My letter is in the attachments :-)
  • The secret msg is in the attachments
  • Please read and reply to my LOVE LETTER in the attachments!

Attachment: (any of the following)
  • DOCUMENTS.exe
  • Encrypted_MSG.exe
  • I_LOVE_U.exe
  • LARISSA.exe
  • LETTER.exe
  • LOL.exe
  • LOVE.exe
  • MESSAGE.exe
  • MS_LARISSA.exe
  • My_Profile.exe
  • MY_SXY_PIC.exe
  • PATCH.exe
  • PORN.exe
  • PRIVATE_MSG.exe
  • READ.exe
  • README.exe
  • SEXY.exe
  • Sexy_PIC.exe
  • XXX.exe
  • YOUR_DOCS.exe
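The subject and attachment lists above translate directly into a mail-gateway rule. The following Python example is added here and is not part of the advisory: it parses a raw message with the standard library, flags a message whose subject and attachment name both come from the advisory's lists, and otherwise falls back to the broader rule of flagging any executable attachment. The sender and recipient addresses and the MZ stub are constructed test data.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject and attachment lures as listed in the advisory (packed to stay compact).
SUBJECTS = set("""Check my Pic out....|IM SEXY!!!|IMPORTANT!!|LETTER|LOVE YOU!!!!|
Microsoft Update: MS_LARISSA|My Profile|MY SEXY PIC!!!|PLZ READ|PLZ READ!|PORNO|PRIVATE MSG!!|
Re: I LOVE YOU|Re: LOV YA!!|READ_ME|SECRET_MSG!!!|Windows Update: LARISSA|
Windows Update: MSKERNEL32.dll|Your DOCUMENTS""".replace("\n", "").split("|"))
ATTACHMENTS = {a.lower() for a in """DOCUMENTS.exe|Encrypted_MSG.exe|I_LOVE_U.exe|LARISSA.exe|
LETTER.exe|LOL.exe|LOVE.exe|MESSAGE.exe|MS_LARISSA.exe|My_Profile.exe|MY_SXY_PIC.exe|PATCH.exe|
PORN.exe|PRIVATE_MSG.exe|READ.exe|README.exe|SEXY.exe|Sexy_PIC.exe|XXX.exe|YOUR_DOCS.exe"""
.replace("\n", "").split("|")}


def classify(raw_bytes):
    """Return 'assiral' for a subject + attachment pair from the advisory,
    'exe-attachment' for any other executable attachment, else 'clean'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if subject in SUBJECTS and any(n in ATTACHMENTS for n in names):
        return "assiral"
    if any(n.endswith(".exe") for n in names):
        return "exe-attachment"
    return "clean"


def build_sample(subject, attachment_name, body="The message is in the attachments."):
    """Construct a sample message in memory (test data, not a captured worm email)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"   # constructed address
    msg["To"] = "recipient@example.com"  # constructed address
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:  # a 4-byte MZ stub stands in for the real attachment
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()
```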

Process Termination

This worm can also terminate the following processes, which are mostly associated with antivirus and security applications:

  • alogserv.exe
  • APVXDWIN.EXE
  • ATUPDATER.EXE
  • AUPDATE.EXE
  • AUTODOWN.EXE
  • AUTOTRACE.EXE
  • AUTOUPDATE.EXE
  • Avconsol.exe
  • AVENGINE.EXE
  • AVPUPD.EXE
  • Avsynmgr.exe
  • AVWUPD32.EXE
  • AVXQUAR.EXE
  • bawindo.exe
  • blackd.exe
  • ccApp.exe
  • ccEvtMgr.exe
  • ccProxy.exe
  • ccPxySvc.exe
  • CFIAUDIT.EXE
  • DefWatch.exe
  • DRWEBUPW.EXE
  • ESCANH95.EXE
  • ESCANHNT.EXE
  • FIREWALL.EXE
  • FrameworkService.exe
  • ICSSUPPNT.EXE
  • ICSUPP95.EXE
  • LUALL.EXE
  • LUCOMS~1.EXE
  • mcagent.exe
  • mcshield.exe
  • MCUPDATE.EXE
  • mcvsescn.exe
  • mcvsrte.exe
  • mcvsshld.exe
  • navapsvc.exe
  • navapw32.exe
  • NISUM.EXE
  • nopdb.exe
  • NPROTECT.EXE
  • NUPGRADE.EXE
  • OUTPOST.EXE
  • PavFires.exe
  • pavProxy.exe
  • pavsrv50.exe
  • Rtvscan.exe
  • RuLaunch.exe
  • SAVScan.exe
  • SHSTAT.EXE
  • SNDSrvc.exe
  • SpySweeper.exe
  • symlcsvc.exe
  • UPDATE.EXE
  • UpdaterUI.exe
  • Vshwin32.exe
  • VsStat.exe
  • VsTskMgr.exe

File Deletion

This worm has a destructive payload of deleting .DLL files from the following folders:

  • C:\
  • C:\Windows
  • C:\Windows\System
  • C:\Windows\System32
  • C:\Windows\System32\dllcache

Analysis By: Michael Stephen Tonido

Revision History:

First pattern file version: 2.444.00
First pattern file release date: Feb 25, 2005

SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.444.00

Pattern release date: Feb 25, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Note: Refer also to the Clean Solution for VBS_ASSIRAL.A.

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE all files detected as WORM_ASSIRAL.B.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro's online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    • On Windows 95, 98, and ME, press CTRL+ALT+DELETE.
    • On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    -=%20(L4r1$$4)%20=-(4nt1)-=%20(V1ru$)=-%20 = "%Windows%\ISASS.exe"
    MS LARISSA = "%System%\MS_LARISSA.exe"
    Windows Boot Log = "%Windows%\WinBoot.exe"
    Windows Proxy Server = "%System%\WinProx32.exe"

  (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP. %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.)
  4. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_ASSIRAL.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.