WORM_FRANRIV.A

Malware type: Worm

Aliases: P2P-Worm.Win32.Franvir (Kaspersky), W32/Franriv.worm (McAfee), W32.HLLW.Franriv (Symantec), Worm/Franvir.A (Avira)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This worm is a proof-of-concept program that demonstrates how a game construction kit, such as the popular Game Maker, can be used to build malware. The kit's scripting supports registry and file manipulation and even the execution of arbitrary programs. Due to bugs in its code, however, the worm may not run properly.

It propagates via the peer-to-peer file-sharing network Kazaa and requires that the folder C:\Windows exist before it runs. As a result, it may not run on Windows NT and 2000, since typical installations of those platforms do not have that folder (their system folder is C:\WINNT by default).

Note, however, that this worm can run on any Windows 95, 98, ME, NT, 2000, or XP machine on which the folder C:\Windows does exist.

This worm displays one of the following messages, depending on the outcome of its routines:

Erreur Rntime

W.66.France Virus

Note that TrendLabs does not consider game construction programs malicious per se and does not detect them as such. Certain of their features, however, can be put to malicious use.


Description created: Aug. 8, 2003 5:12:34 PM GMT -0800
Description updated: Aug. 8, 2003 5:42:42 PM GMT -0800


TECHNICAL DETAILS


Size of malware: 1,274,037 Bytes

Initial samples received on: Aug 8, 2003

Payload 1: Displays Message

Details:

Exploit

This worm is a proof-of-concept malicious program. It demonstrates how a game construction kit program, such as Game Maker, can be utilized maliciously.

A game construction kit is capable of producing 2D computer games that run on Windows. It supports functions (scripts) that execute when an event is triggered. Some of these functions allow a malicious game programmer to:

  • Manipulate the system registry and files and folders in the affected system.
  • Execute any program in the system.

The kit also lets the programmer compile the result into a Win32 executable (.EXE) file.

TrendLabs would like to emphasize that it does not consider the game construction program itself malicious and does not detect it as such. Its features and capabilities, however, can be used maliciously.

Arrival and Installation

This worm arrives as a file downloaded via Kazaa.

When executed, this worm checks for the presence of the folder C:\Windows and then attempts to drop a copy of itself into that folder as microsoftscanreg.exe.

If it successfully drops the copy, this worm plays a MIDI audio tune and then displays the following message:

Erreur Rntime

It displays this message if it encounters an error:

W.66.France Virus

This worm adds the following registry entry so that it executes every time Windows starts:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Scanreg = "C:\Windows\microsoftscanreg.exe"

Kazaa Propagation

This worm creates the following subfolder under C:\Windows:

    \scanregfile\kazaa\My Shared Folder

It then drops copies of itself into the newly created folder under the following file names:

  • Age Of Mythology FR CRACK.exe
  • Alcatraz Fr Crack.exe
  • Allopass + audiotel Keygen 2003.exe
  • Arx Fatalis FR CRACK.exe
  • Battlefield 1942 FR Crack.exe
  • Clone CD 5 keygen.exe
  • Delphi 5 fr crack keygen.exe
  • Delphi 6 fr crack keygen.exe
  • Delphi 7 fr crack keygen.exe
  • Dreamweaver MX keygen + crack by orran.exe
  • Fire-Works MX keygen + crack by orran.exe
  • Flash MX keygen + crack by orran.exe
  • Madden NFL 2003 FR CRACK.exe
  • Mafia Fr Nocd.exe
  • Medieval Total War Fr Crack.exe
  • Mega-Serial Microsoft Macromedia Borland Photoshop.exe
  • Nero FR 5.6 keygen + crack.exe
  • No One Lives Forever 2 FR CRACK.exe
  • Office XP fr Activation crack keygen.exe
  • Photoshop FR 7 keygen + crack by orran.exe
  • Sim City 4 FR Crack by zorio.exe
  • Unreal 2003 Fr Nocd.exe
  • Visual Basic fr 6.00 crack keygen.exe
  • Visual fr c++ crack keygen.exe
  • Visual.net fr Activation keygen crack.exe
  • Winace fr 4 keygen crack.exe
  • Windows XP Activation fr home Pro keygen 2003.exe
  • Windows XP fr home et pro SP1 crack.exe
  • Winrar fr 3.X keygen.exe
  • Winzip fr 8.X keygen crack.exe

It shares the created folder in Kazaa, making the dropped copies available for download by other Kazaa users, by creating or modifying the following registry entry:

HKEY_CURRENT_USER\Software\Kazaa\LocalContent
DownloadDir = "C:\Windows\scanregfile\kazaa\My Shared Folder"

Note that the same entry is also written under the key HKEY_USERS\.DEFAULT.
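The artefacts from the Arrival and Installation and Kazaa Propagation sections can be checked offline from a registry export and a directory listing. The script below is an added example, not Trend Micro code: it parses the text of a Windows .reg export (Regedit's File > Export, or reg export on 2000/XP), looks for the Run value and the redirected Kazaa DownloadDir, and matches file names against the lure list above (with the literal "+" that the page's "c%20%20" rendering encodes). The registry text and file listing embedded at the bottom are constructed samples.

```python
"""Offline indicator check for WORM_FRANRIV.A.

Added example (not Trend Micro code). Parses the text of a Windows .reg
export and a listing of the Kazaa share directory, and reports which of
the artefacts from the description above are present. reg.exe writes
exports as UTF-16: read them with encoding="utf-16" before passing the
text in. The sample data at the bottom is constructed, not from a host.
"""
import re

# Indicators quoted from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Microsoft Scanreg"
DROPPED_COPY = r"C:\Windows\microsoftscanreg.exe"
KAZAA_KEYS = (
    r"HKEY_CURRENT_USER\Software\Kazaa\LocalContent",
    r"HKEY_USERS\.DEFAULT\Software\Kazaa\LocalContent",
)
SHARE_DIR = r"C:\Windows\scanregfile\kazaa\My Shared Folder"
# File names the worm drops into the share, as listed above (lower-cased).
LURE_NAMES = {
    "age of mythology fr crack.exe", "alcatraz fr crack.exe",
    "allopass + audiotel keygen 2003.exe", "arx fatalis fr crack.exe",
    "battlefield 1942 fr crack.exe", "clone cd 5 keygen.exe",
    "delphi 5 fr crack keygen.exe", "delphi 6 fr crack keygen.exe",
    "delphi 7 fr crack keygen.exe", "dreamweaver mx keygen + crack by orran.exe",
    "fire-works mx keygen + crack by orran.exe", "flash mx keygen + crack by orran.exe",
    "madden nfl 2003 fr crack.exe", "mafia fr nocd.exe",
    "medieval total war fr crack.exe",
    "mega-serial microsoft macromedia borland photoshop.exe",
    "nero fr 5.6 keygen + crack.exe", "no one lives forever 2 fr crack.exe",
    "office xp fr activation crack keygen.exe",
    "photoshop fr 7 keygen + crack by orran.exe", "sim city 4 fr crack by zorio.exe",
    "unreal 2003 fr nocd.exe", "visual basic fr 6.00 crack keygen.exe",
    "visual fr c++ crack keygen.exe", "visual.net fr activation keygen crack.exe",
    "winace fr 4 keygen crack.exe",
    "windows xp activation fr home pro keygen 2003.exe",
    "windows xp fr home et pro sp1 crack.exe", "winrar fr 3.x keygen.exe",
    "winzip fr 8.x keygen crack.exe",
}

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_SZ_LINE = re.compile(r'^"([^"]+)"="(.*)"$')   # REG_SZ values only


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a
    .reg export. Export files double backslashes and escape quotes."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _SZ_LINE.match(line)
        if m and current is not None:
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1)] = data
    return keys


def check_registry(reg_text):
    """Findings for the autostart value and the redirected Kazaa share.
    Key and value names compare case-insensitively, as the registry does."""
    findings = []
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE.lower() or data.lower().endswith("microsoftscanreg.exe"):
            findings.append(f"autostart: {RUN_KEY}\\{name} = {data}")
    for key in KAZAA_KEYS:
        values = keys.get(key.lower(), {})
        data = next((d for n, d in values.items() if n.lower() == "downloaddir"), "")
        if "scanregfile" in data.lower():
            findings.append(f"share redirected: {key}\\DownloadDir = {data}")
    return findings


def check_share_listing(filenames):
    """Files whose names match the worm's lure names. A name match is only
    a lead: hash or scan each hit, since a real keygen could share the name."""
    return [f for f in filenames if f.lower() in LURE_NAMES]


# Constructed sample data (not from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Scanreg"="C:\\Windows\\microsoftscanreg.exe"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"DownloadDir"="C:\\Windows\\scanregfile\\kazaa\\My Shared Folder"
"""
SAMPLE_LISTING = ["Age Of Mythology FR CRACK.exe", "holiday.jpg",
                  "Winrar fr 3.X keygen.exe"]

if __name__ == "__main__":
    for hit in check_registry(SAMPLE_REG) + check_share_listing(SAMPLE_LISTING):
        print(hit)
```

On a live 2000/XP host the inputs come from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (plus the two Kazaa keys) and `dir /b` of the share folder; on 9x/ME, Regedit's export produces the same text format. The parser deliberately handles only REG_SZ values, which is all the indicators on this page use; a DownloadDir that still points at the scanregfile path after cleanup means the Kazaa share was not reset.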

Other Details

The worm contains bugs that may prevent it from running as intended.




Analysis by: Rex Plantado


SOLUTION


Minimum scan engine version needed: 6.150

Pattern file needed: 601

Pattern release date: Aug 8, 2003


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

Terminating the Malware Program

This procedure terminates the running malware process from memory.

  1. Open Windows Task Manager.
    On Windows 9x/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, and click the Processes tab.
  2. In the list of running programs, locate the process:
    microsoftscanreg.exe
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Microsoft Scanreg = "C:\Windows\microsoftscanreg.exe"
  4. Close Registry Editor.

Disabling Kazaa Shared Folders

Disable the Kazaa shared folders to prevent this worm from propagating.

  1. Open your Kazaa application.
  2. On the menu bar, go to the Tools>Options.
  3. Disable shared Kazaa folders under the Traffic tab.

NOTE: This procedure may change depending on the latest Kazaa updates. Refer to Kazaa documentation for applicable instructions.

Deleting a Malware Folder

  1. Right-click Start then click Search... or Find..., depending on your version of Windows.
  2. In the Named input box, type:
    scanregfile
  3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.
  4. Once located, select the folder then press Delete.


Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_FRANRIV.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

