Installation and Autostart Technique
Upon execution, this memory-resident worm displays a graphical window of an animated progress bar:
Simultaneously, it drops a copy of itself as iLLeGaL.exe in the Windows system folder and then creates this autorun registry entry to enable its automatic execution every Windows startup:
"iLLeGaL" = %System%\Mplayer.exe
(%System% refers to the Windows system directory, usually C:\Windows\System or C:\WinNT\System32.)
Aside from the autorun entry, the worm also adds this registry entry, which automatically increments whenever it is executed:
HKEY_LOCAL_MACHINE "iLLeGal" = 1
This worm then drops the file MPLAYER.EXE (13,824 bytes) in the Windows system folder and sets its hidden, read-only, and system attributes. It then executes this file, which installs itself in memory. This file contains the mass-mailing routine of the worm.
Note: The dropped MPLAYER.EXE file is entirely different from the legitimate Windows file, which is also named MPLAYER.EXE. The legitimate file is found in the Windows folder and is not hidden like the dropped worm file. File size and attributes should be properly checked when deleting this file.
It also drops these non-malicious files in the Windows System folder:
- SMTP.OCX (25,737 Bytes)
- MMAILS.DLL (varies in size)
SMTP.OCX is an ActiveX control library file that this malware uses for its mailing routine. The worm uses the MMAILS.DLL file to store the email addresses of its target recipients, which it gathers by searching HTM and HTML files on the infected system for the string "mailto:".
After dropping the above-mentioned files, it displays another message box:
Then, it displays another graphical window:
This worm spreads by mass-mailing copies of itself to the email addresses it retrieves from HTM and HTML files on the infected machine. It carries out its mailing routine either with its own SMTP engine or through Microsoft Outlook, using MAPI (the Messaging Application Programming Interface).
It sends out an email message:
Note: The message body begins with text strings that resemble a forwarded email message from a Yahoo user.
Approximately 15 minutes after this worm has executed, it overwrites all files in all folders of writable drives with the following text strings:
1-No PeaCe WithOut WaR
>> TT TT >>> 11>>>OoO>>9\Om
>> TiiT >>> YX >>OOo>>11\Om
>> OXBYL -> Haw >> ()()9.9.12MP
2- Made By ZaCker
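Because the routine above replaces file contents rather than deleting files, affected files keep their names and timestamps and are only recognisable by their content; they cannot be disinfected and must be restored from backup. The scanner below, added here as an example and not code from the original description, walks a directory tree and lists files whose content is the payload text. It keys on the first and last quoted lines plus a small size bound; the bound of 512 bytes is an assumption (the quoted payload is far shorter), and the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile

# Marker lines quoted in the description above
PAYLOAD_FIRST_LINE = b"1-No PeaCe WithOut WaR"
PAYLOAD_LAST_LINE = b"2- Made By ZaCker"
# Assumption: an overwritten file holds only the short payload text, so it is tiny
PAYLOAD_MAX_LEN = 512

# The full payload text, reconstructed from the five quoted lines (CRLF line endings assumed)
PAYLOAD_TEXT = b"\r\n".join([
    PAYLOAD_FIRST_LINE,
    b">> TT TT >>> 11>>>OoO>>9\\Om",
    b">> TiiT >>> YX >>OOo>>11\\Om",
    b">> OXBYL -> Haw >> ()()9.9.12MP",
    PAYLOAD_LAST_LINE,
]) + b"\r\n"


def is_overwritten_by_payload(data):
    """True if the bytes read from a file are the worm's payload text, not original data."""
    return (len(data) <= PAYLOAD_MAX_LEN
            and data.lstrip().startswith(PAYLOAD_FIRST_LINE)
            and PAYLOAD_LAST_LINE in data)


def scan_tree(root):
    """Walk root and return the sorted paths of files whose content is the payload text."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    # read one byte past the bound so oversized files fail the length check
                    chunk = fh.read(PAYLOAD_MAX_LEN + 1)
            except OSError:
                continue  # unreadable file; report separately if needed
            if is_overwritten_by_payload(chunk):
                hits.append(path)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: two overwritten files and one intact file under a fresh temp dir."""
    root = tempfile.mkdtemp(prefix="overwrite_demo_")
    os.makedirs(os.path.join(root, "docs"))
    for parts in (("docs", "report.doc"), ("notes.txt",)):
        with open(os.path.join(root, *parts), "wb") as fh:
            fh.write(PAYLOAD_TEXT)
    with open(os.path.join(root, "intact.txt"), "wb") as fh:
        fh.write(b"quarterly figures, untouched by the payload\r\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path in scan_tree(sample_root):
        print("overwritten:", path)
```

Run `scan_tree` against each writable drive root on a suspect machine to produce the restore list; the size bound keeps a document that merely quotes the payload strings (for example an incident report) from being flagged, and the first-line/last-line pair avoids false positives on files that happen to begin with "1-".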
It also displays a message box containing these text strings:
"No Peace Without war,i hate war but im forced to love it,Hidden Power's gonna b there wherever u r"
This worm is also designed to delete all files in the drives D, E, F, and G if the value of this registry entry equals 5:
The worm, however, fails to carry out this deletion routine.
This worm is written in Visual Basic, a high-level programming language, and is compressed using the UPX compression utility.