Arrival and Installation
This destructive, memory-resident worm usually arrives as a PECompact-compressed file. Upon execution, it drops the following files in the default Windows folder and then deletes the originally executed file:
This worm modifies the Windows configuration file WIN.INI to mark its execution. It creates an [msappfont] section and, under it, adds lines beginning with "value=", "fonts=" and "styles=", whose values are based on the ASCII equivalent of the current "day" / "month" plus 30.
For instance, if the system date is December 30, it adds the following lines:
To ensure its automatic execution every system startup, this worm creates the following autorun registry entries:
(Note: %Windows% is the Windows directory, which is usually C:\Windows or C:\WINNT.)
It also modifies the [windows] section of the WIN.INI file as follows:
run = %Filename%
(Note: %Filename% is the path and file name of the running malware file.)
Like its predecessors, this variant propagates through C: drive shares with full access in the same domain. It registers itself as a service and repeatedly scans for machines connected to the network, then uses SMB (Server Message Block) to access their shared drives. To do so it exploits a known weakness, discussed in a Microsoft Security Bulletin, that allows attackers to access shared drives.
This destructive worm checks whether the current date falls between December 24 and December 31, or whether the year is later than 2002. It also reads its WIN.INI execution markers to determine whether at least two days have passed since its last execution. When these conditions hold, the worm carries out the following routines:
- It creates the file C:\Msdos.sys, overwriting the original Msdos.sys.
- It modifies the critical configuration file C:\Autoexec.bat so that it contains a command to execute MSLICENF.COM, a file containing code that infects the boot sector of the system.
- It creates C:\Boot.ini, which contains bootloader settings.
- It also creates C:\Bootsect.dos, which contains an infected boot sector image.
- It uses a dropped file, C:\Boot.exe, to restart the infected system.
When the system is restarted by the dropped file BOOT.EXE under the conditions described above, the following takes place, depending on the operating system:
- On Windows 95 or 98, the system executes MSLICENF.COM in DOS mode, as directed by the modified AUTOEXEC.BAT.
- On Windows ME, which normally does not allow booting into real DOS mode, the worm first enables real DOS mode by patching C:\IO.Sys, C:\Command.Com, and C:\Windows\System\Regenv32.exe.
When this worm executes BOOT.EXE, it also carries out the following destructive routines:
- It overwrites the boot sector of the infected system.
- It destroys the CMOS settings.
- It deletes files from the hard drive.
Upon system restart, it also displays a message containing the following text:
Illegal Microsoft Windows license detected!
You are in violation of the Digital Millennium Copyright Act!
Your unauthorized license has been revoked.
For more information, please call us at:
If you are outside the USA, please look up the correct contact information
on our website, at:
Business Software Alliance
Promoting a safe & legal online world.
Only one instance of this worm runs in memory at any given time. When executed as MQBKUP.EXE, it creates a mutex named "mqbkup61616"; when run as MSTASK.EXE, it creates a mutex named "mstask35263".
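The host indicators given above (the [msappfont] marker section and the run= autostart line in WIN.INI, the MSLICENF.COM command added to AUTOEXEC.BAT, the dropped boot files and the two mutex names) and the calendar part of the payload trigger can be turned into a small triage script. The following is an added example written for this page; it is not the worm's code and not a vendor tool. It parses WIN.INI and AUTOEXEC.BAT contents as text, so it can be run offline against copies pulled from a suspect machine. The file contents embedded below are constructed for the example, and the marker values in the sample [msappfont] section are placeholders rather than the worm's real encoding; the "two days since last execution" check is not modelled because the description does not give that encoding exactly.

```python
"""Offline triage for the WIN.INI / AUTOEXEC.BAT indicators described above.

Added example, not the worm's own code. Sample inputs are constructed.
"""
import datetime
import re

# Names taken from the description; useful for a live-host check with
# the Win32 API or an offline file-system scan (not done here).
MUTEX_NAMES = {"mqbkup61616", "mstask35263"}
DROPPED_FILES = {"boot.exe", "bootsect.dos", "mslicenf.com", "msdos.sys"}


def parse_ini(text):
    """Minimal WIN.INI parser: {section: {key: value}}, names lower-cased.

    Lines before any [section] go under ''. Later duplicate keys win.
    """
    sections = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def win_ini_indicators(text):
    """Indicators from WIN.INI: the [msappfont] markers and a [windows] run= entry."""
    hits = []
    ini = parse_ini(text)
    marker = ini.get("msappfont")
    if marker is not None:
        keys = {"value", "fonts", "styles"} & set(marker)
        if keys:
            hits.append("[msappfont] execution markers: " + ", ".join(sorted(keys)))
    run = ini.get("windows", {}).get("run", "")
    if run:
        # Any run= value deserves a look; the worm points it at its own file.
        hits.append("[windows] run= autostart: " + run)
    return hits


def autoexec_indicators(text):
    """Indicators from AUTOEXEC.BAT: a command that executes MSLICENF.COM."""
    hits = []
    pattern = re.compile(r"(?i)^(?:call\s+)?(?:[a-z]:\\)?mslicenf\.com\b")
    for line in text.splitlines():
        cmd = line.strip().lstrip("@").strip()  # drop the echo suppressor
        if pattern.match(cmd):
            hits.append("AUTOEXEC.BAT runs MSLICENF.COM: " + line.strip())
    return hits


def in_destructive_window(year, month, day):
    """Calendar condition for the payload: December 24-31, or any year after 2002."""
    return year > 2002 or (month == 12 and 24 <= day <= 31)


def triage(win_ini_text, autoexec_text, today=None):
    """Combine file indicators with the calendar check. today = (year, month, day)."""
    if today is None:
        d = datetime.date.today()
        today = (d.year, d.month, d.day)
    return {
        "indicators": win_ini_indicators(win_ini_text) + autoexec_indicators(autoexec_text),
        "payload_window_open": in_destructive_window(*today),
    }


# Constructed sample files (not captured from a real infection).
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\WINDOWS\\MQBKUP.EXE\n"
    "[msappfont]\n"
    "value=Q\n"      # placeholder marker values
    "fonts=Q\n"
    "styles=Q\n"
)
SAMPLE_AUTOEXEC = (
    "@ECHO OFF\n"
    "SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n"
    "@C:\\MSLICENF.COM\n"
)

if __name__ == "__main__":
    report = triage(SAMPLE_WIN_INI, SAMPLE_AUTOEXEC, today=(2002, 12, 25))
    for hit in report["indicators"]:
        print("HIT:", hit)
    print("payload window open:", report["payload_window_open"])
```

The [windows] run= line is reported whenever it is non-empty rather than only when it names a known file, because the worm writes its own path there and a non-empty run= in WIN.INI is rare enough on a clean Win9x box to warrant inspection. The calendar check is worth keeping in mind when handling an infected machine: after 2002 the year condition is always true, so the destructive routine is gated only by the two-day marker check.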