Upon execution, this worm spawns several copies of itself in memory. Each process then creates six threads, each thread performing a distinct function, which is one of the following:
Dropping/Creating of files
Fixed and Remote drive enumeration
The worm first decodes its data in memory. This includes the mail headers, subjects, bogus email addresses, and other strings. It then creates a copy of itself in the Windows system directory as KRN132.EXE with the hidden attribute.
On Windows NT/2000 systems, the worm creates a system service and registers it as a service control dispatcher. In this way the service control manager always calls the worm service upon Windows startup.
Antivirus Termination Routine:
It then proceeds to check the process list and terminates all antivirus processes whose names match any of the following patterns:
For each process, the worm sleeps for 100ms. Thereafter, it creates a registry entry as follows so that it executes upon system startup:
Windows\CurrentVersion\Run Krn132 = %systemdir%\Krn132.exe
%systemdir% refers to the infected user's Windows System directory. Usual values are C:\Windows\System and C:\Winnt\System32.
Dropping/Creating of files:
The worm generates a random name via GetTempFileNameA and appends it to the temp path. It then extracts and drops the Win32 file infector into the Windows System directory as WQK.EXE with the hidden attribute. This virus component is executed as a separate process. It creates a registry entry so that it automatically executes at startup:
Windows\CurrentVersion\Run wqk = %systemdir%\wqk.exe
The worm is capable of spreading via shared drives/folders with read/write access. To accomplish this, it enumerates all the shared resources of an infected system. For each entry, it copies itself to files with randomly generated filenames.
It notes all JPG, MPEG, MPG, HTML, CPP, XLS, BMP, DOC, HTM, and TXT files that it finds on an infected system. When it finds a folder with read/write access, it drops a copy of itself under one of the noted filenames with an .EXE extension appended, producing a file with a double extension. It repeats this action every 8 hours. It also creates another service named "KernelSvc".
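The double-extension drops described above can be hunted for on a share from the defender's side. The following is an added example, not code from the original write-up: it walks a folder tree, flags any file whose name is one of the noted document extensions followed by .EXE, and notes whether the size matches the 57,345-byte figure given for the mailed copy. The sample share it builds is constructed for demonstration and contains no real worm data; the hidden attribute is not inspected because it is Windows-specific.

```python
import os
import tempfile
from pathlib import Path

# Document extensions the worm records and reuses for its dropped copies (from the write-up).
NOTED_EXTENSIONS = {".jpg", ".mpeg", ".mpg", ".html", ".cpp", ".xls", ".bmp", ".doc", ".htm", ".txt"}
# Size of the mailed worm attachment given in the write-up; used only as a secondary indicator.
WORM_ATTACHMENT_SIZE = 57345


def is_double_extension_exe(name: str) -> bool:
    """True for names like 'report.doc.exe': a noted document extension followed by .exe."""
    stem, outer = os.path.splitext(name)
    if outer.lower() != ".exe":
        return False
    inner = os.path.splitext(stem)[1].lower()
    return inner in NOTED_EXTENSIONS


def scan_share(root: str) -> list:
    """Walk a shared folder and report double-extension executables.

    Each hit records the path relative to the share root and whether the file
    size matches the 57,345-byte figure from the write-up.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_double_extension_exe(name):
                continue
            full = os.path.join(dirpath, name)
            hits.append({
                "path": os.path.relpath(full, root),
                "size_matches": os.path.getsize(full) == WORM_ATTACHMENT_SIZE,
            })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_share() -> str:
    """Create a constructed sample share (assumed layout, not real worm data)."""
    root = tempfile.mkdtemp(prefix="share_")
    Path(root, "docs").mkdir()
    Path(root, "docs", "budget.xls").write_bytes(b"legitimate spreadsheet")
    Path(root, "docs", "budget.xls.exe").write_bytes(b"\x00" * WORM_ATTACHMENT_SIZE)
    Path(root, "setup.exe").write_bytes(b"ordinary installer")
    Path(root, "notes.txt.EXE").write_bytes(b"short")
    return root


if __name__ == "__main__":
    for hit in scan_share(build_sample_share()):
        print(hit)
```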
Fixed and Remote drive enumeration:
The worm contains code that scans all mapped drives from a to z, but because of a bug in its code it fails to generate the correct next drive. Since drive a: is neither a fixed nor a remote drive, this action fails.
For each drive the worm sleeps for 10 seconds.
To propagate copies of itself, it sends an email containing its executable program. It takes its recipients from the entries of the default Windows Address Book (WAB). It retrieves the filename of the WAB file from the following registry entry:
WAB\WAB4\Wab File Name = "<pathname of WAB file>"
It then constructs the HTML mail, which contains the base64 encoded worm copy. It randomly generates the filename of the attachment. It connects to port 25 of any of the following predetermined mail servers:
It then sends SMTP commands to create and send an email.
The email it sends may contain any of the following, but may also be blank:
How are you?
Can you help me?
We want peace
Where will you go?
Look at the pretty
Some advice on your shortcoming
Free XXX Pictures
A free hot porn site
Why don't you reply to me?
How about have dinner with me together?
Never kiss a stranger
I'm sorry to do so,but it's helpless to say sorry.
I want a good job,I must support my parents.
Now you have seen my technical capabilities.
How much my year-salary now? NO more than $5,500.
What do you think of this fact?
Don't call my names,I have no hostility.
Can you help me?
Attachment: <Random filename with .EXE extension, size of the file is 57,345 bytes>
When the system date is the 13th of an odd month (January, March, May, July, September, November), the worm attempts to execute its destructive payload: for all fixed and remote drives, it overwrites every file with zeros. However, this routine has the same bug in generating the drives and therefore fails to perform the task. The size of the original file does not vary.
For each drive the worm sleeps for 30 minutes.
The worm exploits a vulnerability that allows an executable attachment to run even in the MS Outlook preview pane. More information about this vulnerability is available in the Microsoft Security Bulletin, and a security update is available at Microsoft's Security Update.