I-Worm.Cholera
--------------------------------------------------------------------------------
This is a worm virus that spreads via the Internet and
local networks. It arrives as a file named "SETUP.EXE" attached
to an email message with the subject "Ok..."; the message
body contains just a "smiley":
:-)
The attached file itself is a Microsoft C++ executable
about 40Kb in length. Most of the file is occupied by C++
run-time libraries and data; only about 7Kb of code is "pure"
worm code.
The worm got its name from the text string in its
code:
CH0LERA -
Bacterium BioCoded by GriYo / 29A
This string, as well as the worm's other data, is encrypted
in the worm's body.
Installing into the system
When the worm is executed for the first time (being run
from the infected attachment), it gets its module name and installs itself into the
Windows directory under the name RPCSRV.EXE. To force Windows to run this file
on the next reboot the worm writes an additional "Run=" instruction to the
WIN.INI file in the Windows directory (under Win9x), or modifies the corresponding
key in the system registry (under WinNT).
To locate the Windows directory the worm does not call
the corresponding Windows functions, but scans all available local drives, looks
for the subdirectory names \WINDOWS, \WIN95, \WIN98, \WIN, \WINNT, and then looks for
a WIN.INI file in each such directory. If that file is found, the worm installs itself
into the directory.
As a result the worm may create several copies of itself on
the same computer and affect all Windows installations on it. If a
multiboot loader is installed and several different Windows versions are
present, this trick allows the virus to activate on startup of any of those Windows copies.
To hide its activity the worm displays the fake message:
Cannot Open File. It Dosent
Appear to be a Valid Archive
If you Downloaded this file, please try Downloading it again.
Further spreading
On the next Windows startup the worm copy is activated by
the Run command in the WIN.INI file. It takes control and registers itself in
Windows memory as a hidden application (an invisible service), which also allows the
worm to stay active when a user logs off. The worm then runs two more
routines in addition to the installation one. The first of these new routines
spreads the worm through the local network; the second sends infected email
messages. The installation routine is also active, so the worm is able to
infect a new Windows copy if one appears on the computer. All the routines
run as threads of the main process, so they do their work in parallel.
The first of the new routines spreads the worm copy through
the network. It enumerates all network drives, scans them for Windows
directories, copies the worm's RPCSRV.EXE file there and registers it in the
WIN.INI file in the same remote directory. As a result, on the next reboot the
worm on the remote computer will be activated and will spread itself further.
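A defender's check for the persistence described in the installation section and in the network-spreading paragraph above, added here as an example and not part of the original description: it parses a WIN.INI (a constructed sample) for a "run=" line that refers to RPCSRV.EXE, and flags file paths matching the worm's drop location (RPCSRV.EXE inside one of the directory names the worm probes). Function names and the sample content are my own.

```python
import re

# Constructed sample WIN.INI content, as a Win9x host would look after the
# worm appends its "run=" line to the [windows] section.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\RPCSRV.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""

WORM_FILE = "RPCSRV.EXE"
# Directory names the worm probes on every drive, per the description.
WINDOWS_DIR_NAMES = {"WINDOWS", "WIN95", "WIN98", "WIN", "WINNT"}


def suspicious_run_entries(win_ini_text):
    """Return the values of run= lines in the [windows] section that
    reference the worm's dropped file name (hypothetical helper)."""
    section = None
    hits = []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows":
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "run" and WORM_FILE.lower() in value.lower():
            hits.append(value.strip())
    return hits


def worm_drop_locations(paths):
    """Given file paths found on local or network drives (e.g. from os.walk),
    return those matching the drop pattern: RPCSRV.EXE directly inside a
    directory with one of the names the worm searches for."""
    found = []
    for p in paths:
        parts = [s for s in re.split(r"[\\/]", p) if s]
        if (len(parts) >= 2 and parts[-1].upper() == WORM_FILE
                and parts[-2].upper() in WINDOWS_DIR_NAMES):
            found.append(p)
    return found
```

On a live host the same two functions would be fed the real WIN.INI text and a directory walk of each local and mapped drive, which covers both the local installation and the copies the network routine plants on remote Windows directories.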
The second routine sends infected messages to
Internet addresses. To send its copy the worm uses the SMTP protocol over a
direct connection, so its spreading does not depend on
the type of email application used on the system.
Once every six seconds this routine enumerates all active
program windows and looks for Internet applications: Outlook, Cuteftp, Internet
Explo, Telnet, Mirc. If any of these applications is active, the worm takes it to mean that the
computer is connected to the Internet (this check is needed because of the direct SMTP
connection the worm uses).
The worm then gets the SMTP server address and the user's email
address from system registry keys, builds a new message, attaches its copy under the
name SETUP.EXE and sends it.
The Internet addresses to which the worm sends its copies
are collected from files on disk in the Windows directory and its subdirectories. The
worm scans all files there, looks for those with the extensions .HTM, .TXT,
.EML, .DBX, .MBX, .NCH, .IDX, then reads these files and extracts
email-address-like strings from them. On each sending the worm sends itself
to no more than ten addresses.