
Win32.Cervivec.A@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Cervivec.A@mm is also known as N/A.

Explanation:

This virus spreads by e-mail, sending itself to e-mail addresses harvested from the user's ICQ contact list (ICQ is a popular instant messenger). It was written in Borland Delphi and the executable was compressed with the UPX executable packer.

It arrives as an attachment (worms.zip) to an e-mail message with the Subject/Body fields selected from the following choices:

Subject: Chiste
Body: Hola te mando los gusanilloes. Pues mirarlos (no es un virus)
(Spanish: "Hi, I'm sending you the little worms. Have a look at them (it's not a virus)")

Subject: Zart
Body: Czesc, mam swietnz dowcip - robaka. Obejrzyj go sobie (to nie jest wirus)
(Polish: "Hi, I have a great joke - a worm. Have a look at it (it's not a virus)")

Subject: Joke
Body: Hi, I have some cool joke - worms so have a look at it (no virus)

Subject: £æÉëP
Body: "ÅòüàÉ, ß ïàîÜ àƒÉ¥ ÄÅòëìè¥îPÜ £ÉæéëP üÅìäà éàÅüÜëP (ÖÉì îà üòÅæƒ)
(Mis-encoded Cyrillic in the source. The glyph-to-letter mapping is consistent across every word with Russian "Шутка" / "Привет, у меня есть прикольная штучка вроде червяка (это не вирус)", i.e. "Joke" / "Hi, I have a cool little thing like a worm (it's not a virus)"; treat this reading as a reconstruction, and match the garbled bytes verbatim if you build a signature from it.)

Subject: blague
Body: J'ai une bonne blague ca s'appelle verre de terre alors jette un coup d'oeil (il n'y a pas de virus)
(French: "I have a good joke, it's called earthworm, so take a look (there's no virus)")

Subject: Witz
Body: Hallo, Ich habe ein guter Witz-Wurm so sieh! (kein virus)
(German: "Hello, I have a good joke worm, so look! (no virus)")

Subject: Vtip or Cervici
Body: Cau posielam ti cerviky tak sa na to pozri (virus to neni)
(Slovak: "Hi, I'm sending you little worms, so have a look (it's not a virus)")

Subject: Vtip or Cervici
Body: Cau posilam ti cerviky tak se na to podivej (virus to neni)
(Czech: "Hi, I'm sending you little worms, so have a look (it's not a virus)")
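The lure above is a fixed set of Subject lines, a body that always ends in a "this is not a virus" reassurance, and a worms.zip attachment, which is enough to write a mail-gateway check. The following is an added example, not code from the BitDefender write-up: it parses a raw message, tests the three features, and only raises a verdict when the attachment name is present together with a subject or body match, since "Joke" alone is a common subject. The sender and recipient addresses and the message samples in main() are constructed for the example; the subject and body strings come from the list above. The mis-encoded Cyrillic subject is left out of the subject set rather than guessed.

```python
# Added example (not part of the BitDefender write-up): flag e-mails that match
# the Cervivec lure - a listed Subject line, a "not a virus" reassurance in the
# body, and a worms.zip attachment.  Messages built in main() are constructed.
import email
from email import policy
from email.message import EmailMessage

# Subject lines from the write-up, compared case-insensitively.  The Cyrillic
# subject is mis-encoded in the source and is deliberately not included.
LURE_SUBJECTS = {"chiste", "zart", "joke", "blague", "witz", "vtip", "cervici"}
# The closing reassurance that every listed body carries, per language.
NOT_A_VIRUS = ("no es un virus", "to nie jest wirus", "no virus",
               "pas de virus", "kein virus", "virus to neni")
ATTACHMENT_NAME = "worms.zip"


def score_message(raw: bytes) -> dict:
    """Return which lure features a raw RFC 822 message shows, plus a verdict.

    The attachment name is required for a hit: a matching subject or body on
    its own is a weak signal, so it only raises the verdict when worms.zip is
    also attached.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content().lower() if body_part is not None else ""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]

    hits = {
        "subject": subject in LURE_SUBJECTS,
        "body": any(phrase in text for phrase in NOT_A_VIRUS),
        "attachment": ATTACHMENT_NAME in names,
    }
    hits["verdict"] = ("cervivec-lure"
                       if hits["attachment"] and (hits["subject"] or hits["body"])
                       else "clean")
    return hits


def build_sample(subject: str, body: str, attach_name: str = "") -> bytes:
    """Construct a test message (addresses are made up for the example)."""
    m = EmailMessage()
    m["From"] = "friend@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attach_name:
        # A ZIP local-file-header signature plus filler stands in for the archive.
        m.add_attachment(b"PK\x03\x04" + b"\x00" * 16,
                         maintype="application", subtype="zip",
                         filename=attach_name)
    return m.as_bytes()


if __name__ == "__main__":
    samples = {
        "lure":   build_sample("Joke", "Hi, I have some cool joke - worms so have a look at it (no virus)", "worms.zip"),
        "czech":  build_sample("Vtip", "Cau posilam ti cerviky tak se na to podivej (virus to neni)", "worms.zip"),
        "benign": build_sample("Joke", "Lunch on Friday?", "agenda.zip"),
    }
    for label, raw in samples.items():
        print(label, score_message(raw))
```

The body phrases are matched as substrings after lowercasing, so diacritic-free variants like "Czesc" in the write-up match as written; if you feed real mail, normalise Unicode first or the Polish and Czech lures typed with diacritics will slip past the body check (the attachment check still fires).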

When run, the attached executable copies itself to the Windows System32 folder twice, as ntkrnl.exe and as worms.exe, and creates a ZIP archive, worms.zip, in the same folder containing the dropped worms.exe copy of the virus.

The ntkrnl.exe copy is registered to run at each Windows start-up through a value pointing at it, added under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
At start-up the virus is launched with the command-line argument LOADDRIVERS=TRUE (the switch prefix character is not legible in the source), which selects "silent" execution: no message box and no payload.

The worms.exe file is used to generate the worms.zip archive attached to the e-mail messages the virus creates. The messages are sent to the e-mail addresses of the user's contacts, found by scanning the ICQ database (.dat and .idx files in the ICQ installation folder and its 2001b, 2001a, 2000b and 2000a subfolders). The addresses, together with the associated messages, are written to a temporary file named ntoskrnl.dat (a near-lookalike of the legitimate kernel image name, ntoskrnl.exe, and worth distinguishing from it during triage).
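The installation steps above leave a small, fixed set of host artifacts: the three copies in System32, a Run value under HKCU that launches ntkrnl.exe, and the ntoskrnl.dat spool file. The following is an added example, not code from the write-up, that checks for them. inspect() is a pure function over directory listings and Run values so it can be exercised anywhere; collect_live() gathers the real inputs on a Windows host. The listings in main() are constructed to look like an infected machine; the "/" prefix on the start-up argument in that sample is an assumption (the prefix is not legible in the source), and checking both System32 and %TEMP% for the spool file is also an assumption, since the write-up only says "temporary file".

```python
# Added example (not from the write-up): host triage check for the artifacts
# described above - ntkrnl.exe, worms.exe and worms.zip in System32, an HKCU
# Run value launching ntkrnl.exe, and the ntoskrnl.dat address spool.
# inspect() is pure; collect_live() gathers real inputs on Windows only.
# Listings in main() are constructed; the "/" switch prefix is an assumption.
import os

DROPPED_FILES = {"ntkrnl.exe", "worms.exe", "worms.zip"}  # copies in System32
PERSIST_EXE = "ntkrnl.exe"                                # launched from HKCU Run
SILENT_ARG = "loaddrivers=true"                           # silent start-up mode
SPOOL_FILE = "ntoskrnl.dat"    # harvested addresses; not the kernel image ntoskrnl.exe
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def inspect(system32_listing, run_values, temp_listing):
    """Match the write-up's artifacts against directory listings and Run values.

    system32_listing / temp_listing: iterables of bare file names.
    run_values: dict mapping Run value name -> command line.
    Returns a list of human-readable findings; an empty list means no match.
    """
    findings = []
    sys32 = {name.lower() for name in system32_listing}
    temp = {name.lower() for name in temp_listing}

    for name in sorted(DROPPED_FILES & sys32):
        findings.append(f"dropped file in System32: {name}")

    for value_name, command in run_values.items():
        cmd = command.lower()
        if PERSIST_EXE in cmd:
            silent = " with the silent start-up argument" if SILENT_ARG in cmd else ""
            findings.append(f"HKCU Run value {value_name!r} launches {PERSIST_EXE}{silent}")

    # Assumption: the write-up only says "temporary file", so both locations are checked.
    if SPOOL_FILE in sys32 or SPOOL_FILE in temp:
        findings.append(f"address spool file present: {SPOOL_FILE}")
    return findings


def collect_live():
    """Gather the real inputs on a Windows host (winreg is Windows-only)."""
    import tempfile
    import winreg
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:        # raised once the index runs past the last value
                break
            run_values[name] = str(data)
            index += 1
    return os.listdir(system32), run_values, os.listdir(tempfile.gettempdir())


if __name__ == "__main__":
    if os.name == "nt":
        sys32, runs, temp = collect_live()
    else:  # constructed listings standing in for an infected host
        sys32 = ["kernel32.dll", "ntoskrnl.exe", "ntkrnl.exe", "worms.exe", "worms.zip"]
        runs = {"ntkrnl": r"C:\WINDOWS\System32\ntkrnl.exe /LOADDRIVERS=TRUE",
                "ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe"}
        temp = ["ntoskrnl.dat", "~DF1234.tmp"]
    for line in inspect(sys32, runs, temp):
        print(line)
```

A Run value that names ntkrnl.exe is the durable indicator: the animation disappears on reboot, but the Run value keeps launching the silent copy, so a clean-up that only deletes the visible files and leaves the value behind will fail the next time the copy is restored.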

Before activating its payload, the virus displays a message box and waits for the user to click "OK".



The payload is non-destructive: an animation of colourful lines crawling across the Windows desktop. Restarting Windows clears the animation, but not the infection, since the Run value still launches ntkrnl.exe silently at the next start-up.

Last update 21 November 2011