Home / malwarePDF  

Win32.Aliz.B@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Aliz.B@mm is also known as none.

Explanation :

This is a version of Win32.Aliz.A@mm with very few changes. The code of the virus is identical with the first variant, changes appear to be only in the values of imported functions (irrelevant values because the system will modify them according to requested functions) and a modified marker value. These changes were made probably in the attempt to fool anti-virus products to not detect the virus.

This is an internet worm virus who spreads trough e-mail using the Outlook Express address book and settings.
The worm is compressed with an anti tracing algorithm.

It comes in the following format:

Subject:
A random phrase composed by the following words:

Fw:, Fw: Re:, Cool, Nice, Hot, some, Funny, weird, funky, great, Interesting, many, website, site, pics, urls, pictures, stuff, mp3, shit, music, info, to check, for you, i found, tosee here - check it...!!.!.:-).?!.hehe ;-).

These are some samples of generated subjects:


Fw: Funny mp3s for you hehe ;-)
Hot stuff i found !
Fw: Re: many urls ?!
Fw: info to see ?!
many site for you
great urls i found


Body:

Peace



Attachment:
Whatever.exe

In normal conditions the attachment is automatically executed in the moment of clicking on e-mail so if the conditions are optimal the virus can spread very fast, using the MIME exploit allowing the virus to be executed just by reading or previewing the file. Information and a patch for this exploit can be found at :
Microsoft Security Bulletin (MS01-020).

The virus searches for Outlook Express Address book and it look for e-mail addresses. If it contains any e-mail addresses it will try to read the account 00000001 from the Internet account manager registry key, and it takes all the info needed for sending mails through user SMTP account. If the account 00000001 is empty then it fails.

After taking all the info needed it will send itself to all the e-mail addresses found. The worm does not install itself on the user hard drive, it will just send the infected e-mails and stop.

After decryption it contains the following text:


[iworm.alizee by mar00n!ikx2oo1:::..while typing this text i realize this text got added onmany av.description sites, because thissilly worm could be easily a.hype. i wonder which av claims '[companyname] stopped highrisk.worm before it could escape!' r shit likethat. heh, or they.boycot my virus because of this text. well, it is easy enough.for the poor av's to add this worm; since it was only released.as source in coderz#2... btw, loveletter*2 power in pure win32asm.and only a 4kexe file. heh, vbs iddies, phear win32asm. :).thx to: bumblebee!29a, asmodeus!ikx. greets to: starzer0!ikx,.t-2000!ir,ultras!mtx & sweet gigabyte....btw,burgemeestervan sneek: ik zoek og een baantje]

Note:
The virus spreads even if the user doesn't use Outlook Express anymore. If the user has contacts in Outlook Express Address Book and uses other e-mail clients the virus will spread anyway because it will have e-mail addresses in the old address book.

Last update 21 November 2011

 

TOP