Win32.Vivael.A@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Vivael.A@mm is also known as Win32/Vivael, W32/Colevo@MM.
Explanation:
The virus is a mass-mailer written in Delphi and compressed with ASPack 2.12. Upon execution, it creates new registry keys and values and modifies existing ones.
New keys and values created:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run1234]
"system=c:\windows\temp.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"system=c:\windows\system.exe"
[HKLM\Software\Microsoft\Windows\RunServices]
"system=c:\windows\commands.com"
Additionally, the virus changes the file-type associations for the following classes:
[HKLM\Software\CLASSES\exefile]
[HKLM\Software\CLASSES\comfile]
[HKLM\Software\CLASSES\batfile]
[HKLM\Software\CLASSES\piffile]
[HKLM\Software\CLASSES\htafile]
This means that whenever a file with the extension *.exe, *.com, *.bat, *.pif or *.hta is opened, the virus is executed. Additionally, the virus adds the NeverShowExt value under [HKLM\Software\CLASSES\exefile], which makes Explorer hide the .exe extension of executable files.
The virus also modifies the following files (the modification is shown for each file):
C:\Windows\system.ini
[boot]
Shell=explorer.exe temp.exe
C:\windows\win.ini
[windows]
load=archivo.exe
run=archivo.exe
####Viva el EVO, y jamas erradicaran la Coca Cola!!! mentira colla maldito!! (PYN Pablo_Hack@hotmail.com)####
(In English: "Long live EVO, and they will never eradicate Coca Cola!!! lie, you damned colla!!"; a message left by the author in win.ini.)
C:\windows\winstart.bat
c:\windows\shell.exe
C:\windows\wininit.ini
Null=c:\windows\system.exe
Each of these also ensures the virus is active as soon as the system boots.
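As an added example (not part of the BitDefender write-up), the following Python checks the text of system.ini, win.ini and winstart.bat for the boot-time persistence entries listed above. The file contents are constructed to mirror the described modifications; the assumed clean defaults are a [boot] Shell= line naming only explorer.exe and empty load=/run= entries in win.ini.

```python
"""Flag boot-time persistence in Windows 9x-style configuration files.

Added example; the file contents below are constructed to mirror the
modifications listed above and are not captured from a real system.
Assumed clean defaults: system.ini [boot] Shell=explorer.exe, and the
win.ini [windows] load= and run= entries empty.
"""
from __future__ import annotations

import configparser

# Constructed samples: what the infected files are described to contain.
INFECTED_SYSTEM_INI = """[boot]
shell=explorer.exe temp.exe
[386Enh]
"""

INFECTED_WIN_INI = """[windows]
load=archivo.exe
run=archivo.exe
####Viva el EVO, y jamas erradicaran la Coca Cola!!! (PYN Pablo_Hack@hotmail.com)####
[Desktop]
"""

INFECTED_WINSTART_BAT = "c:\\windows\\shell.exe\r\n"

CLEAN_SYSTEM_INI = "[boot]\nshell=explorer.exe\n"
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n"


def _parse(text: str) -> configparser.RawConfigParser:
    # RawConfigParser: no %-interpolation, '#'/';' full-line comments are skipped
    # (so the author's #### line is ignored), option names are lower-cased so
    # Shell= and shell= compare equal.
    cfg = configparser.RawConfigParser(allow_no_value=True, strict=False)
    cfg.read_string(text)
    return cfg


def check_boot_files(system_ini: str, win_ini: str, winstart_bat: str | None = None) -> list[str]:
    """Return one human-readable finding per suspicious entry (empty list = clean)."""
    findings: list[str] = []

    shell = (_parse(system_ini).get("boot", "shell", fallback="explorer.exe") or "").split()
    # Shell= legitimately names only the shell; any further token is an extra
    # program Windows starts alongside it (here: temp.exe).
    if not shell or shell[0].lower() != "explorer.exe":
        findings.append(f"system.ini [boot] Shell replaced: {' '.join(shell)}")
    elif len(shell) > 1:
        findings.append(f"system.ini [boot] Shell starts extra program(s): {' '.join(shell[1:])}")

    win = _parse(win_ini)
    for key in ("load", "run"):
        value = (win.get("windows", key, fallback="") or "").strip()
        if value:
            findings.append(f"win.ini [windows] {key}={value}")

    if winstart_bat is not None:
        # winstart.bat runs on every boot; on a clean system it is normally absent or empty.
        for line in winstart_bat.splitlines():
            cmd = line.strip()
            if cmd and not cmd.lower().startswith(("rem", "::", "@echo off")):
                findings.append(f"winstart.bat runs: {cmd}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Run the check over the infected and the clean samples."""
    infected = check_boot_files(INFECTED_SYSTEM_INI, INFECTED_WIN_INI, INFECTED_WINSTART_BAT)
    clean = check_boot_files(CLEAN_SYSTEM_INI, CLEAN_WIN_INI, "")
    return infected, clean


if __name__ == "__main__":
    infected, clean = demo()
    print("\n".join(infected) or "no findings")
    print("clean sample findings:", clean)
```

On a live system the same function would be fed the contents of the real files from the Windows directory; the registry Run/RunServices values listed earlier are a separate check and are not covered by this INI parser.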
Additionally, the virus begins copying itself over and over within the Windows directory and its subdirectories, in the following way: in the current directory it creates several copies whose names are derived from the files in that directory's subdirectories.
Example:
If we have the following directory structure:
oobe\file.htm
oobe\file2.htm
other\file.cab
other\xfile.gif
under the current directory, then the virus copies itself into that directory under the following names:
oobefile.htm.exe
oobefile2.htm.exe
otherfile.cab.exe
otherxfile.gif.exe
The algorithm is: take the subdirectory name, append the file name, then add the extension .exe. With the virus being 188K in size, this causes free disk space to shrink rapidly (by hundreds of megabytes, possibly gigabytes). Coupled with the hidden .exe extension, it also means the user will very likely launch the virus by accident, believing the copy to be a web page or some other harmless file.
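The naming rule above is a usable detection signature: a file named `<subdir><file>.exe` sitting next to a subdirectory `<subdir>` that contains `<file>` is exactly what the virus leaves behind. As an added example (not BitDefender's code), the Python below scans a directory tree for that pattern and confirms the hits share one identical body, as copies of a single virus would. The directory layout it scans is constructed in a temporary folder to mirror the page's example, with short stand-in bodies instead of the 188K virus.

```python
"""Locate the self-copies described above: for a file <subdir>\\<name> the
virus drops <subdir><name>.exe in the parent directory.

Added example, not BitDefender's code. build_sample_tree() constructs a
directory layout mirroring the page's example (oobe\\file.htm and so on),
with short stand-in bodies instead of the 188K virus.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def find_copies(root: Path) -> list[Path]:
    """Return files under `root` (recursively) named <subdir><file>.exe where
    <subdir>/<file> exists beside them. Matching is case-insensitive, as on FAT/NTFS."""
    hits: list[Path] = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        present = {name.lower(): name for name in filenames}
        for sub in dirnames:
            for child in os.listdir(here / sub):
                if not (here / sub / child).is_file():
                    continue
                candidate = f"{sub}{child}.exe".lower()
                if candidate in present:
                    hits.append(here / present[candidate])
    return sorted(set(hits))


def identical_bodies(paths: list[Path]) -> bool:
    """Copies of one virus body hash identically; an unrelated file usually will not."""
    digests = {hashlib.sha256(p.read_bytes()).hexdigest() for p in paths}
    return len(digests) == 1


def build_sample_tree(base: Path) -> None:
    """Constructed layout: two subdirectories with files, the copies the virus
    would drop for them, and one unrelated .exe that must not be flagged."""
    for rel, content in {
        "oobe/file.htm": b"<html></html>",
        "oobe/file2.htm": b"<html></html>",
        "other/file.cab": b"MSCF",
        "other/xfile.gif": b"GIF89a",
    }.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    body = b"MZ" + b"\x00" * 62  # stand-in for the virus body (really about 188 KB)
    for name in ("oobefile.htm.exe", "oobefile2.htm.exe", "otherfile.cab.exe", "otherxfile.gif.exe"):
        (base / name).write_bytes(body)
    (base / "legit.exe").write_bytes(b"MZ" + b"\x01" * 62)  # unrelated, must not match


def demo() -> tuple[list[str], bool]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        hits = find_copies(base)
        return [p.name for p in hits], identical_bodies(hits)


if __name__ == "__main__":
    names, same = demo()
    for n in names:
        print("suspect copy:", n)
    print("all copies share one body:", same)
```

Pointing `find_copies` at the real Windows directory would list the dropped copies; the hash check is the second signal, since a legitimately named `<subdir><file>.exe` is unlikely to be byte-identical to every other hit.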
The virus will open the default browser with these addresses:
Http://jeremybigwood.net
http://news.bbc.co.uk
http://commondreams.org
http://www-ni.laprensa.com.ni
http://www.soc.uu.se
http://www.chilevile.cl
http://members.lycos.fr
http://www.movimientos.org
The complete addresses point to image files (jpg, gif) and are themselves neither dangerous nor viral.
The virus spreads using e-mail addresses taken from the MSN Messenger contact list.
E-mail format:
Subject: El adelanto de matrix ta gueno‼
(English: "The Matrix preview is good!!")
Body: Pablo_Hack
Oye te U paso el programa para entrar a cuentas del messenger, y facilingo te lo paso a voz nomas, prometeme que no se lo pasas a nadie, ya?Respondeme que tal te parecio. chau‼
(English: "Hey, I'm passing you the program for getting into Messenger accounts, and it's easy; I'm giving it only to you, promise me you won't pass it to anyone, ok? Write back and tell me what you thought. bye!!")
Attachment: hotmailpass.exe
The virus contains many typos and mistakes, which make infections less dangerous on non-Spanish Windows versions and suggest that it was written without much care.
Last update 21 November 2011