Win32.Auric.A@mm

( I-Worm.Magold.a (Kaspersky), WORM_AURIC.A (Trend Micro), )

SYMPTOMS:

Fake DirectX error:

All windows become red:

Many empty text files on Desktop, called raVeNNNN (NNNN is a number)

Unrequested web-page opened to www.offspring.com

Text appended to current window title:
"=:-) OFFSPRING is co0L =:-) PUNK\'S NOT DEAD =:-)"

Antivirus/firewall processes terminated

Delay on opening executable files

TECHNICAL DESCRIPTION:

The worm sends itself by mail to all addresses in the Windows Address Book, as well as e-mail addresses parsed from *.ht* files from
victim's hard drive.

Message details:


From: EROTIKA.LAP.HU
Subject: Maya Gold-os kepernyokimelo!
Attachment: "Maya Gold.scr"
Body:

Tisztelt cim!
Az EROTIKA.LAP.HU nezettsegenek novelese erdekeben egy kis izelitot
kivan adni kinalatabol az Internet felhasznaloknak!
FIGYELEM: A 'Maya Gold.scr' nevu csatolt allomany egy kepernyovedo.
Mint a neve is mutatja Maya Gold pornoszinesznorol tartalmaz kulonbozo
kepeket.
Az allomanyt ajanlott elobb a lemezre menteni, majd utana futtatni.

Amennyiben valami problemaja, kerdese van, irjon a kovetkezo cimre:
erotika@lap.hu

Udvozlettel: EROTIKA.LAP.HU


After sending messages to all recipients, the worm sends another mail that contains information about victim's computer, to the virus coder:


From: EROTIKA.LAP.HU
To: rave-punk@freemail.hu
Subject: Maya Gold-os kepernyokimelo!
Body:

Szevasz haver!
Ez tokre bejott! Nesze a cucc:

Nev:

Winver:

Felkesz:

Megoszt:


PUNKS NOT DEAD

The recipients e-mail addresses are stored in: %SystemDir%\ravec.txt

A fake error is displayed first time the worm is run, and after sending the mails, the worm creates many empty desktop files named raVe????, the color of windows is changed to red, and default associations for the ".exe", ".com", ".bat", ".scr", ".pif" are replaced targetting the worm executable - that is, when you start an executable, Windows will start the virus instead. From time to time, the following text is appended to current window title:
"=:-) OFFSPRING is co0L =:-) PUNK\'S NOT DEAD =:-)"

The worm copies itself to "C:\%WINDIR%\raVe\Maya Gold.scr "C:\%WINDIR%\Maya Gold.scr" and to "C:\%WINDIR%\raVe.exe" and creates the registry keys so as to be run at startup:
Key: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
Subkey: "raVe"
Value: "C:\%WINDIR%\raVe.exe"
Key: "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
Subkey: "raVe"
Value:\"C:\%WINDIR%\raVe.exe"
Additional registry entries are created to keep track of virus activity:
Key:\"HKEY_LOCAL_MACHINE\Software\raVe"
Subkeys:

Processes that contain the following strings are terminated: "AV", "NORT", "AFEE", "VIR", "ANTI".

The following extensions are associated to the virus executable:
".exe", ".scr", ".com", ".bat", ".pif".

A copy of the worm is put in the following Peer-To-Peer programs' directories:
LimeWire, Gnucleus, Shareaza, BearShare, Edonkey2000, Morpheus,
Grokster, ICQ/Shared Files, Kazaa.

Mirc and Pirch are also infected by replacing script.ini or events.ini if exist, with new ones, so that every time a user joins a channel, the victim will send him/her the virus by DCC.

If network mapped drives are found, the worm copies itself to them and creates autorun.inf files that would run it.

The worm attempts to update itself by FTP from ftp.fw.hu.

Removal instructions:

First download the removal archive and and run extfix.reg to remove executable file association with the worm file, *or* mannually edit the keys:
Key: HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
Value:
Replace with: %1 %*
Key: HKEY_CLASSES_ROOT\exefile\shell\open\command
Value:
Replace with: %1 %*

Then use our removal tool. It does the following:

* Kills the worm processes
* Deletes the worm files that would run at startup
* Corrects the executable file associations
* Restores the windows colors to normal
* Deletes the empty RAVE???? text files from desktop
* Deletes the HKEY_LOCAL_MACHINE\Software\raVe keys
* Deletes the %SystemDir%\ravec.txt file
* If all fixed drives are scanned, all the worm files, autorun.inf from mapped drives and infected IRC scripts are deleted

ANALYZED BY:

Mihai Neagu BitDefender Virus Researcher