This threat is deemed Low-Profiled due to media attention at http://www.theregister.co.uk/content/56/32662.html
McAfee users are proactively protected from this threat when scanning with the 4252 DAT files, compressed executables, and the 4.2.40 scan engine. 4.1.60 engine users are also protected under the same scenario, but also require program heuristics. The detection name varies with DAT file version and engine, and will be along the lines of W32/Generic or New Worm.
The virus is detected as W32/Generic.worm!irc This worm attempts to spread via Microsoft Outlook, and Internet Relay Chat. The worm also terminates security software, contains a Denial of Service attack payload, a web page overwriting payload, and disables the registry editor and task manager. The virus may be received in an email message as follows:
: (one of the following)
- Your Account Infomation.
- Your Account is on hold.
- Your Account has been suspended.
- Account Infomation.
- Account Invoice.
- Email Account Infomation.
- This quaters invoice.
- Account Billing Information.
- YOUR ACCOUNT REF:
- ORDER CONFIRMATION:
- Account,is on hold.
- Please can you check that your account information is up to date.
Your details are attached to this email.
- Please can you confirm that your account information is correct.
Your current details are attached to this email.
- Please find attached this quaters invoice for your Internet Account.
- Please find your details attached. Thank you.
Details are attached to this email.
- Regards, Billing Team.
Regards, Support Team.
: (one of the following)
- Account Invoice.Doc.exe
- Your Account.Doc.exe
- Account Details.Doc.exe
- Your Account Info.Doc.exe
- Account Information.Doc.exe
- Billing Information.Doc.exe
- Account Update.Doc.exe
- Account Status.Doc.exe
- Your Account Status.exe
When the attachment is run (manually accessed with the mouse or keyboard), the virus attempts to copy itself to the PROGRA~1
(Program Files) directory as ACCOUNT_DETAILS.DOC.exe. This failed during testing. A registry key is created to load this, non-existent, file:
Run "Windows Task Manager" = c:\progra~1\ACCOUNT_DETAILS.DOC.exe
A file named WIN32.SORT-IT-OUT-BLAIR.TXT
is created on the root directory of the C: drive. This file contains the following text:
- Infected by the WIN32.SORT-IT-OUT-BLAIR Virus!
The virus contains a payload to overwrite the following files with this text:
The mIRC script is overwritten with instructions to send the virus to users who join the same channel as the infected user. The following message is sent along with the virus:
Hey, Do you want to take part of the iRC chain mail world record? If so all you have to do is load up the program add your irc nick and press submit! Just rename the file from .irc to .exe and your ready to go!
The following registry keys are created to disable the registry editor and task manager:
Policies\System "DisableRegistryTools" = 1
Policies\System "DisableTaskMgr" = 1
On the 11th of the month, an ICMP denial of service attack is launched on the domain www.number-10.gov.uk