Win32/Exir.D
Introduction
Win32/Exir.D is a typical instant messenger worm, 160256 bytes in size. The worm is written in Microsoft Visual Basic and is runtime-packed. It drops a backdoor component that allows the attacker to control the compromised system.
Installation and Autostart Techniques
Upon execution, the worm checks for the presence of the file "nvsc32.exe" to avoid installing the backdoor component more than once. If nvsc32.exe is not present on the system, the worm drops the backdoor as "exe.exe" onto the compromised system and executes this file. The dropped file is detected by NOD32 as "Win32/Wootbot.NHV".
Note: %System% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32), whose location differs between versions of Microsoft Windows.
Upon execution, the backdoor copies itself to the %System% folder as "nvsc32.exe" and adds the following registry entries to ensure that the backdoor component is started automatically:
[HKLM\System\CurrentControlSet\Services]
"NvCplScan" = "%System%\nvsc32.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplScan" = "%System%\nvsc32.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NvCplScan" = "%System%\nvsc32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplScan" = "%System%\nvsc32.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NvCplScan" = "%System%\nvsc32.exe"
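The autostart entries above are what an incident responder would look for in an exported registry hive. The following is an added example, not part of the ESET write-up: it parses a decoded .reg export and flags values in the five listed keys that carry the value name "NvCplScan" or point to an image named nvsc32.exe. The sample export is constructed for the demonstration.

```python
import re

# Autostart keys named in the Win32/Exir.D write-up (full hive names as they
# appear in a .reg export, lower-cased for case-insensitive matching).
AUTOSTART_KEYS = {
    r"hkey_local_machine\system\currentcontrolset\services",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}
SUSPECT_VALUE_NAME = "nvcplscan"   # value name used by the dropped backdoor
SUSPECT_IMAGE = "nvsc32.exe"       # file name it copies itself to in %System%

# One REG_SZ line: "name"="data"; .reg files escape '\' and '"' with a backslash.
_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                    # start of a new key section
        elif key is not None:
            m = _SZ_LINE.match(line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))

def find_exir_autostart(text):
    """Return (key, name, data) for autostart values matching the Exir.D pattern."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in AUTOSTART_KEYS:
            continue
        image = data.strip().strip('"').lower()   # tolerate a quoted image path
        if name.lower() == SUSPECT_VALUE_NAME or image.endswith("\\" + SUSPECT_IMAGE):
            hits.append((key, name, data))
    return hits

# Constructed sample export: two infected entries plus one unrelated NVIDIA-style value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplScan"="C:\\WINDOWS\\SYSTEM32\\nvsc32.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NvCplScan"="\"C:\\WINDOWS\\SYSTEM32\\nvsc32.exe\""
'''

if __name__ == "__main__":
    for key, name, data in find_exir_autostart(SAMPLE_REG):
        print(f"[!] {key}\\{name} = {data}")
```

A real export (reg export HKLM\Software out.reg) is UTF-16 encoded; decode it before passing the text in.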
Messenger Spreading
Win32/Exir.D tries to send one of the following randomly selected messages to all online MSN Messenger contacts:
LOOK! http://members.home.nl/{ REMOVED }/handcuffs.pif :-O
wtf.... http://members.home.nl/{ REMOVED }/handcuffs.pif :D
OMFG! http://members.home.nl/{ REMOVED }/handcuffs.pif :P
LMFAO! http://members.home.nl/{ REMOVED }/handcuffs.pif
rofl! http://members.home.nl/{ REMOVED }/handcuffs.pif
Note: The link in these messages downloads the worm. A picture named "pic.jpg" is displayed in the default image viewer and then deleted.
Analyst's Note:
1. Microsoft now blocks MSN Messenger messages which contain ".pif", ".scr" etc. As a result, messages that contain attachments with these extensions will not be received.
2. The name of the worm author seems to be "Toni".
History: Analysis and Write-up by: Michael St. Neitzel
© 1992-2005 Eset. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way, in any form or by any means, without prior permission.
