Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Cervivec.A

Win32/Cervivec.A is a worm written in Delphi compressed by the utility UPX.  It spreads as an email file attachment.  Name of the file in the attachment is worms.zip.  The worm chooses text into the body of the message from the following options:

Subject: Cervici
Body: Cau posilam ti cerviky tak se na to podivej (virus to neni)

Subject: Vtip
Body: Cau posielam ti cerviky tak sa na to pozri (virus to neni)

Subject: Witz
Body: Hallo, Ich habe ein guter Witz-Wurm so sieh! (kein virus)

Subject: Blague
Body: J'ai une bonne blague ca s'appelle verre de terre alors jette un coup d'oeil (il n'y a pas de virus)

Subject: Joke
Body: Hi, I have some cool joke - worms so have a look at it (no virus)

Subject: Zart
Body: Czesc, mam swietnz dowcip - robaka. Obejrzyj go sobie (to nie jest wirus)

Subject: Chiste
Body: Hola te mando los gusanilloes. Pues mirarlos (no es un virus)

As the file in the attachment is compressed it is not directly executable.  That means the user himself has to unpack the file and run the resulting file worms.exe.  The size of the file is 228872 bytes, after unpacking with help of the utility UPX it is increased to 636936 bytes.  The author of the worm tries to persuade the addressee to do so by means of texts in the message body.
After the file worms.exe is run the following window is displayed on the screen:

After clicking the "OK" button a lot of little “worms” appears on the screen. It looks as follows:

Then the worm copies itself as file ntkrnl.exe into the subdirectory SYSTEM in the directory in which the operating system Windows is installed. In the system registry it creates in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run the key Kernel Loader with value C:\WINDOWS\system32\ntkrnl.exe -LOADDRIVERS=TRUE.  By doing this the worm ensures that it will be activated again after the operating system is restarted.  After a restart the worm is activated and finds out whether ICQ is installed.  If ICQ is installed the worm collects email addresses from the list of ICQ contacts.  Then it tries to send the message with its compressed copy to them.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.