Threat Encyclopedia


Win32/Korvar.A

I-Worm.Winevar, WORM_WINEVAR.A, Worm/Bride.C, W32.HLLW.Winevar

Win32/Korvar.A is a worm that spreads as an e-mail file attachment. In addition, it infects the attacked system with the FunLove.4070 virus.

Win32/Korvar.A exploits the incorrect MIME header vulnerability in Microsoft Internet Explorer 5.01 and Microsoft Internet Explorer 5.5, which allows the executable attachment to run automatically without the user double-clicking on it. The vulnerability description is available at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp. A patch securing against this vulnerability, known since March 2001, is available for download at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-027.asp. Another vulnerability exploited by the worm is the Microsoft VM ActiveX component vulnerability, which allows practically any action to be performed on the target computer. The vulnerability description and the related corrective action are available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-075.asp. Since a number of known worms use this vulnerability to spread, it is very important to download and install the patch.

Note: In the following text the symbolic name %windir% is used instead of the name of the directory in which the Windows operating system is installed. Of course, this may differ from installation to installation.

After its activation, Win32/Korvar.A tries to terminate processes having specific strings in their names. This disables many anti-virus programs and debuggers. It creates the file WIN????.pif in the directory %windir%/System; the worm uses randomly chosen characters instead of "?", so the file name can be e.g. WIN91E0.pif. Then it registers this file in the keys
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices.
This ensures that the worm is activated again after the system is restarted.
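A defender-side check for the persistence mechanism described above, added here as an example and not part of the Eset encyclopedia entry: it parses `reg query` output for the three autostart keys and flags any value whose data points at %windir%\System\WIN????.pif. The sample registry output is constructed, and the assumption that the four random characters are alphanumeric is mine.

```python
import re

# The three autostart keys the worm registers its dropped file in (lower-cased for lookup).
KORVAR_RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# Dropped file WIN????.pif in %windir%\System. Assumption: the four random characters
# are alphanumeric (the example given is WIN91E0). Accepts a literal %windir% or
# %SystemRoot% variable as well as an already expanded drive path.
KORVAR_FILE_RE = re.compile(
    r"(?:%windir%|%systemroot%|[a-z]:\\[^\\\s]+)\\system\\win[0-9a-z]{4}\.pif\b",
    re.IGNORECASE,
)
# One "name  type  data" row of `reg query` output (fields separated by runs of spaces).
REG_ROW_RE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query <key>` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key is not None:
            m = REG_ROW_RE.match(line)
            if m:
                yield key, m.group(1), m.group(3)

def find_korvar_autostart(text):
    """Return Run/RunServices entries whose data points at %windir%\\System\\WIN????.pif."""
    return [
        {"key": key, "value": name, "data": data}
        for key, name, data in parse_reg_query(text)
        if key.lower() in KORVAR_RUN_KEYS and KORVAR_FILE_RE.search(data)
    ]

# Constructed sample `reg query` output for the three keys; not captured from a real system.
SAMPLE_REG_QUERY = r"""HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
    WIN91E0    REG_SZ    C:\WINDOWS\System\WIN91E0.pif
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    WIN91E0    REG_SZ    %windir%\System\WIN91E0.pif
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    WIN91E0    REG_SZ    C:\WINDOWS\System\WIN91E0.pif
"""
```

On a live system the same function can be fed the output of `reg query <key>` for each of the three keys; a path in %windir%\System32 or in any other key is deliberately not flagged, since the description names only %windir%\System and these three keys.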

The worm sends copies of itself to addresses harvested from files with the extensions .htm or .dbx.

After the system is restarted, the worm displays the following message window:

After the "OK" button is clicked, the worm erases all files from the disk on which it was activated.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.