Threat Encyclopedia

Win32/Sinala.A

I-Worm.Alanis, W32/Alanis-A

Win32/Sinala.A is a worm that spreads as an e-mail attachment and through P2P file-sharing systems (Grokster, KaZaA, Morpheus, Edonkey, ICQ). The worm is 22528 bytes long and is compressed with the UPX utility. Decompressed, it has a length of 122 Kb. It runs on Windows 95 and newer versions of the Windows operating system. It is written in Visual Basic.

Win32/Sinala.A arrives in a message whose subject is chosen at random from the following words.

axebahia
hectlavo
trancebaile
teckno

The text in the body of the message is always the same.

hay te envio el video que me pediste ta buenazo este es el video verdad espero que sea de tu
agrado espero que te guste a mi me gsuto :p el grupo esta buenazo muy buen video Baile paso a
paso aprendera a bailar rapido Nuevos pasos viva la musica espero que te guste los nuevos pasos

A copy of the worm is attached to the e-mail message. The worm is activated when the file is run, and it then displays a window.

Note: In the following text, the symbolic name %windir% is used in place of the name of the directory in which the Windows operating system is installed; this may differ from installation to installation. The name %system% stands for the System or System32 subdirectory of %windir%.

After it is run, Win32/Sinala.A copies itself into the %windir% directory under the names molani.scr and Cleanmgr.mcg. It also modifies the file system.ini there, adding the line shell=Explorer.exe C:\WINDOWS\Cleanmgr.mcg to the [boot] section. This ensures that the worm starts automatically after Windows 95/98/Me is restarted. The worm creates copies of itself named kerneldll32.api, mope.scr, freesoft.avi.scr and Cleanmgr.mcg in the %system% directory. It also tries to create copies named axebah.exe, BadboysII.scr, piratas.scr and ring.exe on a floppy disk inserted in drive A:.

The worm creates the files alanis.html, avril.html, pamelaXXX.html, evan.html and nemo.html in the root directory of C:. They all have the same length of 673 bytes. At the same time, the file tazmania.txt, 1026 bytes long, is created in the root directory of C:. It contains the following text.

demionklaz@hotmail.com
,   .-'"'=;_  ,
|\.'-~`-.`-`;/|
\.` '.'~-.` './
(\`,__=-'__,'/)
_.-'-.( d\_/b ).-'-._
/'.-'   ' .---. '   '-.`\
/'  .' (=    (_)    =) '.  `\
/'  .',  `-.__.-.__.-'  ,'.  `\
(     .'.   V       V  ; '.     )
(    |::  `-,__.-.__,-'  ::|    )
|   /|`:.               .:'|\   |
|  / | `:.              :' |`\  |
| |  (  :.             .:  )  | |
| |   ( `:.            :' )   | |
| |    \ :.           .: /    | |
| |     \`:.         .:'/     | |
) (      `\`:.     .:'/'      ) (
(  `)_     ) `:._.:' (     _(`  )
\  ' _)  .'           `.  (_ `  /
\  '_) /   .'"```"'.   \ (_`  /
`'"`  \  (         )  /  `"'`
___        `.`.       .'.'        ___
.`   ``""" '''--`_)     (_'--'''"""``   `.
(_(_(___...--'" '`         `'"'--...___)_)_)
[DemionKlaz]..................[DK]

Win32/Sinala.A ensures that its copy is activated after the operating system restarts by creating a value named w32alanis under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and setting it to %system%/mope.scr. It also modifies the registry under HKEY_LOCAL_MACHINE\Software\CLASSES in a way that does not allow files with the mcg extension to be run.
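A check for the two autostart points described above (the shell= line in system.ini and the w32alanis value under the Run key), as an added example that is not part of the original entry or of any ESET tool. The function names, the sample system.ini text and the sample Run values are constructed for illustration; the file names and the value name come from this description.

```python
import ntpath

# Indicators copied from the description above; matching is case-insensitive.
DROPPED = {"molani.scr", "cleanmgr.mcg", "kerneldll32.api",
           "mope.scr", "freesoft.avi.scr"}
RUN_VALUE = "w32alanis"

def boot_shell(ini_text):
    """Return the value of shell= in the [boot] section of system.ini, or None."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return None

def scan(ini_text, run_values):
    """Check both autostart points; run_values maps Run value names to data."""
    findings = []
    shell = boot_shell(ini_text) or ""
    # Assumption: the shell program path has no spaces (Explorer.exe),
    # so anything after the first token is an extra program to launch.
    extra = shell.split(None, 1)[1:]
    if extra:
        known = ntpath.basename(extra[0]).lower() in DROPPED
        findings.append(("system.ini", extra[0], known))
    for name, data in run_values.items():
        # ntpath.basename accepts both \ and / as separators.
        known = ntpath.basename(data).lower() in DROPPED
        if name.lower() == RUN_VALUE or known:
            findings.append(("Run", f"{name}={data}", known))
    return findings

# Constructed sample input, not captured from a real machine.
INFECTED_INI = ("[boot]\nshell=Explorer.exe C:\\WINDOWS\\Cleanmgr.mcg\n"
                "[386Enh]\ndevice=*vmm\n")
CLEAN_INI = "[boot]\nshell=Explorer.exe\n"
INFECTED_RUN = {"w32alanis": "%system%/mope.scr", "SystemTray": "SysTray.Exe"}

if __name__ == "__main__":
    for finding in scan(INFECTED_INI, INFECTED_RUN):
        print(finding)
```

Each finding is a tuple of location, offending entry, and whether the file name matches one listed in this description; an unmatched extra program on the shell= line is still reported so that renamed copies are not missed.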

Win32/Sinala.A obtains the addresses it spreads to from the directory of the Microsoft Outlook mail client. To spread through peer-to-peer networks, it checks whether the following directories exist.

C:\Program Files\WinMX\My Shared Folder\
C:\archiv~1\WinMX\My Shared Folder\
C:\Program Files\KaZaA\My Shared Folder\
C:\ARCHIV~1\KaZaA\My Shared Folder\
C:\Program Files\Grokster\My Grokster\
C:\ARCHIV~1\Grokster\My Grokster\
C:\Program Files\Morpheus\My Shared Folder\
C:\archiv~1\Morpheus\My Shared Folder\
C:\Program Files\ICQ\shared files\
C:\archiv~1\ICQ\shared files\
C:\Program Files\Edonkey2000\incoming\
C:\archiv~1\Edonkey2000\incoming\
C:\Program Files\KaZaA Lite\My Shared Folder\

If such a directory exists, the worm creates copies of itself there under the following names.

alanis morri.mcg
avril lavig.mcg
picsXXX.mcg
piratas.mcg
termi.mcg
destino2.mcg
seaevil.mcg
prin.mcg
paMXX.mcg
evange.mcg
saint.mcg
ova4.mcg
ova13.mcg
ponw.mcg
metalica.mcg

NOD32 detected the Win32/Sinala.A worm using extended heuristics, without needing an update. Detection based on the Win32/Sinala.A sample has been included since version 1.554.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.