W32/Viking.GT

Threat risk: low

Detection files published: 02 Mar 2007
Description created: 2007-03-05
Description updated: 2007-03-05

Alias: HLLP.Philis.ha
Spreading mechanism: File Infection, Network, Other

Payload: Terminates security processes, installs backdoor, downloads additional components.

Summary

This is a worm with file-infecting capabilities.

Standalone file size: 68303 bytes.

When it first executes on a machine it installs itself and creates a registry entry so that it is run at every boot. It also installs a number of files:

File system changes:
%WINDIR%\uninstall\rundl132.exe
%WINDIR%\Logo_1.exe
%WINDIR%\RichDll.dll
%root%\_desktop.ini
Infects executable files.
May leave temporary BAT files in various locations and with semi-random names.

The files rundl132.exe and Logo_1.exe are identical and contain the main worm, while the DLL file RichDll.dll is a backdoor/downloader trojan. _desktop.ini is a text file that contains the date of infection.

File infection procedure:
The virus looks for files to infect in two ways: by enumerating mapped drives from C: to Z: and searching them for executable files, and by connecting to network shares it can access and searching those. When an eligible file is found, the virus makes a temporary copy of it under the original file name with an extra ".exe" extension appended, infects that copy by prepending its own code, deletes the original file and renames the infected copy back to the original name. If the original file cannot be removed (for example because the program is running), the virus works around this by writing a temporary batch file that loops, retrying the deletion until the file becomes deletable, e.g. when the application is closed, and then moves the infected copy into place.

The virus will not infect files that are over 16 MB in size, or files residing under a folder with any of the following names:

system
system32
windows
Documents and Settings
System Volume Information
Recycled
winnt
Program Files
Windows NT
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
ComPlus Applications
NetMeeting
Common Files
Messenger
InstallShield Installation Information
Microsoft Frontpage
Movie Maker
MSN Gaming Zone
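The selection rules and the prepending layout described above are enough to write a scanner and disinfector for this family. The Python below is an added example, not Norman's tooling and not code from the worm. It assumes that "executable files" means files with an .exe extension, that the host program is stored unmodified immediately after the 68303-byte worm body (so infected files grow by exactly that amount, as stated above), and that a minimal MZ/PE header check is enough to tell a host program from padding. The "infected" buffer is constructed inside the block from fake PE skeletons, not from real binaries.

```python
import os
import struct

# Size of the standalone worm; the page states infected files grow by exactly this much.
VIKING_BODY_LEN = 68303
MAX_TARGET_SIZE = 16 * 1024 * 1024          # files "over 16MB" are skipped by the infector

# Folder names the infector skips, as listed on the page (matched case-insensitively).
SKIPPED_FOLDERS = {name.lower() for name in (
    "system", "system32", "windows", "Documents and Settings",
    "System Volume Information", "Recycled", "winnt", "Program Files",
    "Windows NT", "WindowsUpdate", "Windows Media Player", "Outlook Express",
    "Internet Explorer", "ComPlus Applications", "NetMeeting", "Common Files",
    "Messenger", "InstallShield Installation Information", "Microsoft Frontpage",
    "Movie Maker", "MSN Gaming Zone",
)}


def worm_would_target(path, size):
    """True if Viking.GT's selection rules would infect this file.

    Assumption: "executable files" on the page means a .exe extension.
    Any ancestor folder with a skipped name excludes the whole subtree.
    """
    if size > MAX_TARGET_SIZE or not path.lower().endswith(".exe"):
        return False
    folders = path.replace("\\", "/").split("/")[:-1]
    return not any(f.lower() in SKIPPED_FOLDERS for f in folders)


def looks_like_pe(data):
    """Minimal PE sanity check: 'MZ' stub, e_lfanew in range, 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_host(data):
    """Return the original program from a prepender-infected image, or None.

    Assumption: the worm body (itself a PE) occupies the first 68303 bytes and
    the host follows unmodified. A clean .exe larger than 68303 bytes has no
    PE header at that offset, so it is left alone rather than truncated.
    """
    if len(data) <= VIKING_BODY_LEN:
        return None
    body, host = data[:VIKING_BODY_LEN], data[VIKING_BODY_LEN:]
    if looks_like_pe(body) and looks_like_pe(host):
        return host
    return None


def disinfect_tree(root):
    """Walk a tree, rewrite infected .exe files in place, return the paths cleaned."""
    cleaned = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            size = os.path.getsize(path)
            if not worm_would_target(path, size):
                continue
            with open(path, "rb") as fh:
                host = recover_host(fh.read())
            if host is not None:
                with open(path, "wb") as fh:
                    fh.write(host)
                cleaned.append(path)
    return cleaned


def make_fake_pe(size, tag):
    """Constructed test data: an MZ/PE skeleton padded to `size` bytes, not a real binary."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)       # e_lfanew -> PE signature at offset 0x80
    buf[0x80:0x84] = b"PE\0\0"
    buf[0x100:0x100 + len(tag)] = tag
    return bytes(buf)


WORM_BODY = make_fake_pe(VIKING_BODY_LEN, b"stand-in for the worm body")
HOST_EXE = make_fake_pe(4096, b"stand-in for a host program")
INFECTED = WORM_BODY + HOST_EXE                   # prepender layout described on the page

if __name__ == "__main__":
    print(worm_would_target(r"D:\tools\putty.exe", len(INFECTED)))      # True
    print(worm_would_target(r"C:\Program Files\App\app.exe", 4096))    # False
    print(recover_host(INFECTED) == HOST_EXE)                           # True
    print(recover_host(make_fake_pe(100000, b"big clean exe")))         # None
```

Two points are worth keeping in mind when turning this into real cleanup. First, the skip list tells a responder where infected files will not be found: system folders and Program Files stay clean, so user data, tool directories and network shares are where to scan. Second, a generic prepender strip must never be applied blindly; the PE check on the tail is what prevents truncating a large clean executable, and a real implementation should also verify the stripped head against a detection signature before writing anything back.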

Registry changes:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run load=%WINDIR%\uninstall\rundl132.exe
HKLM\Software\Soft\DownloadWWW auto = 1
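The two registry entries above are the cheapest host indicators for this worm. The Python below is an added example (not a Norman tool and not from the original description) that parses the text of a .reg export and reports both indicators. The sample export is constructed in the block to look like an infected host; the key and value names come from the page, everything else is an assumption for the demonstration.

```python
import re

# Constructed sample of a .reg export from an infected host (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"load"="C:\\WINDOWS\\uninstall\\rundl132.exe"

[HKEY_LOCAL_MACHINE\Software\Soft\DownloadWWW]
"auto"=dword:00000001
'''

# Constructed sample of a clean host, for comparison.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_lower: {value_name_lower: data}}.

    Only string ("...") and dword:xxxxxxxx data are decoded; other types are
    kept as the raw right-hand side so they can still be inspected.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line) if current else None
        if not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            data = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            data = re.sub(r"\\(.)", r"\1", raw[1:-1])   # undo the \\ and \" escaping
        else:
            data = raw
        keys[current][name] = data
    return keys


RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_local_machine\software\soft\downloadwww"


def viking_indicators(reg):
    """Return the Viking.GT registry indicators present in a parsed export."""
    hits = []
    load = reg.get(RUN_KEY, {}).get("load")
    # Match the exact file name: "rundl132.exe" (digit one, digit three) imitates
    # rundll32.exe, so a loose "rundll32" substring match would miss it and flag
    # legitimate entries instead. %WINDIR% may be C:\WINDOWS or C:\WINNT.
    if isinstance(load, str) and load.lower().endswith(r"\uninstall\rundl132.exe"):
        hits.append("Run\\load = " + load)
    if reg.get(MARKER_KEY, {}).get("auto") == 1:
        hits.append("Software\\Soft\\DownloadWWW\\auto = 1")
    return hits


if __name__ == "__main__":
    for hit in viking_indicators(parse_reg(SAMPLE_REG)):
        print("indicator:", hit)
```

The value under the Run key is named "load", not after the executable, so a check that only looks for a value called rundl132.exe will miss it. A `reg export` taken from a real host is usually UTF-16 with a byte-order mark; decode it before passing the text to `parse_reg`.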

Network activity: 
The worm pings the local subnet to establish which machines are up, using the string "Hello,World!" as the ICMP echo request data. It then attempts to log on to the machines found using the WNetAddConnection API, with the following username/password combinations:

administrator/no password
administrator/default password
default user/default password
no user/no password

If it finds machines it can connect to, it attempts to copy itself as a standalone file to the remote ADMIN$ share, using the file name it is currently running under (rundl132.exe or logo_1.exe). If it has administrator rights on the remote machine, it then registers the remote file as a scheduled task there using NetScheduleJobAdd.

If it is unable to connect to the ADMIN$ share, or if it is running under Win9x/ME, it enumerates the visible shares on the machine using Windows Networking and attempts to connect to them with the following credentials:

default user/default password
default user/no password

If the connection succeeds, it infects files on the share using the file infection procedure described above. The same happens once the worm has finished pinging the 255 lowest IPs on the local network: it then enumerates network resources, looking for shares and files to infect in the same manner.
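The ping sweep described above is the worm's most visible network behaviour: 255 echo requests from one host, all carrying the same "Hello,World!" data. The Python below is an added example (not part of the original description and not a Norman tool) that builds a constructed capture of raw IPv4/ICMP packets in memory, parses them, and flags any source that sends echo requests with that payload to many distinct hosts. The addresses, the unrelated background traffic and the 32-host threshold are assumptions for the demonstration; the payload string is the one stated on the page.

```python
import struct
from collections import defaultdict

SWEEP_PAYLOAD = b"Hello,World!"                              # echo data the page attributes to the worm
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # default ping.exe data, for contrast


def ip_to_bytes(addr):
    return bytes(int(p) for p in addr.split("."))


def build_icmp_echo(src, dst, payload):
    """Constructed sample traffic: a raw IPv4 + ICMP echo request (checksums left 0)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x0100, 1) + payload   # type 8, code 0, id, seq
    total = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 1, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    return ip + icmp


def parse_packet(raw):
    """Return (src, dst, icmp_type, payload) for an IPv4/ICMP packet, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 1 or len(raw) < ihl + 8:        # IP protocol 1 = ICMP
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    total = struct.unpack_from("!H", raw, 2)[0]
    return src, dst, raw[ihl], raw[ihl + 8:total]


def find_sweepers(packets, min_targets=32):
    """Map each source that sent echo requests carrying the worm's payload to at
    least `min_targets` distinct hosts -> number of hosts probed."""
    targets = defaultdict(set)
    for raw in packets:
        parsed = parse_packet(raw)
        if parsed is None:
            continue
        src, dst, icmp_type, payload = parsed
        if icmp_type == 8 and payload == SWEEP_PAYLOAD:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


# Constructed capture: one infected host sweeping .1-.255 (the "255 lowest IPs"),
# an administrator running an ordinary ping, and one unrelated TCP packet.
SAMPLE_PACKETS = [build_icmp_echo("192.168.1.23", "192.168.1.%d" % n, SWEEP_PAYLOAD)
                  for n in range(1, 256)]
SAMPLE_PACKETS.append(build_icmp_echo("192.168.1.5", "192.168.1.1", WINDOWS_PING_PAYLOAD))
SAMPLE_PACKETS.append(bytes([0x45, 0, 0, 40]) + bytes(5) + bytes([6]) + bytes(30))

if __name__ == "__main__":
    for src, count in find_sweepers(SAMPLE_PACKETS).items():
        print("possible Viking.GT sweep from %s (%d hosts probed)" % (src, count))
```

On a real sensor the same two conditions (ICMP type 8 and the fixed payload) are what an IDS content rule would match on; the per-source target count is what separates a worm sweep from a single administrator ping that happens to carry the same data. The payload string is specific to this variant and other variants may use different data, so the sweep count should be kept as an independent signal.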

Spreading description

The worm enumerates local and remote mapped drives and infects executables it finds, as well as copying itself over to remote shares as standalone files. The file infection is done by prepending the virus code to the original program; infected files thus grow by 68303 bytes.
 

Threat description

The worm installs a backdoor component and also tries to download more files from a Chinese site. The site was down at the time of writing, but the downloaded files have been determined to include up to 11 different password-stealing trojans targeting online games such as World of Warcraft and Lineage. Theft of game accounts is big business and involves the theft and resale of virtual items and virtual money for real money.

Several security processes are terminated by the worm.

Removal

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

Usage   Title                                               Comment
        Blocking viruses that infect network shares
        Cleaning of back-up folders on Windows Me and XP