Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.Runouce.a
Email-Worm.Win32.Runouce.a
| Detected | Jun 08 2002 20:00 GMT |
| Released | Jun 09 2002 20:00 GMT |
| Published | Jun 13 2002 13:22 GMT |
Technical Details
Runouce is a worm virus spreading via the Internet as an attachment to infected emails. Runouce also copies itself to shared network resources.The Runouce worm is a Windows PE EXE file about 10KB in length and written in Assembly language.
Infected messages have the following properties:
To run from infected messages the worm exploits the IFRAME security breach.
Installation
The worm copies itself to the Windows System directory under the name "Runouce.exe" and then registers this file in the following registry auto-run key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Runonce = %System%\Runouce.exe%System% = the Windows System directory name.
When the Runouce is launched it creates a 'mutex' named "ChineseHacker" to avoid running multiple instances.
Spreading
The worm creates .EML files containing its copy in all available directories,
and network resources, excluding the Windows directory. The name of the .EML
files is the name of the victim's computer. For example, if the computer name
is COMPUTER, the worm creates COMPUTER.EML files in that computer's directories.
Runouce searches for victim email addresses in WAB databases and files with .ADC and R.DB extensions on all available drives except the Windows directory, and sends infected messages to these addresses. To send infected messages, the worm directly accesses the SMTP server "btamail.net.cn".
Other
The Runouce worm searches for files with .EXE and .SCR extensions on all fixed and remote drives, except the Windows directory, and modifies their file access time data.
Runouce also closes programs with some Chinese titles (probably Chinese anti-virus programs).
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- I-Worm.
Runouce. a (Kaspersky Lab) - I-Worm.
Runouce (Kaspersky Lab)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.