English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsEmail-Worm.Win32.Borzella

Email-Worm.Win32.Borzella

Detected Mar 18 2002 20:00 GMT
Released Mar 18 2002 20:00 GMT
Published Mar 22 2002 12:16 GMT

Technical Details

I-Worm.Borzella is a worm virus spreading via the Internet in an infected file attached to e-mails.

The worm itself is a Windows PE EXE file about 50Kb in length and written in Microsoft Visual C++.

The infected messages have Subject/Body/Attachment names that are randomly selected from three variants each.

Infected messages contain:

Subject:
Storielle..
Leggete urgentemente questa e-mail!! (se avete tempo da perdere)
Divertimento assicurato..

Body:
Ciao, guarda l'allegato... ti potrebbe interessare.
Ciao, devi assolutamente vedere il file che ti ho allegato.
Ciao, dai un'occhiata all'allegato e ti farai due risate ;-)

Attach:
bar.exe
pippo.exe
porkis.exe

Messages displayed by the Borzella virus:

On September 6 Borzella will put forth the following message:

The worm activates only when a user clicks on the attached file. Once this is done the worm then installs itself into the system, runs a spreading routine and delivers its payload.

Installing

While installing the worm copies itself into the Windows directory with the dllmgr.exe name and registers that file in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run Dll Manager = %WinDir%\dllmgr.exe

The worm then displays the following messages:

Quiz Cosa dice un vettore ad un altro?

Risposta ...Scusa, hai un momento?...

Barzelletta
Sai chi e il fratello di Giorgio Armani?

Risposta
...Emporio!

Quiz
Ti trovi al volante della tua auto e circoli ad una velocitÁ costante.
Alla tua sinistra c'e un precipizio.
Alla tua destra un camion dei pompieri che viaggia esattamente alla tua stessa velocitÁ.
Davanti a te cavalca un maiale visibilmente piu grande della tua macchina.
Dietro di te ti segue un elicottero che vola raso terra.
Gli ultimi due, anch'essi alla tua stessa velocitÁ.
Che fai per fermarti?

Risposta
...scendi dalla giostra,imbecille!!!

Cavolata finale
Gesu ai discepoli: 'In veritÁ, in veritÁ vi dico: y=x^2-4x+7'.
I discepoli commentano un po' fra di loro, poi Pietro si avvicina mestamente a Gesu, dicendogli:

'Maestro, perdonaci, ma non comprendiamo il tuo insegnamento...'

On September 6th the worm also displays the message:

Accadde il 6 settembre
Attenzione signori!!!
Oggi non e' mica un giorno fesso come gli altri: spegnete il computer e uscite,godetevi la vita,abbracciate e baciate la persona a voi piu' cara.
Viva l'amore.
;-)

Spreading

To send infected messages the worm uses a direct connection to the SMTP server. To get victim email addresses the worm opens and scans the Windows Address Book (WAB).



Print
Bookmark and Share
Share
Viruses and worms
Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to a SMTP server using the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Aliases

Email-Worm.Win32.Borzella (Kaspersky Lab) is also known as:

  • Email-Worm.Borzella (Kaspersky Lab)
  • I-Worm.Borzella (Kaspersky Lab)
  • Virus: W32/Porkis@MM (McAfee)
  • W32/Porkis-A (Sophos)
  • Worm.Borzella (ClamAV)
  • W32/Test (Panda)
  • W32/Porkis.A@mm (FPROT)
  • Worm:Win32/Storiel.A@mm (MS(OneCare))
  • Win32.HLLM.Porkis.49664 (DrWeb)
  • Win32/Borzella.A worm (Nod32)
  • Win32.Borzella.A@mm (BitDef7)
  • I-Worm.Borzella.A (VirusBuster)
  • Win32:Borzella [Wrm] (AVAST)
  • Email-Worm.Win32.Borzella (Ikarus)
  • I-Worm/Storiel.A (AVG)
  • WORM/Borzella (AVIRA)
  • W32.Storiel@mm (NAV)
  • W32/Porkis.A@mm (Norman)
  • W32/Porkis@MM (NAI)
  • WORM_PORKIS.A (PCCIL)
  • Worm.Borzella (Rising)
  • WORM_PORKIS.A (TrendMicro)

© 1997-2010 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search