Classification

Category: Malware

Type: -

Aliases: Nymph, Roach, Roach.b, W32/Roach, I-Worm.Roach.b

Summary

Nymph is a mass-mailer with backdoor capabilities, created by the ASM/iKX group. It is one of the first worms to use a web server's search engine to find victims' email addresses. The worm is disguised as an 'E-fortune cookie generator'. It is a variant of the W32/Roach worm and has a few serious bugs that prevent it from working even for a short while on an infected system. The worm itself is a Windows PE EXE file about 29kb long. Its code is encrypted with a simple XOR encryption loop.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When started, the worm first gets the API addresses of certain functions from KERNEL32.DLL, WSOCK32.DLL, WININET.DLL, USER32.DLL, MPR.DLL, ADVAPI32.DLL, IMAGEHLP.DLL and SETUPAPI.DLL. Many of these functions are not used in this version of the worm, but might be used in the future. The worm would then gain the ability to spread in Windows networks, infect files, intercept the starting of EXE files, use multiple IRC servers and so on.

First the worm checks which file it was started from. If the file name ends with 'okie' (cookie.exe), the worm generates a random number and shows a messagebox with the text that corresponds to this number (see the cookie texts below). This is done to disguise the worm's installation on the system. If the worm is started from a file whose name ends in 'om32' (dccom32.exe), the worm sets a flag that it is already installed and doesn't show any messageboxes.

The worm then goes to the \Windows\System\ directory and drops a short ZIP archive from inside its body as EGGCASE.ATT. This archive contains only a FILE_ID.DIZ file with the following text:

FortuneCookie 32 - Version 1.0
* FREEWARE *
DESCRIPTION:
============
FortuneCookie 32 is a Windows 32 version of the classical
fortune cookies you can get at some restaurants. It's very
simple double clicking on the cookie.exe file will bring up a
fortune cookie.
This program is freeware so feel free to send out a word of
wisdom to your friends!

If the worm fails to drop this archive into the \Windows\System\ directory, it tries to drop it into the temporary folder. After that the worm looks for EGGCASE*.ATT files and immediately finds the dropped EGGCASE.ATT file. The worm then copies its file as DCCOM32.EXE into the Temp and \Windows\System\ folders and creates a startup key with the name 'dcomdriver' for one of the dropped files in the default Run keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]

Then the worm adds its file as COOKIE.EXE to the ZIP archive (eggcase.att) that it previously dropped. The worm does not use any ZIP utility; it just adds its file 'as is' to the end of the archive, then corrects and adds the data necessary to make the archive valid. This archive is used by the worm as an attachment to infected messages.
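The archive layout described above can be checked at a mail gateway or during triage. The following is an added example, not code from the original description; it assumes that a file appended 'as is' appears as a stored (uncompressed) ZIP member, and the sample archives are constructed here with harmless placeholder bytes.

```python
import io
import zipfile

def stored_executables(data):
    """Names of members stored uncompressed whose content starts with the DOS 'MZ' magic."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Assumption: a file appended 'as is' shows up with the STORED method.
            if info.is_dir() or info.compress_type != zipfile.ZIP_STORED:
                continue
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    hits.append(info.filename)
    return hits

def matches_eggcase_layout(data):
    """True when the archive holds FILE_ID.DIZ plus a stored COOKIE.EXE, as described above."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = {n.upper() for n in zf.namelist()}
    stored = {n.upper() for n in stored_executables(data)}
    return "FILE_ID.DIZ" in names and "COOKIE.EXE" in stored

def constructed_archive(exe_name, deflate=False):
    """Build a harmless test archive in memory (constructed sample, not the worm's file)."""
    method = zipfile.ZIP_DEFLATED if deflate else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FILE_ID.DIZ", "FortuneCookie 32 - Version 1.0\n")
        zf.writestr(exe_name, b"MZ" + bytes(62), compress_type=method)
    return buf.getvalue()

if __name__ == "__main__":
    print(matches_eggcase_layout(constructed_archive("COOKIE.EXE")))
```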

After that the worm waits for some time and then verifies the Internet connection state. If there is no connection, the worm waits and tries again. If a valid connection is found, the worm creates 2 additional threads and puts its main thread into an infinite wait loop. The first thread is the worm's spreading thread; the second is a backdoor thread that uses IRC.

When thread 1 is started, it waits for some time, checks the Internet connection state and, if a valid connection is found, creates 3 sockets and resolves the host names of the 'pop.hotpop.com', 'diemen.nl.eu.undernet.org' (an IRC server; there is one more server name in the worm's body, but it is never used) and 'wwp.icq.com' (ICQ Personal Communication Center) servers. The worm then reads settings from the Microsoft Internet Account Manager or, if that is not available, from the Outlook OMI Account Manager. It gets information about the default account and tries to connect to the user's SMTP server. If the server is not available, the worm tries to use the 'mail.hotmail.com' server. If the user's SMTP server is accessible, the worm still changes it to 'smtp.hotpop.com' and then changes the user's email address to 'fearandwonder@hotpop.com'. These changes are in effect only while the worm is active, as it does not modify these settings in the Registry.

Then the worm gets the Windows registered user name from the Registry. If there is no user name there, the worm generates a random number and selects the name corresponding to this number from its internal table:

dark
evil
lost
cool
kewl
fool
hack
dead
head
bozz

This name is used in the 'From:' field of the infected email in which the worm sends itself out. Then the worm generates 3 more random numbers and fills in a search form that is used to search for email addresses on a web server. The form looks like this:

POST /scripts/srch.dll HTTP/1.1
User-Agent: Mozilla/4.73 (Windows 95; U) Opera 4.02 [en]
Host: wwp.icq.com
Accept: text/html, image/png, image/jpeg, image/gif, image/x-xbitmap, image/vnd.wap.wbmp;level=0, */*
Accept-Language: en
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0
Referer: http://www.icq.com/whitepages/search.html
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-length: 212

FirstName=&LastName=&NickName=&Email=&AgeRange=0-0&Gender=0&Lang=12
&City=&State=&Country=0&Occupation=0&Dept=&Company=&PastInfo=0
&PastInfoText=&Interest=0&InterestText=&SubInterest=&Group=0
&GroupText=&SEND=Search

Finally the worm connects to the web server and sends the form there. When it gets a reply, it looks for an email address and then sends an infected email to that address. The worm uses a Microsoft anonymous SMTP server to send emails. The worm randomly composes the sender's name from 2 tables and adds '@hotmail.com' at the end. The first table is shown above; the second table is:

trooper
travler
nemonic
_maniac
_master
_avatar
_jesuzz
riddler
_satan_
lucifer

The subject line of an infected email is 'Subject: Fw:' followed by one of the randomly selected cookie texts (see the table below). The recipient info is 'To: <removed>'. The worm uses the EGGCASE.ATT archive (with FILE_ID.DIZ and its file COOKIE.EXE) as an attachment. The attachment name is FORTUNE.ZIP and it is sent MIME-encoded. The worm also sends a second attachment, a copy of its own body as SETUP.EXE, hoping that the user will run at least one of the attachments. The message body is in HTML format and looks like this (black text on a bright blue background):

SMACK!!!
You have been hit
This is the funny-attachment war! You have just been hit and by
the rule book you can't hit this person back. To be in the game
you need to send this message to five of your friends, try to
find some small and funny attachment to send along. If you don't
have time use the one you got hit by, go ahead hit someone!

At the end of the infected email there is the text '--nymph--'.
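The message traits listed above (the 'Fw:' subject, the FORTUNE.ZIP and SETUP.EXE attachment pair, the 'SMACK!!!' HTML body and the trailing '--nymph--') can be combined into a mail-filter check. This is an added example, not code from the original description; the sample messages are constructed with placeholder attachment bytes, and the rule of requiring the attachment pair plus two further traits is an assumption chosen for the example.

```python
import email
from email import policy
from email.message import EmailMessage

ATTACHMENTS = {"fortune.zip", "setup.exe"}  # attachment names given in the description
TRAILER = b"--nymph--"                      # text at the end of the infected email

def nymph_mail_traits(raw):
    """Return the set of described traits that are present in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    traits = set()
    if str(msg.get("Subject", "")).startswith("Fw:"):
        traits.add("subject")
    names = {(p.get_filename() or "").lower() for p in msg.iter_attachments()}
    if ATTACHMENTS <= names:
        traits.add("attachments")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and "SMACK!!!" in body.get_content():
        traits.add("body")
    if raw.rstrip().endswith(TRAILER):
        traits.add("trailer")
    return traits

def is_probable_nymph(raw):
    # A forwarded subject alone is common in legitimate mail, so require the
    # attachment pair plus at least two more traits before flagging.
    traits = nymph_mail_traits(raw)
    return "attachments" in traits and len(traits) >= 3

def constructed_sample(infected):
    """Build a harmless test message (constructed here, not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Fw: Happiness can't buy money." if infected else "Fw: minutes"
    html = "SMACK!!!<br>You have been hit" if infected else "See attached."
    msg.set_content("<html><body>" + html + "</body></html>", subtype="html")
    if infected:
        for name in ("FORTUNE.ZIP", "SETUP.EXE"):
            msg.add_attachment(b"placeholder", maintype="application",
                               subtype="octet-stream", filename=name)
        msg.set_boundary("nymph")  # serialized message then ends with --nymph--
    return msg.as_bytes()

if __name__ == "__main__":
    print(sorted(nymph_mail_traits(constructed_sample(True))))
```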

When thread 2 is started, it generates a nick from 'nymph' plus a random 4-digit number ('nymph1234' for example), connects to the 'diemen.nl.eu.undernet.org' IRC server and sets invisible mode for the user with the generated nick. Then the worm joins the #nymph channel and sends a private message:

[I-Worm-Nymph v.1.1] by Asm/iKX

Then the worm enters a loop that handles incoming IRC messages. The worm responds to 'PING', 'JOIN', 'INVI', 'PRIV' and '319' messages. The worm can join a channel when instructed by join and invitation commands, and enters a private chat session on the PRIV command. In the private chat session the worm has backdoor capabilities. It responds to 3 messages: 'msgx' - quit, 'msgi' - get information about the worm version, and 'msgu' - upload and run a file. When a 'msgu' message is received, the worm creates an additional thread that allows a specified file to be downloaded and run on the infected computer. The file is downloaded with a random name into the Temp folder and is activated by the worm.
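The IRC behaviour described above leaves several network-visible markers: the 'nymph' plus 4-digit nick, the #nymph channel, the version banner and the three backdoor keywords. The following added example (not code from the original description) scans IRC protocol lines for them; the session lines, host names and the banner's target are constructed, and the position of the keyword at the start of the message text is an assumption.

```python
import re

NICK_RE = re.compile(r"^nymph\d{4}$")      # 'nymph' plus a random 4-digit number
CHANNEL = "#nymph"
BANNER = "[I-Worm-Nymph v.1.1] by Asm/iKX"
COMMANDS = {"msgx": "quit", "msgi": "version info", "msgu": "upload and run a file"}

def parse_irc(line):
    """Split one IRC line into (command, params), dropping an optional :prefix."""
    line = line.rstrip("\r\n")
    if line.startswith(":"):
        _, _, line = line.partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return "", []
    return parts[0].upper(), parts[1:] + ([trailing] if sep else [])

def nymph_irc_findings(lines):
    """Return (line number, marker) pairs for the markers described above."""
    findings = []
    for n, line in enumerate(lines, 1):
        cmd, params = parse_irc(line)
        if cmd == "NICK" and params and NICK_RE.match(params[0]):
            findings.append((n, "nick"))
        elif cmd == "JOIN" and params and CHANNEL in params[0].lower().split(","):
            findings.append((n, "channel"))
        elif cmd == "PRIVMSG" and len(params) >= 2:
            text = params[1]
            if BANNER in text:
                findings.append((n, "banner"))
            elif text[:4] in COMMANDS:  # assumption: keyword leads the message text
                findings.append((n, "command:" + text[:4]))
    return findings

# Constructed session for illustration; not captured traffic.
CONSTRUCTED_SESSION = [
    "NICK nymph1234",
    "MODE nymph1234 +i",
    "JOIN #nymph",
    "PRIVMSG #nymph :[I-Worm-Nymph v.1.1] by Asm/iKX",
    "PING :irc.example.net",
    ":op!user@host.example PRIVMSG nymph1234 :msgi",
    ":alice!a@host.example PRIVMSG #linux :hello msgi",
]

if __name__ == "__main__":
    for finding in nymph_irc_findings(CONSTRUCTED_SESSION):
        print(finding)
```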

The worm has the following cookie texts:

it is predictable, but I wouldn't like to predict it myself. - C. Lawson
100,000 lemmings can't be wrong.
A friend in need is a pain in the ass.
A man is as old as he feels. But never as important.
A man is as old as the woman he feels.
Always be sincere - Even when you don't mean it.
Always tell her she's pretty, especially when she isn't.
Anyone who can see through a woman is missing a lot.
Avoid life - It'll kill you in the end.
Do to the other fellow as he would do unto you. But for God's
 sake do it first!
Experience, the name given by men to their mistakes.
Get stoned - Drink liquid cement.
Happiness can't buy money.
If a woman wants to learn to drive, don't stand in her way.
Join the army, travel the world, meet interesting people and shoot them.
Just because you're paranoid it doesn't mean they aren't out to get you.
Life is a sexually transmitted disease.
Love Thy Neighbour - But don't get caught.
Money can't buy friends but it can buy a better class of enemy.
 - Spike Milligan.
Never put off till tomorrow what you can avoid altogether.
Racial prejudice is a pigment of the imagination
Smoking - think of it as evolution in action.
Sudden prayers make God jump.
When faced with two evils I like to do the one I've never tried
 before. - Mae West
Live fast, Die young, Leave a good looking corpse.
A Wise Man can see more from the bottom of a well than a Fool
 can see from the top of a mountain.
Walk softly but carry a big stick.
TO DO IS TO BE - Socrates%TO BE IS TO DO - Sartre%DO BE DO BE DO - Sinatra
It is better to keep your mouth closed and let people think you
 are a fool than to open it and remove all doubt. - Samual Clemmens
What you can not avoid, Welcome.
If you can't tie good knots... tie many.
Anything free is worth what you pay for it.
Two wrongs do not make a right; it usually takes three or more.

The worm also has the following text strings that are never displayed:

[I-Worm.Nymph@MM v.1.1] by Asmodeus iKX
creech, creech... we will infest.
Info - this is a stripped version of W32/Roach,
it will pave way for its larger cousin.
Greets : Lifewire/iKX, BillyBel/iKX, StarZero/iKX
SimpelSimon, Ultras, Vecna, T-2000, and the rest
of the ikx family