Classification

Category :

Malware

Type :

Worm

Aliases :

Finaldo, I-Worm.Finaldo.b, Final Doom, FinalDoom, Finaldo.b

Summary

Finaldo is a mass-mailer, virus and network worm. It is a very fast infector that infects EXE, OCX and SCR files. It also infects ASP, HTM and HTML files with a small script code that opens a specific EML file. Due to numerous bugs the worm fails to work correctly and often causes crashes or even makes a system unusable after infection.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The Finaldo dropper that arrives by email is polymorphic. When the dropper runs, it drops and activates the FINALDOOM.DLL file, which is the main virus-worm code. This code is only compressed with UPX and is not polymorphic. The file has the hidden attribute set and is usually located in the \Windows\Temp\ or \Temp\ folder.

After that the worm creates an EXE file, which is its dropper, and also creates a FINALDOOM.EML file that is a pre-formatted multipart MIME message. The worm then MIME-encodes the dropped EXE file into the EML file and deletes the EXE file. The FINALDOOM.EML file is then ready to be sent out.

When spreading, Finaldo reads emails from MAPI-compatible email clients and 'replies' to existing emails by sending itself (the EML file with the encoded worm body) to the senders' email addresses. The worm deletes the sent message from the outgoing message folder. It should be noted that the email spreading routine might not work due to bugs in Finaldo's code.

The worm uses the 'i-frame' trick: the attachment, whose name ends in '.EXE', can be automatically activated by Outlook and by IE 5.0 or 5.01 that do not have the latest security patches. This vulnerability is fixed and a patch for it is available on the Microsoft site:

https://www.microsoft.com/windows/ie/downloads/critical/q323759ie/default.asp

Shortly after activation Finaldo runs its spreading routine. It enumerates network resources and starts to look for *.OCX, *.EXE and *.SCR files and infects them. It also infects files on all local hard drives. The infection is appending and polymorphic, and the infection size is variable. Infected files might crash immediately when run or shortly after being run. The worm doesn't infect the NTOSKRNL.EXE file or files with a _winzip_ section (WinZip self-extracting archives).

Finaldo also looks for *.ASP, *.HTM and *.HTML files and appends a small JavaScript code to the end of these files. This code is almost the same as the one the Nimda worm uses to infect such files, but this routine doesn't seem to work. The worm should also drop its EML files to remote and local systems (as Nimda does), but this functionality fails too.

The worm also uses stealth techniques to hide its files from being shown in Windows Explorer even if the 'Show All Files' option is enabled.

The virus-worm contains the following text strings:

Coded_by_CJH
Finaldoom is coming! Don't worry... It's no harm to your system !
It's only a demo version
Made in china
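
As an added defensive example, not part of the F-Secure description, the following Python script sweeps a directory for the two on-disk artefacts described above: ASP, HTM and HTML files with an appended script that opens an EML file, and binaries containing the text strings listed. The page does not reproduce the injected JavaScript, so the tail-of-file pattern is an assumption modelled on the Nimda-style window.open("...eml") injection the description compares it to; the sample files written by demo() are constructed, not real infected files.

```python
import os
import re
import tempfile
from pathlib import Path

# Text strings the description lists inside the worm's main DLL body.
MARKER_STRINGS = [
    b"Coded_by_CJH",
    b"Finaldoom is coming!",
    b"It's only a demo version",
    b"Made in china",
]

# Heuristic for the web-page infection: a <script> block at the tail of the
# file that references an .eml file. The exact injected code is not on the
# page, so this pattern is an assumption modelled on the Nimda-style
# window.open("...eml") injection the description compares it to.
EML_SCRIPT_RE = re.compile(rb"<script[^>]*>.*?\.eml.*?</script>",
                           re.IGNORECASE | re.DOTALL)

WEB_EXTS = {".asp", ".htm", ".html"}


def has_eml_script_tail(data: bytes, tail_bytes: int = 1024) -> bool:
    """True if the last tail_bytes of a web page hold a script that opens an .eml file."""
    return EML_SCRIPT_RE.search(data[-tail_bytes:]) is not None


def find_marker_strings(data: bytes) -> list[str]:
    """Return the listed worm strings that occur in data, in the page's order."""
    return [m.decode("ascii") for m in MARKER_STRINGS if m in data]


def classify(path: Path, data: bytes) -> list[str]:
    """Findings for one file; an empty list means nothing matched these checks."""
    findings = []
    if path.suffix.lower() in WEB_EXTS and has_eml_script_tail(data):
        findings.append("appended script opening an .eml file")
    markers = find_marker_strings(data)
    if markers:
        findings.append("Finaldo text strings: " + ", ".join(markers))
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk root (hidden files included) and map relative paths to findings."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            findings = classify(path, data)
            if findings:
                report[str(path.relative_to(root))] = findings
    return report


# Constructed sample inputs (not real infected files).
CLEAN_HTML = b"<html><body><p>Quarterly report</p></body></html>\n"
INFECTED_HTML = CLEAN_HTML + (
    b'<html><script language="JavaScript">'
    b'window.open("FINALDOOM.EML", null, "resizable=no,top=6000,left=6000")'
    b"</script></html>"
)
DROPPER_LIKE = b"MZ\x90\x00" + b"\x00" * 64 + b"Coded_by_CJH\x00Made in china\x00"


def demo() -> dict[str, list[str]]:
    """Write the constructed samples into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_bytes(CLEAN_HTML)
        (root / "default.asp").write_bytes(INFECTED_HTML)
        (root / "FINALDOOM.DLL").write_bytes(DROPPER_LIKE)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, findings in demo().items():
        print(rel, "->", "; ".join(findings))
```

Two caveats apply when running this against a real host. The description says FINALDOOM.DLL is UPX-compressed on disk, so its text strings may only be visible after unpacking or in a memory dump; a miss on the string check therefore does not clear a file. And because the worm sets the hidden attribute on its files, the scanner deliberately uses os.walk, which lists hidden files, instead of relying on Explorer.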