Isras worm appeared in the beginning of July 2003. The worm spreads in email with different, subjects, bodies and attachments. The worm also spreads via Kazaa file sharing network.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The worm's file is a Windows PE executable 147kb long written in Visual Basic. The worm's file is not compressed. The worm contains 2 embedded files in its body.
When the worm's file is run by a user, it installs itself to system. It copies itself several times and drops a few files:
%winsysdir%\ossmtp.dll - the SMTP library used to spread the worm %winsysdir%\vUser.exe %winsysdir%\vShell.exe - copy of the worm's file %winsysdir%\Win32.exe - copy of the worm's file %tempdir%\faq.exe - copy of the worm's file used for spreading %tempdir%\fun.exe %tempdir%\support.exe - copy of the worm's file used for spreading %tempdir%\toolbar.exe - copy of the worm's file used for spreading %tempdir%\update.exe - copy of the worm's file used for spreading %tempdir%\wizard.exe - copy of the worm's file used for spreading %tempdir%\q322593.exe - copy of the worm's file used for spreading
where %tempdir% represents a temporary folder and %winsysdir% represents Windows System directory.
The worm modifies the default text file startup key:
[HKEY_CLASSES_ROOT\txtfile\shell\open\command] @ = "%winsysdir%\vshell.exe %1"
Also the worm creates a startup key for one of its files:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Win32" = ""%winsysdir%\win32.exe"
This modification makes the worm's file run during every Windows session.
The worm spreads in email messages with different subjects, bodies and attachments. The worm gets victims' email addresses from Windows Address Book and sends itself to all found addresses. The worm sends the following messages:
From:
update@microsoft.com
Subject:
Windows Update
Body:
Your file is attached to message. For more information go to Windows Update http://windowsupdate.microsoft.com
Attachment:
update.exe
OR
From:
update@microsoft.com
Subject:
PS1
Body:
Your file is attached to message. For more information go to Windows Update http://windowsupdate.microsoft.com
Attachment:
q322593.exe
OR
From:
help@google.com
Subject:
Update Your ToolBar
Body:
Your file is attached to message. For more information go to Google home page http://www.google.com
Attachment:
toolbar.exe
OR
From:
help@google.com
Subject:
Auto Search Wizard
Body:
Your file is attached to message. For more information go to Google home page http://www.google.com
Attachment:
wizard.exe
OR
From:
copyright@yahoo-inc.com
Subject:
Yahoo FAQ
Body:
Your file is attached to message. For more information go to Yahoo home page http://www.yahoo.com
Attachment:
faq.exe
OR
From:
copyright@yahoo-inc.com
Subject:
Support For Search
Body:
Your file is attached to message. For more information go to Yahoo home page http://www.yahoo.com
Attachment:
support.exe
The worm does not use any tricks to make its attachment start automatically on recipients' systems.
The worm tries to locate Kazaa P2P (peer-to-peer) file sharing client and copy itself there with one of the following names:
XP Keys.exe OfficeXP Keys.exe NAV_2003 Crack.exe Doom_3 Crack.exe GTA Vice City Crack.exe
If a Kazaa user downloads and runs any of these files, his computer becomes infected with the worm.
The worm tries to disable Symantec's security and anti-virus software by modifying the special Registry key and by unregistering certain software components.
Also the worm searches local hard disks for *.URL files and replaces links in them with one the following:
https://www.ynet.co.il/ http://www.tapuz.co.il/ http://www.nana.co.il/ http://www.msn.co.il/ http://www.walla.co.il/