Classification

Category :

Malware

Type :

-

Aliases :

Silver, IWorm_Silver, I-Worm.Silver

Summary

Silver is a dangerous worm that spreads over the Internet by email and through IRC channels, and also infects computers on a local network through shared drives. The worm itself is a Windows application written in Delphi, about 90 KB long (it may also be packed with a PE EXE compression tool, in which case the file on disk is smaller than the original).

Removal

Depending on the settings of your F-Secure security product, it will either move the file to quarantine, where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm tries two different methods to send infected emails from an infected computer. First it looks for the Eudora mail client. If Eudora is installed, the worm scans its outgoing mail database (the OUT.MBX file), collects email addresses from it and sends each address a message with a copy of the worm attached. These messages look like this:

Subject: concerning last week ...
Text:

Please review the enclosed and get back with me ASAP.

 Double click the Icon to open it.
Attach:
c:\silver.exe

Then the worm tries to access whichever email system is installed, regardless of brand, using MAPI functions: it connects to the installed email system, retrieves messages, reads the email addresses in them and sends its copies to those addresses. In this case the messages look like this:

Subject: Re: now this is a nice pic :-)
Text:

Thought you might be interested in seeing her
Attach:
naked.jpg.exe

To abuse IRC clients, the worm looks for the C:\MIRC, C:\MIRC32 and C:\PIRCH98 directories and overwrites the IRC scripts there with a script that sends a copy of the worm to every user who joins a channel the infected user is in.

The mIRC script has additional features. When a user sends a message to an IRC channel containing the word 'silverrat', the script replies to that user with the message 'I have the Silver Rat virus' (so infected computers announce themselves to whoever asks). If the text 'pyrealrat' appears in a channel, the script opens the C: drive of the affected machine as a file server, giving the remote user access to all data on the C: drive.

To infect remote computers on the network, the worm scans all drives from C: to Z: and looks for a WINDOWS directory on each. If it finds one, the worm copies itself there and registers itself to run: it adds its execution string to the auto-run section of WIN.INI or to the Registry, depending on the Windows version (Win9x or WinNT). This means the worm can infect remote computers whose drives are shared with read/write access.

To install itself into the system, the worm copies itself under the following names:

to the Windows directory:
SILVER.EXE, SILVER.VXD, NAKED.JPG.EXE, NAKED.JPG.SCR
to the root directory of drive C:
SILVER.EXE

The worm then registers itself in the auto-run keys of the system registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKU\Software\Microsoft\Windows\CurrentVersion\Run

Each of these keys receives the value:

 "Silver Rat" = WinDir\silver.exe

where WinDir is the Windows directory.

As a result a copy of the worm is executed four times on each Windows startup. The worm also modifies further registry keys so that it runs even more often (and sends more infected emails as a result).

Windows links filename extensions to applications through records in the system registry. These records name the application that is run to handle files with a given extension: when a file is opened, Windows takes its extension and looks up in the registry which application handles files of that type.

The worm abuses this mechanism and modifies more than 100 such registry keys, replacing the original reference to the application with a reference to its own copy, SILVER.VXD. It does this for three different keys per application:

\shell\open\command
\shell\edit\command
\Shell\play\command

The patched registry keys look like this:

HKCR\AIFFFILE\shell\open\command = "C:\WINDOWS\silver.vxd 33157 "%1" %"
HKCR\AIFFFILE\shell\play\command = "C:\WINDOWS\silver.vxd 53157 "%1" %"
HKCR\ASFFILE\shell\open\command = "C:\WINDOWS\silver.vxd 379157 "%1" %"

where the number on each line is an ID the worm uses to find and run the original host application (see below).

The list of affected applications (registry keys that link a filename extension to an application) is rather long:

accesshtmlfile
accessthmltemplate
AIFFFILE
AllaireTemplate
anifile
artfile
ASFFile
aspfile
ASXFile
AudioCD
aufile
AVIFile
BeHostFile
Briefcase
cdafile
ChannelFile
Chat
chm.file
CMCD
Connection Manager Profile
CSSfile
curfile
Drive
DrWatsonLog
Excel.Workspace
eybfile
fndfile
fonfile
ftp
GatewayFile
giffile
helpfile
hlpfile
htafile
htfile
htmlfile
http
https
icofile
icquser
icsfile
inifile
iqyfile
IVFfile
jpegfile
JSFile
ldap
m3ufile
mailto
mhtmlfile
mic
MIDFile
MMS
MMST
MMSU
money
motiffile
MOVFile
MPEGFILE
MPlayer
MSBD
mscfile
msee
msgfile
Msi.Package
Msi.Patch
MSProgramGroup
Net2PhoneApp
NetscapeMarkup
news
nntp
Notes.Link
NSM
ofc.Document
ofx.Document
ossfile
outlook
PBrush
pcxfile
pjpegfile
pngfile
PNM
powerpointhtmlfile
qwb.Document
ramfile
RealMedia File
regedit
regfile
rtsp
scpfile
scriptletfile
SHCmdFile
SoundRec
SSM
tgafile
ThemeFile
TIFImage.Document
ttffile
txtfile
VBSFile
wab_auto_file
WangImage.Document
Whiteboard
WIFImage.Document
Winamp.File
WinRAR
WinRAR.ZIP
WinZip
wrifile
WSFFile
WSHFile
x-internet-signup
xbmfile
xmlfile
xnkfile
xslfile

The worm stores the original keys in another registry key:

HKLM\Software\Silver Rat

This key contains the list of all keys that were replaced as shown above. The worm uses this list to run the original application: it takes the application name and command line from this "backup" list and spawns it.

This way of modifying the system registry is very dangerous. If the worm's copy is removed from the system, Windows can no longer pass files to the applications listed above, and the system is left largely unusable. When a file of an affected type is opened, Windows reports an error saying that the associated SILVER.VXD cannot be found.
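To triage a host for the auto-run entries, the hijacked file associations and the uninstall entry described above, the following script is an added example; it is not F-Secure tooling and not code from the worm. It parses a Windows .reg export and flags Run/RunServices values that launch the worm, HKCR shell\...\command values redirected to SILVER.VXD, and the "Silver Rat" Uninstall key. The .reg text in SAMPLE_REG is constructed for this example (it reproduces the key names and values reported above, it was not captured from an infected machine); the worm filenames in WORM_FILES, the helper names and the category labels are assumptions of this example. The list of ProgIDs it reports is the cleanup caveat from the text in practical form: those associations must be restored from the HKLM\Software\Silver Rat backup before SILVER.VXD is deleted, otherwise the affected file types stop opening.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export for demonstration; NOT captured from an infected
# machine. Key names and values mirror the ones reported in the description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Silver Rat"="C:\\WINDOWS\\silver.exe"
"Updater"="\"C:\\Program Files\\Vendor\\upd.exe\" /quiet"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Silver Rat"="C:\\WINDOWS\\silver.exe"

[HKEY_CLASSES_ROOT\AIFFFILE\shell\open\command]
@="C:\\WINDOWS\\silver.vxd 33157 \"%1\" %"

[HKEY_CLASSES_ROOT\AIFFFILE\shell\play\command]
@="C:\\WINDOWS\\silver.vxd 53157 \"%1\" %"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\NOTEPAD.EXE %1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Silver Rat]
"DisplayName"="Silver Rat Virus"
"UninstallString"="c:\\silver.exe /uninstall"
'''

# File names the description reports for the worm's copies (assumption: matching
# on names is enough for this example; a real tool would also hash the files).
WORM_FILES = {"silver.exe", "silver.vxd", "naked.jpg.exe", "naked.jpg.scr"}
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runservices")

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: a backslash escapes the next character."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[Tuple[str, str], str]:
    """Map (key path, value name) -> string data; '' names the default value (@).
    Non-string data (dword:, hex:) is skipped, it is irrelevant here."""
    entries: Dict[Tuple[str, str], str] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                entries[(key, name)] = _unescape(data[1:-1])
    return entries


def command_executable(cmd: str) -> str:
    """Lower-cased file name of the program a shell command line launches,
    honouring a quoted path so that a path with spaces is not split."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split()[0] if cmd else ""
    return exe.rsplit("\\", 1)[-1].lower()


def triage(entries: Dict[Tuple[str, str], str]) -> List[Tuple[str, str, str, str]]:
    """Return (category, key, value name, data) for every suspicious entry."""
    findings = []
    for (key, name), data in entries.items():
        lk = key.lower()
        exe = command_executable(data)
        if lk.endswith(RUN_KEY_SUFFIXES) and (name == "Silver Rat" or exe in WORM_FILES):
            findings.append(("autorun", key, name, data))
        elif lk.startswith("hkey_classes_root\\") and lk.endswith("\\command") and exe in WORM_FILES:
            findings.append(("association_hijack", key, name, data))
        elif "\\uninstall\\silver rat" in lk:
            findings.append(("uninstall_entry", key, name, data))
    return findings


def hijacked_progids(entries: Dict[Tuple[str, str], str]) -> List[str]:
    """ProgIDs whose shell commands now point at the worm: the associations
    that must be restored from the worm's backup key before SILVER.VXD goes."""
    ids = {key.split("\\")[1] for cat, key, _, _ in triage(entries)
           if cat == "association_hijack"}
    return sorted(ids)


if __name__ == "__main__":
    found = parse_reg_export(SAMPLE_REG)
    for cat, key, name, data in triage(found):
        print(f"{cat:19} {key}\\{name or '@'} = {data}")
    print("ProgIDs needing restoration:", hijacked_progids(found))
```

On a live host the same functions can be fed the output of `reg export HKCR hkcr.reg` (and the Run keys), since that command writes the same format as the constructed sample; the legitimate NOTEPAD.EXE and quoted "Program Files" entries in the sample are there to show that only commands launching one of the worm's files are flagged.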

The worm pays special attention to the system's registry backup files and destroys them to prevent the registry from being restored from backup. It corrupts each file (overwriting its first 5 KB with garbage data) and then deletes it:

USER.DA0 and SYSTEM.DA0 in Windows directory
SYSTEM.1ST in root directory of C: drive

The worm has a payload routine that runs when it is "uninstalled". The worm creates an "uninstall" entry in the system registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Silver Rat
 DisplayName = "Silver Rat Virus"
 UninstallString = "c:\silver.exe /uninstall"

As a result the worm appears in the Control Panel's Add/Remove Programs window as "Silver Rat Virus". If the "Remove" button is pressed, the worm displays a message box:

Blood
"I have to return some videos" - American Psycho

and fills the title bar of the Recycle Bin window with garbage.

The worm looks for running anti-virus applications and terminates them, identifying them by the following names:

AVP Monitor
Norton AntiVirus Auto-Protect
Norton AntiVirus v5.0
VShieldWin_Class
NAI_VS_STAT
McAfee VirusScan Scheduler
ZoneAlarm
WRQ NAMApp Class

It also looks for anti-virus files (virus databases and drivers) and deletes them:

*.AVC (AVP)
*.DAT (NAI)
BAVAP.VXD, NAVKRNLN.VXD (NAV)

The worm also tries to infect VBS files, but this fails because of a bug.