Imsolk
Type: Multiple vector worm
Creator: iraq_resistance
Date Discovered: 2010.08.20
Place of Origin:
Source Language:
Platform: MS Windows
File Type(s): .exe, .scr
Infection Length: 44,032 bytes
Reported Costs:

Imsolk is a worm that replicates over multiple vectors, including email. It was a curiosity for its time, as email worms were so close to completely dying out, like the boot sector virus. It was very virulent, infecting several major companies as well as NASA.

Behavior

Imsolk may arrive in an email with a sender line that is always forged to appear as iraq_resistance@yahoo.com. The subject is "Here you have". The message body is "Hello! This is The Document I told you about,you can find it Here. Please check it and reply as soon as possible." The attachment is a screensaver file with an Adobe PDF icon.

When Imsolk is executed, it drops the file SendEmail.dll into the system directory and the following files into the windows directory:

  • svchost.exe
  • ff.exe
  • gc.exe
  • ie.exe
  • im.exe
  • op.exe
  • pspv.exe
  • rd.exe
  • tryme1.exe

Imsolk adds "Explorer.exe C:\WINDOWS\svchost.exe" as a value to the Local Machine logon shell registry key so it starts when the user logs on. It creates 386 new registry subkeys under the image file execution key and adds the value of "Debugger = svchost.exe" to them, which ensures the worm will run whenever an image file is opened.

The worm disables several security programs and settings. It changes the value of three registry keys to "0": the Local Machine User Account Control, Prompt On Secure Desktop and Enable Virtualization registry keys. The worm deletes two Local Machine Windows security service registry keys and two automatic update service registry keys. It deletes any files on drives C: and D: under the directory \Program Files\USB Disk Security. The worm also deletes 46 services, all related to security products. It also ends the processes CPE17AntiAutoruna.exe, outlook.exe and Usbguard.exe.
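The registry changes described in the two paragraphs above can be checked offline against a registry snapshot; this is an added example, not code from the original page or from any vendor write-up. The key paths and the value names EnableLUA, PromptOnSecureDesktop and EnableVirtualization are the standard Windows locations assumed to correspond to the keys the page names in prose, and the snapshot with its placeholder image names is constructed.

```python
import ntpath

# Assumed standard Windows locations for the keys the article names in prose.
NT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
WINLOGON = (NT + r"\Winlogon").lower()
IFEO = (NT + r"\Image File Execution Options").lower() + "\\"
POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System".lower()
UAC_VALUES = ("enablelua", "promptonsecuredesktop", "enablevirtualization")

def first_exe(cmd):
    """Lower-cased file name of the program a command line starts."""
    cmd = cmd.strip()
    first = cmd[1:].split('"')[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
    return ntpath.basename(first).lower()

def triage(snapshot):
    """Return (check, detail) findings for {key_path: {value_name: data}}."""
    # Registry key and value names are case-insensitive, so normalise both.
    keys = {k.lower(): {n.lower(): d for n, d in v.items()}
            for k, v in snapshot.items()}
    findings = []
    # 1. Logon shell: anything beyond a bare explorer.exe runs at every logon.
    shell = str(keys.get(WINLOGON, {}).get("shell", "")).strip()
    if shell and shell.lower() != "explorer.exe":
        findings.append(("winlogon-shell", shell))
    # 2. IFEO: group hijacked image names by the "debugger" they launch.
    hijacks = {}
    for path, values in keys.items():
        exe = first_exe(str(values.get("debugger", "")))
        if path.startswith(IFEO) and exe:
            hijacks.setdefault(exe, []).append(path[len(IFEO):])
    for exe, images in sorted(hijacks.items()):
        findings.append(("ifeo-debugger", f"{exe} x{len(images)}"))
    # 3. UAC policy values forced to 0.
    policy = keys.get(POLICY, {})
    off = [n for n in UAC_VALUES if str(policy.get(n, "")) == "0"]
    if off:
        findings.append(("uac-disabled", ",".join(off)))
    return findings

def constructed_snapshot():
    """Constructed sample mirroring the article; image names are placeholders."""
    snap = {WINLOGON: {"Shell": r"Explorer.exe C:\WINDOWS\svchost.exe"},
            POLICY: dict.fromkeys(UAC_VALUES, 0)}
    for i in range(386):
        snap[f"{IFEO}placeholder{i}.exe"] = {"Debugger": "svchost.exe"}
    return snap

if __name__ == "__main__":
    print(triage(constructed_snapshot()))
```

A single Debugger entry can be legitimate, so the count per target is what separates a mass hijack like the one described here from an administrator's own redirect.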

The worm sends itself to all addresses in the Windows Address Book and the Yahoo! Instant Messenger address book. Imsolk spreads across mapped drives, placing the files open.exe and autorun.inf in their root directory. It also spreads to other computers in the workgroup by copying itself to several directories as N73.Image12.03.2009.JPG.scr on that system. These directories include:

  • \c\
  • \d\
  • \E\
  • \F\
  • \G\
  • \H\
  • \music\
  • \New Folder\
  • \print\

Variants

Imsolk.B was discovered on the 9th of September 2010. The email may come with either the same sender as the original variant, or a random name with @yahoo.com. The subject line may also be the same as the previous version or it may be "Just for you". It has two possible message bodies:

Hello! This is The Document I told you about,you can find it Here.
  [http://]www.sharedocuments.com/library/PDF_Document21...
  Please check it and reply as soon as possible.
  Enjoy Your Time.
  Cheers,

Or:
This is The Free Dowload Sex Movies,you can find it Here.
  [http://]www.sharemovies.com/library/SEX21.025...

Rather than the whole worm coming in an attachment, this one sends a link to the victim and the victim downloads the rest. The executable is 290,816 bytes long. When executed, this variant drops only two files, csrss.exe in the Windows directory and updates.exe in the system directory. It ends the processes CPE17AntiAutoruna.exe, outlook.exe and Usbguard.exe. It also turns the system folder into a shared network folder.
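The file placements described for both variants (svchost.exe and csrss.exe in the Windows directory, the .JPG.scr copy on shares, and open.exe beside autorun.inf in a drive root) share three traits that can be checked against any file listing. The following is an added example, not code from the original page; the decoy-extension list, the host name PC2 and the sample paths are constructed assumptions.

```python
import ntpath

# Names the article reports dropped in the Windows directory; the genuine
# system files of these names live under System32 (svchost.exe also SysWOW64).
SYSTEM_NAMES = {"svchost.exe", "csrss.exe"}
SYSTEM_DIRS = {"system32", "syswow64"}
EXECUTABLE = {".exe", ".scr"}                  # file types listed in the article
DECOY = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}  # assumed list

def classify(paths):
    """Return {path: [reasons]} for a listing of Windows or UNC paths."""
    hits, roots = {}, {}
    for p in paths:
        folder, name = ntpath.split(p)
        stem, ext = ntpath.splitext(name.lower())
        reasons = []
        # Masquerade: a system process name outside its expected directory.
        if name.lower() in SYSTEM_NAMES and \
                ntpath.basename(folder).lower() not in SYSTEM_DIRS:
            reasons.append("system-name-outside-system32")
        # Double extension: executable type hidden behind a document/image one.
        if ext in EXECUTABLE and ntpath.splitext(stem)[1] in DECOY:
            reasons.append("double-extension")
        if reasons:
            hits[p] = reasons
        # Remember files sitting directly in a drive or share root.
        drive, rest = ntpath.splitdrive(folder)
        if rest in ("", "\\"):
            roots.setdefault(drive.lower(), []).append(p)
    # Autorun pair: an executable next to autorun.inf in the same root.
    for files in roots.values():
        if any(ntpath.basename(f).lower() == "autorun.inf" for f in files):
            for f in files:
                if ntpath.splitext(f)[1].lower() in EXECUTABLE:
                    hits.setdefault(f, []).append("autorun-pair-in-root")
    return hits

# Constructed listing built from file names given in the article.
SAMPLE = [r"C:\WINDOWS\svchost.exe", r"C:\WINDOWS\system32\svchost.exe",
          r"C:\WINDOWS\csrss.exe", r"\\PC2\music\N73.Image12.03.2009.JPG.scr",
          r"Z:\autorun.inf", r"Z:\open.exe", r"Z:\docs\report.pdf"]

if __name__ == "__main__":
    for path, why in classify(SAMPLE).items():
        print(path, why)
```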

Origin

Imsolk was created by an anti-US cracker going by the handle Iraq Resistance who was upset about the US invasion of Iraq and the planned burning of Qurans on September 11. He was linked to the group Brigades of Tariq ibn Ziyad, and was originally believed to have been based in Libya. The stated goal of this group was to "penetrate U.S. agencies belonging to the U.S. Army". Some kind of attack had likely been in the works since fall of 2008.

A journalist researching Iraq Resistance and his group, however, found his email timestamp to be from the time zone of the Middle East and East Africa (this includes Iraq). A video was posted to YouTube under the user name "iqziad", whose profile listed Spain as his home country. However, the one person in the group who spoke to journalists was not forthcoming about his or any group members' national origins. The IP address his emails came from was British, but he suggested he may have been using a proxy or a bot-infected computer.

Effects

Hundreds of thousands of systems worldwide were supposedly affected. Email servers at Disney, Procter and Gamble, Wells Fargo, Comcast, AIG and NASA were brought down completely or at least disrupted. A Kaspersky Lab expert later determined that it was not significant enough to warrant an increased threat level. The worm was described as being so primitive that the heuristics of some antivirus programs could detect it even before it was released.

While the worm may have infected a high number of systems, it did little damage by itself, as all it does is disable security. It probably would not even have been notable if it were not an email worm, a class of worm thought to have been near extinction. In fact, an observer noted that a zero-day attack against Adobe Reader was probably more newsworthy.

