Prophecy | |
---|---|
Type | Multiple vector worm |
Creator | |
Date Discovered | 15-NOV-2000 |
Place of Origin | Australia |
Source Language | |
Platform | Microsoft Windows |
File Types | .exe, .vbs |
Infection Length | 9,499 bytes |
Reported Costs | |
Prophecy is a worm by GzR of NUKE. It comes from Australia and appeared in NUKE magazine in 2000. A lab worm, it was never released to the wild.
Behavior
Prophecy can arrive through IRC or as an email attachment. The email will have a subject of "I Finally Found it!". The message body is "Maby the prophecy will come true for you." and the attachment is "prophecy.exe".
When executed, the worm copies itself to the Windows folder as "Prophecy.exe". It then looks for the file WINSTART.BAT, and if it doesn't find it, it creates it. It adds code to this file to ensure Prophecy.exe is run at every reboot. The worm overwrites the C:\MIRC\SCRIPT.INI file with instructions for the mIRC client to send the Prophecy.exe file to all accessed chat channels upon leaving. It will also leave the message "I am the keeper of the songs." in IRC. It then drops the files STARTUP1.VBS, STARTUP2.VBS, and STARTUP3.VBS in the Start Menu Startup folder.
STARTUP1.VBS takes care of the email sending routine, which uses MAPI routines to send the worm to all contacts in the Windows Address Book (.WAB). It checks for the key and value combination in the registry: "HKLM\Software\Microsoft\Windows\CurrentVersion\prophecy = Microsoft Windows" and will not work if it finds it. Otherwise it performs the mailing routine and then creates the key itself. The STARTUP2.VBS file displays a message that is activated on the 1st, 10th, or 15th of any given month. The message is as follows:
The Prophecy message |
---|
It also adds PROPHECY.URL to the favorites folder, which points to http://www.avp.au/.
STARTUP3.VBS has a one in three chance of creating the files TURN.DLL and DOSSTART.BAT in the Windows folder. DOSSTART.BAT generates the file TURNING.COM in the Windows folder using the DOS DEBUG command, based on the code in TURN.DLL. DOSSTART.BAT then executes TURNING.COM, which overwrites the first 96 bytes of the file WIN.COM in the Windows folder. This leaves the system unable to boot into Windows.
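The file artifacts described in this section can be checked on a mounted disk image during triage. The script below is an added example, not code from the worm or from the original write-up; `scan_image`, `verdict` and the content markers are hypothetical names and assumptions (it assumes WINSTART.BAT and SCRIPT.INI name Prophecy.exe literally and that the dropped DOSSTART.BAT names TURNING.COM).

```python
import os

# File names from the write-up that are not expected on a clean system.
NAME_ONLY = {"PROPHECY.EXE", "STARTUP1.VBS", "STARTUP2.VBS", "STARTUP3.VBS",
             "PROPHECY.URL", "TURN.DLL", "TURNING.COM"}
# Files that can exist legitimately (Windows 9x and mIRC use them), so they
# are flagged only when they contain the marker. Markers are assumptions
# derived from the behaviour described above, not extracted from a sample.
CONTENT = {"WINSTART.BAT": b"prophecy.exe",
           "SCRIPT.INI": b"prophecy.exe",
           "DOSSTART.BAT": b"turning.com"}


def scan_image(root):
    """Walk a mounted disk image; return sorted (indicator, relative path) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            upper = name.upper()  # FAT file names are case-insensitive
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if upper in NAME_ONLY:
                hits.append((upper, rel))
            elif upper in CONTENT:
                try:
                    with open(full, "rb") as fh:
                        data = fh.read(65536).lower()
                except OSError:
                    continue  # unreadable file: skip it, keep scanning
                if CONTENT[upper] in data:
                    hits.append((upper, rel))
    return sorted(hits)


def verdict(hits):
    """Group hits by the stage of the worm's behaviour they correspond to."""
    names = {indicator for indicator, _path in hits}
    return {
        "installed": bool(names & {"PROPHECY.EXE", "WINSTART.BAT"}),
        "irc_spreading": "SCRIPT.INI" in names,
        "startup_scripts": bool(names & {"STARTUP1.VBS", "STARTUP2.VBS",
                                         "STARTUP3.VBS"}),
        "boot_payload": bool(names & {"TURN.DLL", "TURNING.COM",
                                      "DOSSTART.BAT"}),
    }
```

A `boot_payload` hit means the one-in-three STARTUP3.VBS branch has run, so WIN.COM on that image should be compared against a known-good copy.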
Name and Origin
Prophecy comes from Australia, was coded by GrZ, and appeared in NUKE in 2000. "Prophecy" is the name of a song by alternative rock band Remy Zero. The worm contains a reference to the song in the SCRIPT.INI file. The message displayed by STARTUP2.VBS references the Nixons' song "Sister". It appears to be entirely a lab worm that was never released in the wild and only shared with antivirus researchers.
Other Facts
In our own research on the worm, we could only get it to function and replicate properly under Windows 9x.
Sources
VSAntivirus, Prophecy. Se propaga en el archivo ‘Prophecy.exe’. 09-AUG-2002.