|Type||Mass mailer worm|
|Place of Origin||Mechelen, Belgium|
|File Type(s)||.exe, .scr, .vbs|
|Infection Length||32,768 bytes|
Quizy arrives in an email with a subject line of "Merry Christmas!". The body of the message says, "You've probably received enough e-cards. Here's a nice Christmas screensaver instead :)" and it comes with an attachment named xmas.scr.
When executed, Quizy drops the xmas.scr screensaver file as well as startup.exe (the quiz) in the C root directory. It also copies mail.vbs, which performs the mailing, and jbells.rtx, a ringtone that plays "Jingle Bells" to the system folder. It adds the value "(Default) = C:\startup.exe" to the Local Machine registry key that will cause startup.exe to run when the system starts up.
Quizy overwrites RTX files (ringtones) in My Documents with "Jingle Bells". Quizy then prepends its infectious code to all files in the Windows, My Documents and MIRC folders.
A window opens explaining the infection and the quiz. Next, a DOS window opens, which displays the questions. Every time a question is answered correctly, the quiz goes on to the next question. It will stay on the same question until it is answered correctly.
Once all of the questions have been answered correctly, it displays a URL, www.geocities.com/quiz_map, pointing to a webpage with instructions on how to disinfect the computer. The site displays the map of a town. The user is expected to go to a physical location where a "package" is hidden in underbrush.
|The first 5 questions and their answers|
The worm mails itself to up to 666 of the contacts in the user's Address Book (if the user has that many or more than that).
To infect files, the worm checks the values of the Personal Shell Folders registry key (this usually points to the "My Documents" folder) and infects any .exe files found there. If mIRC is installed in C:\progra~1\mirc\mirc.exe, it will infect it (though the default mIRC installation is at C:\mirc\). If the system is any version of Windows, with the exception of Windows 9x or ME, it will infect any files it finds in the windows folder.
Quizy will probably avoid files that are already infected. It also avoids explorer.exe and soundman.exe. Quizy prepends its code to any .exe files it finds. Infected files can be identified with a "g" at offset 0x13h (the 20th place from the beginning of the file, in hexadecimal numbers). When an infected file is run, it extracts Quizy as origfile.exe and runs it. Origfile.exe is deleted after it is finished running.
The worm's creator intended the worm to be named "Quizy". However, many antivirus firms, and the CARO naming conventions have a policy against giving a virus or worm the name that the creator intended (this is one rule that the Virus Encyclopedia deliberately ignores, with the exception of when the intended name is already used, like with Nimda which the creator wanted to be named Concept), as it may boost the creator's ego. Most gave it a name similar to "Quiz", except for Symantec, which named it "Belzy", in reference to the "Jingle Bells" ringtone.
- AVG: Win32/Quis.A
- AVP: I-Worm.Qizy
- BitDefender: Win32.HLLP.Izuqy.A
- CA: Win32.Quis.A
- ClamAV: Worm.Quizy
- Kaspersky Labs: Email-Worm.Win32.Qizy
- McAfee: W32/Quis@MM
- Panda: W32/Quiz.A
- Sophos: W32/Qizy-A
- Symantec: W32.HLLP.Belzy@mm
- Trend Micro: PE_QUIS.A-O
Taras Malivanchuk, Matthew McCormack. CA, Win32.Quis.A (Japanese). 2004.01.05-08
McAfee Antivirus, W32/Quis@MM.
Heather Shannon. Symantec.com, "W32.HLLP.Belzy@mm".
Sophos Threat Analysis. "W32/Qizy-A"