|Place of Origin||Brno, Czech Republic|
|File Type(s)||.exe, zip*|
Universe arrives in an email with the following text:
Dear user F-Secure, Symantec and Microsoft, top leaders in IT technologies have discovered one very dangerous Internet worm called I-Worm.Universe in the wild. Author of this viral program is well known hacker from Europe under "Benny" nickname from 29A virus writting group. Universe is fast-spreading worm that already destroyed computer systems in FBI and Microsoft. It is heavilly encrypted and very complex. It consists from many independed parts called "modules", which are very variable - every second hour is producted one new module, that completelly changes behaviour of worm, including anti-detection tricks. You should check your system by our anti-virus attached to this mail. All reports please send to our mail address: firstname.lastname@example.org and/or email@example.com Have a nice day, F-Secure, Symantec and Microsoft, top leaders in IT technologies.
|The Universe wallpaper|
The attachement will have the name Uniclean.zip, which will actually be an .exe file. It will not run by being clicked in the GUI in Windows NT or 2000, but can run from the command prompt. Win9x cannot execute the files at all, in spite of the fact that the code appears to have been written for windows 98.
When executed, the worm installs itself to the Windows system folder as Msvbvm60.exe. The folder may contain a legitimate file by the name of Msvbvm60.dll. It adds itself to a registry key that will cause it to run every time the system is booted. The running copy is registered as a service process to avoid being shown on the windows task list.
Universe attempts to download a file from http://shadowvx.com/benny/viruses/mod.txt. The file contains a list of available plugins. The plugins are encrypted with an RSA algorithm and will have a name of Msvbvm60.dll.
- Mail- looks in the Temporary Internet files folder for .htm and .html files and tries to find email addresses contained in them. It sends a copy of the worm to the email addresses, but one contained inside the module itself. This way, if the worm is updated, the newest available version will be sent.
- Feedback- sends a message to firstname.lastname@example.org
- Payload- downloads the file "Universe.jpg" from Benny's website and registers it as a wallpaper option
- Mirc- if Mirc32.exe is installed, the worm creates a file named Script.ini and attempts to send itself over IRC
- RAR- attempts to infect .rar archives
Universe was coded in the Czech Republic by Benny of the 29A group. It appeared in issue 6 of the 29A magazine.
Peter Szor. Symantec, W98.Universe.Worm. 2002.04.15
Benny. 29A, Issue 6, I-Worm.Universe.