Winevar
Type Email worm
Creator
Date Discovered 2002.11.23
Place of Origin Seoul, Korea
Source Language C++
Platform MS Windows
File Type(s) .exe, .pif
Infection Length 91,481 bytes
Reported Costs

Winevar, also known as Korvar, is an email worm that drops a copy of the Funlove virus. It is sometimes considered a variant of Bridex and is believed to have originated in Korea.

Behavior

Winevar arrives in an email message. The sender line contains either the registered owner name of the computer it was sent from or simply "AntiVirus". The subject is either "Re: AVAR(Association of Anti-Virus Asia Reseachers)" or the registered organization of the computer it was sent from. The message body is either the registered owner name and organization of that computer or the following text:

  AVAR(Association of Anti-Virus Asia Reseachers) - Report.
  Invariably, Anti-Virus Program is very foolish.

When Winevar is executed, it first attempts to disable security products. It terminates any service whose name contains one of the following strings: view, debu, scan, mon, vir, iom, ice, anti, fir, prot, secu, dbg, vk, pcc and spy. It skips any whose name also contains one of these strings: microsoft, ms, _np, r n, cicer, irmon, smtpsvc, moniker, office, program and explorewclass.

The worm registers itself as a service. Under Windows 9x it adds its name to a configuration file; under all versions of Windows with a registry it adds itself to the local machine RunServices key. It also adds itself to the current user and local machine Run keys. It installs itself to the Windows system directory under a name beginning with Win followed by random characters, with a .pif extension. The worm then executes this file, so a second instance of the worm runs on the computer at the same time.

When the second instance of the worm runs, it waits 512 milliseconds and then displays a message box. It turns off any antivirus or firewall products and checks every second for any that have been turned back on. If the payload has not been activated, it creates a mutex named "~~ Drone of StarCraft~~".

The worm tests for an Internet connection by attempting to download the page at symantec.com. If it does not find a connection, it drops the Funlove virus into the system directory under the name "AAVAR.PIF" and executes it. This variant of Funlove differs slightly from the original: some of the original text is replaced with "~AAVAR 2002 in Seoul~".

If it does find a connection, it checks the registry for the owner and organization the computer is registered to. If there is none, it sets the owner to "AntiVirus" and the organization to "Trand Microsoft Inc.". It then copies itself to the desktop as Explorer.pif. It deletes all files in any folder whose name contains one of the strings "antivirus", "cillin", "nlab" or "vacc". These strings are common in the folder names of antivirus products; one of them is common only in Asia.

Winevar harvests email addresses from any .htm or .dbx files, skipping any address that contains "@microsoft". It sends itself to these addresses using its own SMTP engine and records them in the registry key HKEY_CLASSES_ROOT\Software\Microsoft\DataFactory so that it does not send itself to the same address twice. It uses the registered owner and organization found in the registry to construct the sender line and message body of the emails it sends.
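As an added example (not code from the page or its sources), the following Python check scores an incoming message against the fixed mail indicators described above: the "AntiVirus" sender, the AVAR subject, the two-line body and an executable attachment. The sample message and the attachment name WINabc.pif are constructed for the demonstration.

```python
import email

# Fixed strings from the worm's email format described above.
WINEVAR_SUBJECT = "Re: AVAR(Association of Anti-Virus Asia Reseachers)"
WINEVAR_BODY_LINES = (
    "AVAR(Association of Anti-Virus Asia Reseachers) - Report.",
    "Invariably, Anti-Virus Program is very foolish.",
)
RISKY_EXTENSIONS = (".pif", ".exe")  # file types the worm arrives as

def winevar_indicators(raw: bytes) -> list[str]:
    """Return the Winevar mail indicators present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip() == WINEVAR_SUBJECT:
        hits.append("subject")
    if (msg.get("From") or "").strip().lower() == "antivirus":
        hits.append("from")
    body_parts, attachments = [], []
    for part in msg.walk():  # visit every MIME part, attachments included
        name = part.get_filename()
        if name:
            attachments.append(name.lower())
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_parts.append(payload.decode("latin-1", "replace"))
    body = "\n".join(body_parts)
    if any(line in body for line in WINEVAR_BODY_LINES):
        hits.append("body")
    if any(a.endswith(RISKY_EXTENSIONS) for a in attachments):
        hits.append("attachment")
    return hits

def is_winevar(raw: bytes) -> bool:
    """Flag an executable attachment plus at least one fixed text indicator.
    Messages built from the registered owner/organization match only on the
    attachment, so those still need a manual look."""
    hits = winevar_indicators(raw)
    return "attachment" in hits and len(hits) >= 2

# Constructed sample message; the attachment name is hypothetical.
SAMPLE = (b"From: AntiVirus\nSubject: Re: AVAR(Association of Anti-Virus Asia Reseachers)\n"
          b"Content-Type: multipart/mixed; boundary=B\n\n--B\nContent-Type: text/plain\n\n"
          b"AVAR(Association of Anti-Virus Asia Reseachers) - Report.\n"
          b"Invariably, Anti-Virus Program is very foolish.\n--B\n"
          b"Content-Disposition: attachment; filename=WINabc.pif\n\nMZ\n--B--\n")
```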

Variants

Winevar is a single worm with no variants. The worm itself is sometimes considered a variant of the Bridex worm.

Other Facts

There was an Association of Anti-Virus Asia Researchers (AVAR), which held a conference in Seoul at the time the worm was released.

Sources

Peter Ferrie. W32.HLLW.Winevar. Symantec.com, 2007.02.13.

F-Secure. Winevar.

Mary Landesman. WineVar Redefines Executables. Antivirus About.com.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License