Wukill
Wukill
Type Email worm
Creator
Date Discovered 12-AUG-2003
Place of Origin China?
Source Language Visual Basic 6
Platform Microsoft Windows
File Types .exe
Infection Length 1,208,320 bytes
Reported Costs

Wukill, also known as Wullik or VBWorm2, is a large worm running on Windows. It is notable for its large size of over 1 whole megabyte. It has a few ingenious methods of hiding its presence to the user. Most variants appear to have been written for Chinese victims.

Behavior

Wukill arrives in an email with a subject line of "Hello!". The message body will contain unicode and Chinese text. The attachment will be named MShelp.EXE.

Downloading the attachemnt may cause a siginifcant decrease in the performance of the internet connection, the email client, and the computer. It may not execute properly without the presence of MSVBVM60.DLL, a Visual Basic runtime library.

When Wukill is run, it loads itself into memory and checks for the presence of itself in the Windows folder as "mstray.exe" and "mshelp.exe". If it does not find itself there, it will create a copy. It adds the values "RavTimeXP = [CURRENT FILE NAME].exe", "RavTimXP = [LAST USED FILE NAME].exe" to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run as well as "HideFileExt = 1" and "Hidden=0" to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advance, which will make the system show the full path, as opposed to hiding the file extensions. It also adds the value "fullpath = 1" to the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersionExplorer\CabinetState to ensure that the full path appears in the title bar of Windows Explorer and to prevent Windows Explorer from displaying file extensions and hide files.

If it finds the process csrss.exe, it will inject itself into it. The worm monitors the active Windows Explorer window, waiting for the user to open the folder containing a copy of the worm. When the user navigates to a folder with an active copy of the worm, it creates a new copy of itself in a random location, launches that copy and deletes itself. It also creates a hidden copy of itself in any folder the user navigates to. This may allow it to spread over network shares.

It then attempts to run WINFILE.EXE, the old Windows file manager from Windows 3.x that could still be found in Windows 9x versions. If Wukill is run on NT-based versions of Windows, it will display the error message "Warning This File Has Been Damaged!"

When the computer restarts, the worm runs itself and sends itself to every contact it finds in the Windows Address book.

Variants

The Wukill family contains a number of variants and there appears to be a lot of disagreement among researchers and antivirus detections about what is what. Some variants correct the issues stemming from the file size being so large.

The variant reporterd as the original by VSAntivirus has no subject line and a text body of:

This is a program for Ms-Dos from Microsoft,It
can help you to study Ms-dos.
Don't you want to see?

Wukill.B and F

These variants use an icon disguised as a folder. They also has a subject line of "MS#DOS####" (each "#" represents a Chinese character).

Rays

Rays, sometimes listed as Wullik.* (where "*" is some letter), is very similar to most versions of Wullik. It is 49,152 bytes long and not compressed or encrypted. Its icon looks like a folder icon. It will copy itself to the Windows Fonts folder as BYY.exe and creates an autorun key for it. IT also copies itself to the Windows Help folder as DBBXY.exe as well as the Windows temp folder as WUUR.exe.

Others

Variants named Ostra and Xgtray are very similar to the original. Some products may detect them as another "Rays" variant, while other call it Nethood (mostly McAfee) or Vinet (Panda).

Sources

Candid Wueest. Symantec Security Response, W32.Wullik@mm. 13-FEB-2007

Heather Shannon. W32.Wullik.B@mm. 13-FEB-2007

VSAntivirus, W32/Wukill.A. Datos adjuntos: "MShelp.EXE". 18-AUG-2003

搜狗百科, Worm.WuKill.a. 29-SEP-2005

VSantivirus, W32/Wukill.F. Se propaga por redes y disquetes. 02-AUG-2004

Информационнаяа Безопацность, Email-Worm.Win32.Rays.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License