
Virus Detail

Win32.Blackmal.E

Date Published:
19 Sep 2004

Last Updated:
12 Oct 2004

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  High

Characteristics

Type : Worm

Category : Win32

Also known as: W32.Blackmal.C@mm (Symantec), Win32/Blackmal.E.Worm, W32/MyWife.c@MM (McAfee), I-Worm.Nyxem.d (Kaspersky), W32/Nyxem.D@mm (F-Secure)

Immediate Protection Info

Signature     Product                                        Removal Instructions
23.66.45      eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/8581     eTrust Antivirus v7/8* (Vet Engine)
6.1x/5731     eTrust EZ Antivirus 6.1x
6.2x/8581     eTrust EZ Antivirus 6.2x
10.5x/5731    Vet Anti-Virus 10.5x
10.6x/8581    Vet Anti-Virus 10.6x

Description

Win32.Blackmal.E is a worm that spreads via e-mail and network shares.


Method of Infection

When executed, Blackmal.E creates multiple copies of itself in various locations on an affected machine.


It creates copies of itself as:


  • %Program Files%\INTERNET EXPLORER\Media Player.exe
  • %Windows%\Volume\<Windows File>.exe - where <Windows File> is a filename selected from the .exe files contained in the user's %Windows% directory. For example, if it finds a file named regedit.exe in the %Windows% directory, it copies itself as regedit.exe inside the Volume directory. Note: the worm also creates the 'Volume' directory that this file is placed in. This file is marked as 'hidden'.
  • %System%\Connection.exe
  • %System%\MOVIE009.PIF
  • %System%\movie_05.MP3_________________________________________________________.exe
  • %System%\Old_Password.baT
  • %System%\PaltlkRoom.wav_________________________________________________________.exe
  • %System%\REGEDITM.EXE
  • %System%\sound_223.mp3_________________________________________________________.exe
  • %System%\The_Members.PIF
  • %System%\<Windows File>M.EXE
  • %System%\Video_live.mpg_________________________________________________________.exe
  • %System%\YAHOO.PIF

It also drops %System%\OSSMTP.DLL, a legitimate SMTP COM library from OstroSoft. The DLL is not malicious in itself, but finding it alongside the files above is a useful indicator.


Note: '%System%' and '%Windows%' are variable locations. The worm determines the location of these folders by querying the operating system. The default System directory is C:\Winnt\System32 on Windows NT and 2000, C:\Windows\System on Windows 95, 98 and ME, and C:\Windows\System32 on Windows XP. The default Windows directory is C:\Winnt on Windows NT and 2000, and C:\Windows on Windows 95, 98, ME and XP.


Blackmal.E modifies the registry to ensure that the copy of itself created in the %Windows%\volume directory is executed each time Windows is started:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\(Default) = %Windows%\VOLUME\<Windows File>.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<Windows File>.exe = %Windows%\VOLUME\<Windows File>.exe
HKLM\SOFTWARE\Microsoft\Active Setup\Security = %System%\<Windows File>M.EXE



Method of Distribution

Via Network Shares

Blackmal.E enumerates resources on the network and, for each one it finds, attempts to copy itself to it using one of the following filenames:


Connection.exe   
MOVIE009.PIF
movie_05.MP3_________________________________________________________.exe
Old_Password.baT
PaltlkRoom.wav_________________________________________________________.exe
REGEDITM.EXE
sound_223.mp3_________________________________________________________.exe
The_Members.PIF
UNINSTM.EXE
Video_live.mpg_________________________________________________________.exe
YAHOO.PIF
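The filenames above, and the copies listed under Method of Infection, share two tricks that are easy to check for on a share listing: a run of underscores pushes the real .exe extension out of view behind a media extension (movie_05.MP3_____.exe), and the extension case is mangled (.baT) to slip past case-sensitive filters. The following Python is an added example, not code from the advisory or from CA; it scans a constructed listing for those patterns and generalises them slightly (any padded decoy extension in front of an executable one, and the <Windows File>M.EXE naming). KNOWN_WINDOWS_STEMS is a placeholder; on a real host it would be built from the %Windows% directory listing.

```python
import re
from typing import List, Tuple

# Extensions Windows runs on double-click.  Blackmal.E uses .exe, .pif and
# .bat (as '.baT'); the rest are included so the check generalises.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".bat", ".com", ".cmd"}

# Stems of standard Windows executables.  Constructed placeholder: on a real
# host, build this from a listing of the %Windows% directory, since the worm
# derives '<Windows File>M.EXE' from whatever .exe files it finds there.
KNOWN_WINDOWS_STEMS = {"regedit", "uninst", "notepad", "explorer", "taskman", "winhlp32"}

# Pattern: <stem>.<decoy ext><8+ underscores or spaces>.<real ext>
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+?)\.(?P<decoy>[a-z0-9]{2,4})[_ ]{8,}\.(?P<real>[a-z0-9]{2,3})$",
    re.IGNORECASE,
)

# Constructed share listing: the advisory's filenames plus three benign controls.
SAMPLE_LISTING = [
    "regedit.exe",
    "readme.txt",
    "Connection.exe",
    "MOVIE009.PIF",
    "movie_05.MP3_________________________________________________________.exe",
    "Old_Password.baT",
    "PaltlkRoom.wav_________________________________________________________.exe",
    "REGEDITM.EXE",
    "sound_223.mp3_________________________________________________________.exe",
    "The_Members.PIF",
    "UNINSTM.EXE",
    "Video_live.mpg_________________________________________________________.exe",
    "YAHOO.PIF",
]


def classify(name: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one filename: 'suspicious', 'review' or 'ok'."""
    m = PADDED_DOUBLE_EXT.match(name)
    if m:
        real = "." + m.group("real").lower()
        if real in EXECUTABLE_EXTS:
            decoy = "." + m.group("decoy").lower()
            return "suspicious", f"decoy {decoy} extension hides {real} behind padding"
    stem, dot, raw_ext = name.rpartition(".")
    ext = "." + raw_ext.lower() if dot else ""
    if ext in EXECUTABLE_EXTS:
        # '.baT' style case-mangling defeats case-sensitive extension filters.
        if raw_ext not in (raw_ext.lower(), raw_ext.upper()):
            return "suspicious", f"mixed-case executable extension .{raw_ext}"
        base = stem.lower()
        if base.endswith("m") and base[:-1] in KNOWN_WINDOWS_STEMS:
            return "suspicious", f"'<Windows File>M' naming derived from {base[:-1]}.exe"
        if ext in {".pif", ".scr"}:
            return "review", f"{ext} is executable but rarely legitimate on a share"
    return "ok", ""


def scan_listing(names: List[str]) -> List[Tuple[str, str, str]]:
    """Classify every name; returns (name, verdict, reason) triples."""
    return [(n, *classify(n)) for n in names]


if __name__ == "__main__":
    for name, verdict, reason in scan_listing(SAMPLE_LISTING):
        if verdict != "ok":
            print(f"{verdict:10s} {name}  ({reason})")
```

Connection.exe is deliberately left as "ok": nothing about that name is anomalous, which is why file-name heuristics belong beside hash or signature checks rather than in place of them.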
 


Via E-mail

Blackmal.E sends itself via e-mail. The e-mails have variable characteristics, and the From address is spoofed using names and addresses that the worm carries with it. The e-mail may be in HTML format and include pornographic images.


Note: The worm will not attempt to spread via e-mail until the machine is restarted after the initial infection.

E-mail sent by the worm has the following characteristics:


Possible From names/addresses:


Thomas <thomas_gay6@iopus.com>
vip <sandra@oxygen.com>
Lola Ashton <linda200@gmail.com>
Bad Love <user377@worldsex.com>
<gustes@msn.com>
Sweet Women <admin@newmovies.com>
Sara GL <hot_woman2362@freevideos.net>
The Moon <lost_love705@yahoo.com>
Binnn MT <King_sexy@hotmal.com>
 
Possible Subjects:


Beethoven's Symphony No
New Stories  Highway Blues


Possible Message Bodies:


see the attached 
how are you?see the file
video
enjoy
see the movie


Possible Attachment names:


<Subject Line>_DVD_Viedo.Zip.z
<Subject Line>_Audio_XP.GZ
<Subject Line>.Xp2002.TGZ
<Subject Line>_Zipped_File.Z
<Subject Line>.PIF
<Subject Line>.XP2002.Zip.scr
<Subject Line>.DvD_Xp.scr


where <Subject Line> is chosen from the possible subjects listed above (e.g. Beethoven's Symphony No_DVD_Viedo.Zip.z or Beethoven's Symphony No.Xp2002.TGZ).
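Because the attachment name is built from the subject plus a fixed suffix, the full set of names the worm can produce is small and can be matched exactly, while the weaker indicators (subject, spoofed sender, body text) are only useful in combination. The following Python is an added example, not code from the advisory or from CA. It parses a constructed RFC 822 message with the standard library and scores it against the lists above; the sample messages, the verdict thresholds and the analyse() function are this example's own.

```python
import email
from email import policy
from email.utils import parseaddr
from itertools import product
from typing import Dict, List

# Lure components exactly as listed in the advisory.
SUBJECTS = ["Beethoven's Symphony No", "New Stories  Highway Blues"]
ATTACHMENT_TEMPLATES = [
    "{subject}_DVD_Viedo.Zip.z",
    "{subject}_Audio_XP.GZ",
    "{subject}.Xp2002.TGZ",
    "{subject}_Zipped_File.Z",
    "{subject}.PIF",
    "{subject}.XP2002.Zip.scr",
    "{subject}.DvD_Xp.scr",
]
BODIES = {"see the attached", "how are you?see the file", "video", "enjoy", "see the movie"}
SPOOFED_SENDERS = {
    "thomas_gay6@iopus.com", "sandra@oxygen.com", "linda200@gmail.com",
    "user377@worldsex.com", "gustes@msn.com", "admin@newmovies.com",
    "hot_woman2362@freevideos.net", "lost_love705@yahoo.com", "king_sexy@hotmal.com",
}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".com")

# Constructed sample messages (not real captures).
SAMPLE_WORM_MAIL = """\
From: Lola Ashton <linda200@gmail.com>
To: victim@example.com
Subject: Beethoven's Symphony No
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see the movie
--b1
Content-Type: application/octet-stream; name="Beethoven's Symphony No.XP2002.Zip.scr"
Content-Disposition: attachment; filename="Beethoven's Symphony No.XP2002.Zip.scr"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

SAMPLE_BENIGN_MAIL = """\
From: Alice Example <alice@example.com>
To: victim@example.com
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Notes from today attached.
--b2
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b2--
"""


def expected_attachments() -> Dict[str, str]:
    """Every attachment name the worm can build, mapped back to its subject."""
    return {t.format(subject=s): s for s, t in product(SUBJECTS, ATTACHMENT_TEMPLATES)}


def analyse(raw: str) -> Dict[str, object]:
    """Score one raw message; an exact lure-name hit is decisive on its own."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]

    lure_hit = any(a in expected_attachments() for a in attachments)
    reasons: List[str] = []
    if lure_hit:
        reasons.append("attachment name is one the worm generates")
    if any(a.lower().endswith(EXECUTABLE_SUFFIXES) for a in attachments):
        reasons.append("attachment has an executable extension")
    if subject in SUBJECTS:
        reasons.append("subject is from the worm's list")
    if sender in SPOOFED_SENDERS:
        reasons.append("sender is one of the spoofed From addresses")
    if body in BODIES:
        reasons.append("body is from the worm's list")
    verdict = "blackmal.e" if lure_hit else ("suspicious" if len(reasons) >= 2 else "ok")
    return {"verdict": verdict, "reasons": reasons, "attachments": attachments}


if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("benign", SAMPLE_BENIGN_MAIL)):
        print(label, analyse(raw))
```

Matching on the sender list alone would be a mistake: these are addresses the worm spoofs, so legitimate mail from the same domains is not evidence of infection, which is why the example only counts the sender as one weak indicator among several.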

Examples of e-mail generated by the worm were shown as screenshots on the original page.




Payload

Modifies System Settings via Registry

The worm deletes the following values, if present, from the registry keys below. Most of the names belong to anti-virus and personal-firewall products, so the effect is to stop those products from starting with Windows:


Keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices


Values:
ccApp
defwatch
KasperskyAv
McAfeeVirusScanService
MCAgentExe
McRegWiz
MCUpdateExe
McVsRte
NAV Agent
NPROTECT
PCCClient.exe
pccguide.exe
PCCIOMON.exe
PCClient.exe
PccPfw
rtvscn95
ScriptBlocking
SSDPSRV
Taskmon
VirusScan Online
vptray
VSOCheckTask


Telnet Server

Blackmal.E also sets the Windows telnet server service to start automatically at system boot.



For additional information:

Users should note that, due to bugs in Blackmal.E's code, it may cause affected systems to freeze.


The worm executable uses the RealPlayer icon.



The worm opens C:\Program Files\Windows Media Player\mplayer2.exe when executed to mask its presence.



It drops a file, %System%\about_BlackWorm.C, which reads:


my MS gay 
i got a bill to pay
n i wonder wut to say 
but ll i know is wut i know 
billy bo! aint got no mo 
shyt to do 
from this day
  
GoOd ByE MicroGates
Made by  MyLife


The worm also makes the following modifications to the registry, changing the WinZip registration information:


HKCU\Software\Nico Mak Computing\WinZip\Caution\NoBetaMessage = 1
HKCU\Software\Nico Mak Computing\WinZip\Winini\Name = BlackWorm
HKCU\Software\Nico Mak Computing\WinZip\Winini\SN = 2AD00ED6
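The registry traces described on this page (the three autorun entries under Method of Infection, the telnet service change and the deleted anti-virus autorun values under Payload, and the WinZip values just above) can all be checked offline from a registry export. The following Python is an added example, not code from the advisory or from CA: it parses the text of a "Windows Registry Editor Version 5.00" export and reports each trace it finds. The sample exports are constructed. The telnet service key (HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr, Start = 2 for Automatic) is this example's assumption; the advisory only says the service is set to start automatically.

```python
from typing import Dict, List, Union

RegValue = Union[str, int]
RegTree = Dict[str, Dict[str, RegValue]]

# Registry locations named in the advisory, lower-cased for comparison.  The
# telnet service key is an assumption (see lead-in), not stated by the advisory.
HKLM_RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
HKLM_RUNSERVICES = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
HKCU_RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
ACTIVE_SETUP = r"hkey_local_machine\software\microsoft\active setup"
TELNET_SVC = r"hkey_local_machine\system\currentcontrolset\services\tlntsvr"
WINZIP_WININI = r"hkey_current_user\software\nico mak computing\winzip\winini"

# Autorun value names the worm deletes (from the advisory's Payload section).
AV_AUTORUN_VALUES = [
    "ccApp", "defwatch", "KasperskyAv", "McAfeeVirusScanService", "MCAgentExe",
    "McRegWiz", "MCUpdateExe", "McVsRte", "NAV Agent", "NPROTECT", "PCCClient.exe",
    "pccguide.exe", "PCCIOMON.exe", "PCClient.exe", "PccPfw", "rtvscn95",
    "ScriptBlocking", "SSDPSRV", "Taskmon", "VirusScan Online", "vptray", "VSOCheckTask",
]

# Constructed exports (not real captures).  Real .reg files are UTF-16: read
# them with open(path, encoding="utf-16") before passing the text in.
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WINDOWS\\VOLUME\\regedit.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"regedit.exe"="C:\\WINDOWS\\VOLUME\\regedit.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup]
"Security"="C:\\WINDOWS\\system32\\regeditM.EXE"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000002

[HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\Winini]
"Name"="BlackWorm"
"SN"="2AD00ED6"
"""

CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\\Program Files\\Symantec AntiVirus\\VPTray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000003
"""


def parse_reg(text: str) -> RegTree:
    """Parse a .reg export into {key path: {value name: value}}.

    Only REG_SZ and REG_DWORD are decoded (enough for these checks); other
    types keep their raw encoded text.  Paths and names are lower-cased
    because the registry compares them case-insensitively.
    """
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"').lower()
        if data.startswith('"') and data.endswith('"'):
            value: RegValue = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        tree[current][name] = value
    return tree


def audit(tree: RegTree) -> List[str]:
    """Return one finding per Blackmal.E registry trace present in the tree."""
    findings = []
    for key in (HKLM_RUN, HKCU_RUN):
        for name, value in tree.get(key, {}).items():
            if isinstance(value, str) and "\\volume\\" in value.lower():
                findings.append(f"{key}\\{name} -> {value} (autorun from %Windows%\\VOLUME)")
    sec = tree.get(ACTIVE_SETUP, {}).get("security")
    if isinstance(sec, str) and sec.lower().endswith("m.exe"):
        findings.append(f"{ACTIVE_SETUP}\\Security -> {sec} (<Windows File>M.EXE copy)")
    if tree.get(TELNET_SVC, {}).get("start") == 2:
        findings.append(f"{TELNET_SVC}\\Start = 2 (telnet server set to Automatic)")
    if str(tree.get(WINZIP_WININI, {}).get("name", "")).lower() == "blackworm":
        findings.append(f"{WINZIP_WININI}\\Name = BlackWorm (WinZip registration rewritten)")
    return findings


def missing_av_autoruns(tree: RegTree) -> List[str]:
    """Names from AV_AUTORUN_VALUES absent from HKLM Run and RunServices.

    Absence only matters when the matching product is installed, so correlate
    this list with the host's installed-software inventory before acting on it.
    """
    present = {n for k in (HKLM_RUN, HKLM_RUNSERVICES) for n in tree.get(k, {})}
    return [n for n in AV_AUTORUN_VALUES if n.lower() not in present]


if __name__ == "__main__":
    for finding in audit(parse_reg(INFECTED_REG)):
        print(finding)
```

The deleted anti-virus values are reported separately from the positive findings on purpose: an absent "vptray" is normal on a machine that never had Symantec AntiVirus, so that check is evidence only when paired with an inventory of what was installed.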


Blackmal.E contacts a particular web site, presumably to notify its author of a new system compromise.


It also drops another file, %System%\Life.jpg (see below - this image has been modified due to its possibly offensive nature):




Analysis by Matthew McCormack  


