When the worm is executed, it queries a mutex to see whether another copy of itself is running. If another copy is already running, the worm exits. Otherwise, it creates a mutex and then creates the following files:
- %System%\Invictus.dll. This file is used to infect executable files on the system.
- %Windows%\<3 random characters>.exe. The Hidden attribute of this file is turned on, and the file is executed immediately after being created. This file is run-time compressed, and it orchestrates the entire worm execution flow by performing some actions itself and by calling functions in Invictus.dll.
NOTES:
- %Windows% is a variable. The worm locates the Windows folder (by default this is C:\Windows or C:\Winnt) and creates the file in that location.
- %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and creates the file in that location.
Next, the worm modifies the System.ini file. The line
shell=Explorer.exe
is changed to
shell=Explorer.exe <3 random characters>.exe
This causes the worm to run the next time that you restart the computer.
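The System.ini change described above is the worm's persistence mechanism on Windows 9x, and it is also the easiest artifact to check for. The following is an added example (not code from the original writeup or from Symantec) that parses the [boot] section of a System.ini file and reports any program appended after Explorer.exe on the shell= line; the sample file contents are constructed, and the assumption that the worm's dropped file name is exactly three characters followed by .exe is taken from the description above.

```python
import re
import sys
from typing import List, Optional

# Constructed sample System.ini contents for testing (not from a real host).
CLEAN_SYSTEM_INI = """[boot]
shell=Explorer.exe
drivers=mmsystem.dll
"""

INFECTED_SYSTEM_INI = """[boot]
shell=Explorer.exe abc.exe
drivers=mmsystem.dll
"""


def get_shell_value(ini_text: str) -> Optional[str]:
    """Return the value of shell= in the [boot] section, or None if absent.

    System.ini is a plain INI file. Windows 9x reads shell= from [boot] at
    start-up and launches every program listed on that line, which is why
    appending a second executable to it survives a reboot.
    """
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return None


def extra_shell_programs(ini_text: str) -> List[str]:
    """Return every program on the shell= line other than Explorer.exe.

    A clean Windows 9x System.ini has exactly shell=Explorer.exe. Anything
    appended after it is worth investigating, whether or not it matches the
    naming pattern used by this particular worm.
    """
    value = get_shell_value(ini_text)
    if value is None:
        return []
    # Windows file names are case-insensitive, so compare lower-cased.
    return [p for p in value.split() if p.lower() != "explorer.exe"]


# Assumption from the writeup: the dropped file is <3 random characters>.exe
# with no path component, because it sits in %Windows% next to System.ini.
_WORM_NAME = re.compile(r"^[^\\/]{3}\.exe$", re.IGNORECASE)


def looks_like_invictus_persistence(ini_text: str) -> bool:
    """True if an appended program matches the three-character .exe pattern."""
    return any(_WORM_NAME.match(p) for p in extra_shell_programs(ini_text))


if __name__ == "__main__":
    # Usage: python check_system_ini.py C:\Windows\System.ini
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = INFECTED_SYSTEM_INI  # fall back to the constructed sample
    print("extra shell programs:", extra_shell_programs(text))
    print("matches worm pattern:", looks_like_invictus_persistence(text))
```

The check deliberately reports any extra program rather than only the three-character pattern: a cleaned-up variant that uses a different file name still needs to be on the shell= line to start at boot, so the generic check is the one to keep.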
The worm then searches for files to infect by using undocumented TaskMan API functions. Infections may be both polymorphic and entry-point obscuring. The worm specifically infects Hh.exe, which is a standard Windows executable file.
The worm also enumerates Network Neighborhood to infect remote machines. The worm copies itself as a random three-letter name with the .exe extension to the remote Windows directory and Invictus.dll to the remote Windows System directory. To execute itself on the remote system, the worm modifies the remote System.ini file, as mentioned previously.
The worm gathers email addresses by searching the ICQ White Pages, which reside on an ICQ Web server. To send itself, the worm uses an educated guess at what is an appropriate email server. For example, if the email address is joeuser@domain.tld, the worm will use the email servers smtp.domain.tld or mail.domain.tld. When it sends the email message, the worm attaches the infected Hh.exe file as Binladen_brasil.exe. The worm does not require a particular email client to propagate.
The message body is blank and the subject will vary. The subject lines are all references to the current situation in Afghanistan and may be in different languages. The language of the subject line is chosen based on the language version of the operating system.
The worm attempts to save cached networking passwords to a local file using an undocumented Windows 95 function. This fails on other versions of Windows.
The worm also shares the local C drive by modifying the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan
The worm also attempts to disable antivirus software in memory.
Depending on the length of time that has passed since it was first executed, the worm may display messages using randomly changing background and text colors that refer to the current activity in Afghanistan. Then a message box is displayed, and random rectangles on the screen are interchanged.
Finally, the worm sleeps for five minutes and repeats the infection process.
Norton AntiVirus already detects Invictus.dll as W32.Invictus.dll. This file is crucial to the propagation of the worm, and the worm may not function properly without it.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":