W95.Fix2001


Discovered: September 14, 1999
Updated: February 13, 2007 11:49:31 AM
Also Known As: W32/Fix2001 [Sophos], I-Worm.Fix2001 [Kaspersky], W32/Fix.12288@M [McAfee], WORM_FIX2001.A [Trend], Win95.Fix2001.12288 [Computer
Type: Worm
Systems Affected: Windows


W95.Fix2001 is an Internet worm that secretly steals dial-up information (including the password from memory) and sends the information out via email. Users that have accidentally run this worm are advised to change their password on all dial-up connections immediately.

The worm arrives via email as a MIME-encoded attachment named Fix2001.exe. The subject of the email is "Internet problem year 2000". It is sent by a person named "Administrator".

Antivirus Protection Dates

  • Initial Rapid Release version September 16, 1999
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version September 16, 1999
  • Latest Daily Certified version August 09, 2016 revision 001
  • Initial Weekly Certified release date September 16, 1999


Writeup By: Peter Szor



The worm arrives through email as a MIME-encoded attachment named Fix2001.exe. The subject of the email is "Internet problem year 2000". It is sent by a person named "Administrator". The body of the message contains the following text:

    Estimado Cliente:

    Rogamos actualizar y/o verificar
    su Sistema Operativo para el correcto
    funcionamiento de Internet a partir del
    A_o 2000. Si Ud. es usuario de Windows
    95 / 98 puede hacerlo mediante el
    Software provisto por Microsoft (C)
    llamado-Fix2001- que se encuentra
    adjunto en este E-Mail o bien puede ser
    descargado del sitio WEB de Microsoft
    (C) HTTP://WWW.MICROSOFT.COM Si Ud. es
    usuario de otros Sistemas Operativos,
    por favor, no deje de consultar con sus
    respectivos soportes tecnicos.

    Muchas Gracias.

    Administrador.

Translated to English:

    Internet Customer:

    We will be glad if you verify your
    Operative System(s) before Year 2000 to
    avoid problems with your Internet
    Connections. If you are a Windows 95 / 98
    user, you can check your system using
    the Fix2001 application that is attached
    to this E-Mail or downloading it from
    Microsoft (C) WEB Site:
    HTTP://WWW.MICROSOFT.COM
    If you are using another Operative System,
    please don't wait until Year 2000, ask your
    OS Technical Support.

    Thanks.

    Administrator

When first executed, the worm copies itself, under the same name, into the local machine's ..\Windows\System directory. It adds itself to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs each time Windows starts. On its first execution, it displays the following message:

    Y2K Ready!!

    Your Internet Connection
    is already Y2K, you don't
    need to upgrade it.

The worm checks if a window callback function with the name "AMORE_TE_AMO" exists. This window callback function has been created by the worm in order to send itself to other locations in the background.

Instead of modifying system DLL files, the worm hooks APIs to itself in memory by patching the process address space. This way, it executes each time Internet activity occurs on the local machine.

When RNAAPP.EXE (Dial-up Networking) is not running, the worm starts it with the -l parameter. RNAAPP.EXE imports RASAPI32.DLL. Once RNAAPP.EXE is loaded, the worm places a hook routine on the "DialEngineRequest" API in RASAPI32.DLL: it writes a jump to its hook routine at the entry point of this API and patches the short hook code in right after the import address table of RASAPI32.DLL. Similarly, Fix2001 hooks the "send" and "connect" APIs of WSOCK32.DLL, which is loaded by Internet applications such as Internet Explorer or Outlook Express. Once RNAAPP.EXE is patched, the worm hides it from the task list by registering it as a service process. The worm itself is also registered as a service process and does not appear on the task list.

The hook routine on the "send" API looks for the "RCPT" field of the mail header during postings. The worm then sends its own message, with the Fix2001.exe attachment, to the very same recipient right after the original message.

Fix2001 is the first Windows 95 worm that hooks the DLLs of other processes "on the fly" in memory.
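As an added example (not part of the original writeup), the following check decodes whether an API entry point begins with an unconditional jump and where that jump lands, which is how an inline hook of the kind described above shows up in memory. The load address, image size and entry-point bytes are constructed, hypothetical values, not real RASAPI32.DLL ones. Because Fix2001 parks its stub inside the DLL's own image, just after the import table, a check that only flags jumps leaving the module would miss it; the prologue check is what catches it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict for the first bytes of an exported API's entry point. */
typedef struct {
    bool hooked;           /* entry starts with an unconditional jmp */
    uint32_t target;       /* jmp destination (pointer slot for FF 25) */
    bool target_in_module; /* destination lies inside the host DLL's image */
} hook_report;

static uint32_t rd32(const uint8_t *p) { /* little-endian read, portable */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Inspect 'len' bytes copied from an API entry point at virtual address
 * entry_va, in a module mapped at [module_base, module_base + module_size).
 * Recognises E9 rel32 (near jmp), EB rel8 (short jmp) and FF 25 abs32
 * (indirect jmp through a pointer slot). */
hook_report inspect_entry(const uint8_t *entry, size_t len, uint32_t entry_va,
                          uint32_t module_base, uint32_t module_size)
{
    hook_report r = { false, 0, false };
    if (len >= 5 && entry[0] == 0xE9) {
        r.hooked = true;
        r.target = entry_va + 5 + rd32(entry + 1);          /* wraps mod 2^32 */
    } else if (len >= 2 && entry[0] == 0xEB) {
        r.hooked = true;
        r.target = entry_va + 2 + (uint32_t)(int32_t)(int8_t)entry[1];
    } else if (len >= 6 && entry[0] == 0xFF && entry[1] == 0x25) {
        r.hooked = true;
        r.target = rd32(entry + 2);                          /* slot address */
    }
    if (r.hooked) /* unsigned wrap makes this a single range test */
        r.target_in_module = (r.target - module_base) < module_size;
    return r;
}

/* Constructed sample: hypothetical base, size and export address. The hooked
 * bytes are "jmp base+0x400", a stub sitting just past the import table. */
#define SAMPLE_BASE  0x7FF00000u
#define SAMPLE_SIZE  0x20000u
#define SAMPLE_ENTRY 0x7FF12340u
const uint8_t sample_clean[]  = { 0x55, 0x8B, 0xEC };             /* push ebp; mov ebp,esp */
const uint8_t sample_hooked[] = { 0xE9, 0xBB, 0xE0, 0xFE, 0xFF }; /* jmp 0x7FF00400 */

int main(void)
{
    hook_report a = inspect_entry(sample_clean, sizeof sample_clean, SAMPLE_ENTRY, SAMPLE_BASE, SAMPLE_SIZE);
    hook_report b = inspect_entry(sample_hooked, sizeof sample_hooked, SAMPLE_ENTRY, SAMPLE_BASE, SAMPLE_SIZE);
    printf("clean prologue: %s\n", a.hooked ? "HOOKED" : "clean");
    printf("patched prologue: %s -> %08X (%s module)\n", b.hooked ? "HOOKED" : "clean",
           b.target, b.target_in_module ? "inside" : "outside");
    return 0;
}
```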

The payload of the worm is activated after the worm has already posted itself to another location and an active connection exists. The routine then computes a checksum of the last detected email address. If the checksum of a particular email address matches, the worm deletes C:\COMMAND.COM and creates in its place a 137-byte 16-bit COM program, also named COMMAND.COM. This file is a trojan horse that NAV detects as Trojan.Fixed.

The trojan horse executes the next time the computer is started. When the trojanized COMMAND.COM runs, it destroys the hard disk data by overwriting it with I/O port commands, provided the hard disk is an IDE drive.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.



  1. Using Windows Explorer, delete the following file:

     C:\WINDOWS\SYSTEM\FIX2001.EXE

  2. Using regedit, delete the following registry key:

     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Fix2001"="FIX2001.EXE"

