W32.Recory@mm


Discovered: December 31, 2002
Updated: February 13, 2007 11:41:55 AM
Also Known As: I-Worm.Recory [KAV], WORM_RECORY.A [Trend]
Type: Worm
Systems Affected: Windows


W32.Recory@mm is a mass-mailing worm that is written in Visual Basic (VB). The VB run-time libraries must be installed on the computer for it to execute.
The worm uses Microsoft Outlook to email itself to all the contacts in the Windows Address Book. It also attempts to spread across a file-sharing network.

The email has a randomly chosen subject and attachment. The attachment will have an extension of .com, .exe or .pif.

Antivirus Protection Dates

  • Initial Rapid Release version January 02, 2003
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version January 02, 2003
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date January 04, 2003


Writeup By: Robert X Wang



When W32.Recory@mm runs, it does, or attempts to do, the following:

  1. Copies itself as the following files:
    • %windir%\Autotest.com
    • %windir%\Startwin.com
    • %windir%\TaskBoot.com
    • %windir%\Winboot32.com
    • %windir%\Jdbgmgr.exe
    • %windir%\Compile32.pif
    • %windir%\Security.pif
    • %windir%\Uninstall32.pif
    • %windir%\Windows Startup.pif
    • %windir%\COMMAND\EBD\Winexec.bat
    • %windir%\Start Menu\Programs\Startup\SysTray.pif
    • %system%\Autoexec32.bat
    • %system%\Jdbgmgr.exe
    • %system%\Memory.com
    • %system%\RecoveryWorm32.scr
    • %tempdir%\Jdbgmgr.exe
    • \FixTool.exe

      NOTES:
      • %windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
      • %system% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
      • %tempdir% is a variable. The worm locates the Temporary folder and copies itself to that location. By default, this is C:\Windows\Temp (Windows 95/98/ME), C:\Documents and Settings\<username>\Local Settings\Temp (Windows 2000/XP).
  2. May also copy itself as one of the following file names, followed by a randomly chosen extension: .exe, .com, or .pif:
    • %system%\Killvirus
    • %system%\Killvir
    • %system%\Fixvir
    • %system%\Fixtool
    • %system%\Removal
    • %system%\Recovery
    • %system%\Virusfix
    • %system%\Virusremove
    • %system%\Cleaner
    • %system%\Cleanvir
    • %system%\Scan32
    • %system%\Scanvir
    • %system%\Cleanvirus
    • %system%\Removal32
    • %system%\Deletevir

      This particular file will be attached to the email when the worm performs its email routine.
  3. Adds the value

    Msdos32      %system%\Msdos32.pif

    to the registry key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    This causes the worm to be executed every time you start Windows.
  4. Searches the computer for specific files. If the file %system%\RecoveryWorm32.scr is not found, the system date is January 16th, March 16th, May 16th, July 16th, September 16th, or November 16th, and the following files are found:
    • %system%\Msdos32.pif
    • %windir%\TaskBoot.com
    • %system%\Autoexec32.bat
    • %windir%\Autotest.com

      the worm displays this message:


  5. If any of the following folders exist:
    • C:\Kazaa\My Shared Folder
    • C:\My Downloads
    • C:\Program Files\Kazaa\My Shared Folder
    • C:\Programme\Kazaa\My Shared Folder
    • C:\Programmi\Kazaa\My Shared Folder
    • C:\Program Files\Kazaa Lite\My Shared Folder
    • C:\Programme\Kazaa Lite\My Shared Folder
    • C:\Programmi\Kazaa Lite\My Shared Folder
    • C:\Program Files\Bearshare\Shared
    • C:\Programme\Bearshare\Shared
    • C:\Programmi\Bearshare\Shared
    • C:\Program Files\Edonkey2000
    • C:\Programme\Edonkey2000
    • C:\Programmi\Edonkey2000
    • C:\Program Files\Morpheus\My Shared Folder
    • C:\Programme\Morpheus\My Shared Folder
    • C:\Programmi\Morpheus\My Shared Folder
    • C:\Program Files\Grokster\My Grokster
    • C:\Programme\Grokster\My Grokster
    • C:\Programmi\Grokster\My Grokster
    • C:\Program Files\ICQ\Shared Files
    • C:\Programme\ICQ\Shared Files
    • C:\Programmi\ICQ\Shared Files

      the worm will copy itself to that particular folder as these files:
      • Computer Virus Generator.pif
      • Dancing Girls ScreenSaver.scr
      • Erotic Poetry.pif
      • FixTool.exe
      • How to hack websites.pif
      • How to hack www.google.com
      • How to make a virus.pif
      • KaZaA Bug Fix.exe
      • KaZaA Download Booster.exe
      • Lord Of The Rings 2 Fast Downloader.pif
      • Microsoft Product Serial List.pif
      • Nature ScreenSaver.scr
      • NFS Car Builder.pif
      • Norton AntiVirus Quick Downloader - www.symantec.com
      • Readme.pif
      • Red Alert 2 Money Cheat.pif
      • The Sims patch.pif
      • Type-and-talk.pif
      • User Information.pif
      • Virtual Sex ScreenSaver.scr
      • WarCraft 2 - Advance Level Builder.com
      • Windows Logon Password Cracker.pif
  6. If the file Mirc.ini is found in one of these folders:
    • C:\Mirc
    • C:\Mirc32
    • C:\Program Files\Mirc
    • C:\Program Files\Mirc32
    • C:\Programme\Mirc
    • C:\Programme\Mirc32
    • C:\Programmi\Mirc
    • C:\Programmi\Mirc32

      the worm will copy itself as %windir%\Wideo1.mpg and overwrite the file Script.ini in that particular folder to spread itself through mIRC.

      NOTE: The file name is case sensitive.
  7. If the file Pirch32.exe is found in one of these folders:
    • C:\Pirch
    • C:\Pirch32
    • C:\Program Files\Pirch
    • C:\Program Files\Pirch32
    • C:\Programme\Pirch
    • C:\Programme\Pirch32
    • C:\Programmi\Pirch
    • C:\Programmi\Pirch32

      the worm will copy itself as %system%\Video1.mpg and overwrite the file Events.ini in that folder to spread itself through Pirch.

      NOTE: The file name is case sensitive.
  8. The worm creates the registry key

    HKEY_CURRENT_USER\Software\Zed/[rRlf]\Recovery\1.0

    and sets the (Default) value of this registry key to W32/Recovery family worm by Zed/[rRlf].
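The file drops, the Run value and the marker key above are the host-side indicators a responder would sweep for. The following is an added example, not Symantec's code and not part of the writeup: it applies those indicators to an exported file listing and a regedit-style export (both constructed inline, as are the C:\Windows paths in SAMPLE_ENV) rather than to the live system, so the same rules can be run against a forensic image or an inventory dump. It resolves the writeup's %windir%, %system% and %tempdir% placeholders from a small environment map, treats the bare \FixTool.exe path as the root of the system drive, and applies the step-2 "known name plus .exe/.com/.pif" rule only inside %system%.

```python
"""Offline indicator check for the W32.Recory@mm host artifacts listed above.

Added example, not Symantec's code. It reads an exported file listing and a
regedit-style export (constructed samples below) instead of the live system.
"""
import re
from collections import namedtuple

# Step 1 drop locations (plus %system%\Msdos32.pif from steps 3 and 4), using
# the writeup's own placeholders.
FIXED_DROPS = [
    r"%windir%\Autotest.com", r"%windir%\Startwin.com", r"%windir%\TaskBoot.com",
    r"%windir%\Winboot32.com", r"%windir%\Jdbgmgr.exe", r"%windir%\Compile32.pif",
    r"%windir%\Security.pif", r"%windir%\Uninstall32.pif", r"%windir%\Windows Startup.pif",
    r"%windir%\COMMAND\EBD\Winexec.bat", r"%windir%\Start Menu\Programs\Startup\SysTray.pif",
    r"%system%\Autoexec32.bat", r"%system%\Jdbgmgr.exe", r"%system%\Memory.com",
    r"%system%\RecoveryWorm32.scr", r"%system%\Msdos32.pif", r"%tempdir%\Jdbgmgr.exe",
    r"\FixTool.exe",
]
# Step 2: base names that receive a random .exe/.com/.pif extension.
RANDOM_EXT_NAMES = {"killvirus", "killvir", "fixvir", "fixtool", "removal", "recovery",
                    "virusfix", "virusremove", "cleaner", "cleanvir", "scan32", "scanvir",
                    "cleanvirus", "removal32", "deletevir"}
RANDOM_EXTS = {".exe", ".com", ".pif"}
# Step 3 persistence value and step 8 marker key.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Msdos32"
RUN_VALUE_DATA = r"%system%\Msdos32.pif"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Zed/[rRlf]\Recovery\1.0"

Finding = namedtuple("Finding", "kind detail")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')  # one "name"="data" line of a .reg export


def expand(template, env):
    """Resolve the placeholders; a path starting with a bare backslash (the
    FixTool.exe drop) is relative to the root of the system drive. Windows
    file systems compare names case-insensitively, so everything is lowered."""
    out = template
    for name in ("windir", "system", "tempdir"):
        out = out.replace("%" + name + "%", env[name])
    if out.startswith("\\"):
        out = env["drive"] + out
    return out.lower()


def check_files(file_paths, env):
    """Flag paths equal to a fixed drop, or a step-2 name+extension inside %system%."""
    fixed = {expand(t, env) for t in FIXED_DROPS}
    system_dir = env["system"].lower()
    findings = []
    for path in file_paths:
        p = path.lower()
        if p in fixed:
            findings.append(Finding("fixed_drop", path))
            continue
        folder, _, name = p.rpartition("\\")
        base, dot, ext = name.rpartition(".")
        if folder == system_dir and dot and base in RANDOM_EXT_NAMES and "." + ext in RANDOM_EXTS:
            findings.append(Finding("random_ext_drop", path))
    return findings


def check_registry(reg_lines, env):
    """Walk a regedit export: flag the Run value (by name or by data) and the marker key."""
    findings = []
    current_key = None
    expected_data = expand(RUN_VALUE_DATA, env)
    for raw in reg_lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if current_key.lower() == MARKER_KEY.lower():
                findings.append(Finding("marker_key", current_key))
            continue
        m = VALUE_LINE.match(line)
        if m and current_key and current_key.lower() == RUN_KEY.lower():
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # .reg doubles backslashes
            if name.lower() == RUN_VALUE_NAME.lower() or data.lower() == expected_data:
                findings.append(Finding("run_value", name + "=" + data))
    return findings


# Constructed sample: a Windows 98-style layout mixing legitimate files with the drops.
SAMPLE_ENV = {"drive": "C:", "windir": r"C:\Windows",
              "system": r"C:\Windows\System", "tempdir": r"C:\Windows\Temp"}
SAMPLE_FILES = [
    r"C:\Windows\Notepad.exe",
    r"C:\Windows\Jdbgmgr.exe",
    r"C:\Windows\System\RecoveryWorm32.scr",
    r"C:\Windows\System\Killvir.pif",
    r"C:\Windows\System\Msdos32.pif",
    r"C:\FixTool.exe",
    r"C:\Windows\Temp\Cleaner.exe",  # step-2 name, but not in %system%: not flagged
]
SAMPLE_REG = [  # constructed regedit export of the two keys of interest
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"',
    r'"Msdos32"="C:\\Windows\\System\\Msdos32.pif"', "",
    r"[HKEY_CURRENT_USER\Software\Zed/[rRlf]\Recovery\1.0]",
    r'@="W32/Recovery family worm by Zed/[rRlf]"',
]

if __name__ == "__main__":
    for f in check_files(SAMPLE_FILES, SAMPLE_ENV) + check_registry(SAMPLE_REG, SAMPLE_ENV):
        print(f.kind, f.detail)
```

A path hit is a lead, not a verdict: Jdbgmgr.exe in particular is also the name of a legitimate Microsoft file present on many older Windows installations (the worm's own email text trades on that), so a match on that name should be confirmed by the antivirus detection or a hash rather than deleted on sight. The Run value and the Zed/[rRlf] marker key are far more specific and, together with RecoveryWorm32.scr, are the findings worth escalating.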


Email Routine Details

W32.Recory@mm uses Microsoft Outlook to email itself to all the contacts in the Windows Address Book.

The email message has the following characteristics:

Subject : The subject line is one of the following.
  • Computer virus alert
  • Important
  • Read this
  • Urgent
  • Serious alert
  • Attention users
  • Severs virus alert
  • Attention company personal
  • Urgent information
  • Latest news
  • Computer issue
  • Email virus alert
  • Computer virus information
  • Attention Employees
  • Computer virus removal tool
  • Computer virus fix tool
  • Help on Computer issue
  • Software alert
  • Damaged Software information
  • Latest News
  • Latest computer virus outbreak
  • Computer virus outbreak
  • Email security update
  • Security update
  • Software patch
  • From helpdesk support
  • Technical support
  • Software support
  • Microsoft support
  • Email support
  • Free support
  • Microsoft news
  • Important information
  • High-risk computer virus removal
  • Client support
  • High-threat computer virus fix
  • Computer virus removal
  • Urgent news

NOTE : The subject line may have the prefix Fwd: or Fw:

Message:

Hello readers,

I have just cleaned my computer from a highly damaging computer virus
Which is spreading rapidly through computer networks worldwide.

There is one way to check to see if your computer is infected with this
virus.

Click the "Start" menu at the bottom left of your screen.
Click the "Find" or "Search" button.
Click the "Files or folders..." option.
Then once the search application starts, type "Jdbgmgr.exe"

If you have found this file, right-click on it and click the "Properties"
tab.
If the Properties menu has a picture of a bear on it,
your computer is infected with this virus. (Note that the non-infected file
picture has a hammer and a screwdriver shown in it)
You may delete this file, but this is not the only file that the virus
infects,
To remove this virus, I have included a virus removal tool in the
attachments "<Attachment file name>"
that will scan all system files and remove any infectious code from them.
This virus removal tool is very easy to use. If you have any trouble with
this tool,
read the help menu that the removal tool supplies.

If your computer is infected with this virus, It is strongly recommended
that you send this removal tool to as many people
as you can to help remove the traces of this virus worldwide.

Attachment: The attachment is one of the following file names with a random extension: .exe, .com, or .pif:
  • Killvirus
  • Killvir
  • Fixvir
  • Fixtool
  • Removal
  • Recovery
  • Virusfix
  • Virusremove
  • Cleaner
  • Cleanvir
  • Scan32
  • Scanvir
  • Cleanvirus
  • Removal32
  • Deletevir

Importance : High
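The subject list, the Fwd:/Fw: prefix, the attachment naming scheme and the High importance flag together give a mail gateway enough to triage these messages before a user sees the "removal tool". The following is an added example, not part of the writeup and not a Symantec product feature: a small triage rule that scores a message on those header-level signals. The Message structure and the four sample messages are constructed for the example; it goes slightly beyond the text in stripping stacked forwarding prefixes (Fw: Fwd: ...), since the writeup says only that one prefix may be present.

```python
"""Mail-gateway triage rule for the W32.Recory@mm email described above.

Added example, not part of the writeup. Scores a message on the subject
(ignoring Fwd:/Fw: prefixes), the attachment name and extension, and the
Importance header, then maps the score to a gateway action.
"""
import re
from dataclasses import dataclass

SUBJECTS = {s.lower() for s in [
    "Computer virus alert", "Important", "Read this", "Urgent", "Serious alert",
    "Attention users", "Severs virus alert", "Attention company personal",
    "Urgent information", "Latest news", "Computer issue", "Email virus alert",
    "Computer virus information", "Attention Employees", "Computer virus removal tool",
    "Computer virus fix tool", "Help on Computer issue", "Software alert",
    "Damaged Software information", "Latest computer virus outbreak",
    "Computer virus outbreak", "Email security update", "Security update",
    "Software patch", "From helpdesk support", "Technical support", "Software support",
    "Microsoft support", "Email support", "Free support", "Microsoft news",
    "Important information", "High-risk computer virus removal", "Client support",
    "High-threat computer virus fix", "Computer virus removal", "Urgent news",
]}
ATTACH_NAMES = {"killvirus", "killvir", "fixvir", "fixtool", "removal", "recovery",
                "virusfix", "virusremove", "cleaner", "cleanvir", "scan32", "scanvir",
                "cleanvirus", "removal32", "deletevir"}
ATTACH_EXTS = {".exe", ".com", ".pif"}
PREFIX = re.compile(r"^\s*fwd?\s*:\s*", re.IGNORECASE)  # "Fwd:" or "Fw:"


@dataclass
class Message:            # constructed stand-in for a parsed message's headers
    subject: str
    attachments: list     # attachment file names
    importance: str = "Normal"


@dataclass
class Verdict:
    score: int
    reasons: list


def normalize_subject(subject):
    """Strip stacked Fwd:/Fw: prefixes, then compare case-insensitively."""
    s = subject
    while True:
        m = PREFIX.match(s)
        if not m:
            return s.strip().lower()
        s = s[m.end():]


def lure_attachment(name):
    """True if the name is one of the worm's base names with a .exe/.com/.pif extension."""
    base, dot, ext = name.rpartition(".")
    return bool(dot) and base.lower() in ATTACH_NAMES and "." + ext.lower() in ATTACH_EXTS


def triage(msg):
    reasons = []
    if normalize_subject(msg.subject) in SUBJECTS:
        reasons.append("subject matches worm list")
    if any(lure_attachment(a) for a in msg.attachments):
        reasons.append("attachment name/extension matches worm list")
    if msg.importance.lower() == "high":
        reasons.append("importance set to High")
    return Verdict(score=len(reasons), reasons=reasons)


def action(verdict):
    """Policy: an executable lure attachment is enough to quarantine on its own;
    subjects like "Important" or "Urgent" are too common to block alone, so a
    subject/importance-only hit is just flagged for review."""
    if any(r.startswith("attachment") for r in verdict.reasons):
        return "quarantine"
    return "flag" if verdict.score else "deliver"


# Constructed sample messages.
SAMPLES = [
    Message("Fwd: Computer virus removal tool", ["Fixtool.pif"], "High"),
    Message("Important", ["budget.xls"], "High"),
    Message("Re: lunch", [], "Normal"),
    Message("Fw: Fwd: Severs virus alert", ["Recovery.exe"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = triage(m)
        print(action(v), v.score, m.subject, v.reasons)
```

The weighting matters: several of the worm's subjects ("Important", "Urgent", "Latest news") occur constantly in legitimate mail, so a rule keyed on the subject alone would mostly catch colleagues. The attachment check is the reliable signal, which is also why the Recommendations below advise blocking .exe, .pif and .scr attachments at the server regardless of name.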

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.




These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Delete the value

    Msdos32

    from the registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  2. Restart the computer.
  3. Update the virus definitions.
  4. Run a full system scan and delete all the files detected as W32.Recory@mm.
For further details, read the following instructions.


Deleting the value from the registry

CAUTION : Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start, then click Run. (The Run dialog box appears.)
  2. Type regedit, then click OK. (The Registry Editor opens.)
  3. Navigate to the key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, delete the value

    Msdos32
  5. Exit the Registry Editor and restart the computer.

Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain the virus definitions. These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate) line at the top of this writeup.
  • Downloading the definitions using the Intelligent Updater. The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater) line at the top of this writeup.

    The Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.


Scanning for and deleting the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with W32.Recory@mm, click Delete.

