W32/Cervivec.A@mm
| Field | Value |
|---|---|
| Destructivity | |
| Detected by virus detection files published | 3/22/2002 |
| Virus characteristics first published | 3/22/2002 |
| Virus characteristics latest update | 12/17/2003 |
| Type | Worm |
| Spreading mechanism | Email |
| Overall risk | Low |
| Payload | Screen effect |
| Alias | |
| Infection type | Microsoft Windows 95/98/98 SE/ME/NT 4/2000/XP/2003/Vista |
Email characteristics:

The worm picks the language of its message from the top-level domain of the recipient's address (S: = subject line, B: = message body):

- Czech, sent to .cz addresses:
  S: Vtip
  B: Cervici Cau posilam ti cerviky tak se na to podivej (virus to neni)
- Slovak, sent to .sk addresses:
  S: Vtip
  B: Cervici Cau posielam ti cerviky tak sa na to pozri (virus to neni)
- German, sent to .de, .ch, .li and .lu addresses:
  S: Witz
  B: Hallo, Ich habe ein guter Witz-Wurm so sieh! (kein virus)
- French, sent to .fr, .gn, .gf, .pf, .sn, .mr, .ml, .ne, .cf, .cd, .mg, .ad and .mq addresses:
  S: blague
  B: J'ai une bonne blague ca s'appelle verre de terre alors jette un coup d'oeil (il n'y a pas de virus)
- Russian, sent to .ru, .lt, .lv, .ee, .md, .am, .by, .ua, .kz, .tj, .kg, .tm, .uz, .az and .ge addresses:
  The Russian text is in Cyrillic and is difficult to read on non-Cyrillic character sets.
- English, sent to email addresses that do not fit into any of the other language suffix groups:
  S: Joke
  B: Hi, I have some cool joke - worms so have a look at it(no virus)
- Polish, sent to .pl addresses:
  S: Zart
  B: Czesc, mam swietnz dowcip - robaka. Obejrzyj go sobie (to nie jest wirus)
- Spanish, sent to .es, .gq, .gt, .sv, .ar, .bz, .bo, .cl, .co, .cr, .cu, .do, .ec, .hn, .mx, .ni, .pa, .py, .pe, .pr, .uy and .ve addresses:
  S: Chiste
  B: Hola te mando los gusanilloes. Pues mirarlos (no es un virus)

When the worm is first executed, it shows a small message box which says "Press restart button to close this application". (Screenshot of the message box not reproduced.)

After this message box is closed, it starts to display a screen effect: coloured lines are drawn across the screen in a random "worm-like" manner. (Screenshot of the screen effect not reproduced.)

The worm is also copied to the Windows System32 directory under the name NTKRNL.EXE, and a pointer to this file is inserted into the Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"Kernel Loader" = NTKRNL.EXE -LOADDRIVERS=TRUE

When the worm is executed via this Registry entry, it does not display the screen effect. Instead it searches the ICQ contact list for email addresses to send itself to, and saves them to the file NTOSKRNL.DAT.
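The description above lists three host-side indicators (the dropped NTKRNL.EXE, the "Kernel Loader" Run value, the NTOSKRNL.DAT address file) and a fixed set of subject/body pairs for the lure emails. The following Python is an added example written for this page, not code from the original description or from the antivirus vendor; it turns those indicators into simple checks that a responder could run over exported Run-key values, a System32 directory listing and a mail gateway's subject/body pairs. All sample input is constructed here. Two points are assumptions rather than statements on the page: the regex tolerates a path prefix before NTKRNL.EXE (the page only shows the bare file name), and NTOSKRNL.DAT is checked by name wherever it appears since the description does not say which directory it is written to.

```python
import re

# Host-based indicators as given in the description.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Kernel Loader"
DROPPED_EXE = "NTKRNL.EXE"          # worm copy in the Windows System32 directory
HARVEST_FILE = "NTOSKRNL.DAT"       # harvested ICQ addresses (directory not stated on the page)

# Assumption: the Run data may carry a path prefix; the page shows only
# "NTKRNL.EXE -LOADDRIVERS=TRUE", so a bare-name entry still matches.
RUN_DATA_RE = re.compile(r"^\s*(?:.*\\)?ntkrnl\.exe\b.*-loaddrivers=true", re.IGNORECASE)

# Subject -> trailing "no virus" phrase from the email characteristics list.
# The Russian variant is omitted because the page gives no text for it.
MAIL_SIGNATURES = {
    "Vtip": "virus to neni",          # Czech and Slovak share the subject
    "Witz": "kein virus",
    "blague": "il n'y a pas de virus",
    "Joke": "no virus",
    "Zart": "to nie jest wirus",
    "Chiste": "no es un virus",
}


def check_run_entries(entries):
    """entries: mapping value-name -> data exported from the Run key.
    Returns one finding string per entry that matches the worm's persistence."""
    findings = []
    for name, data in entries.items():
        if name.lower() == RUN_VALUE_NAME.lower() or RUN_DATA_RE.search(data):
            findings.append(f"{RUN_KEY}\\{name} = {data!r} matches W32/Cervivec.A@mm persistence")
    return findings


def check_file_listing(filenames):
    """filenames: file names from a directory listing (System32 is where the page
    says NTKRNL.EXE lands). The legitimate ntoskrnl.exe is deliberately not flagged."""
    wanted = {
        DROPPED_EXE.lower(): "dropped worm copy",
        HARVEST_FILE.lower(): "harvested ICQ address list",
    }
    return [f"{name}: {wanted[name.lower()]}" for name in filenames if name.lower() in wanted]


def check_mail(subject, body):
    """True if the subject/body pair matches one of the worm's lure templates."""
    phrase = MAIL_SIGNATURES.get(subject.strip())
    return bool(phrase) and phrase in body.lower()


def scan_host(entries, filenames):
    """Combine the registry and file checks into one list of findings."""
    return check_run_entries(entries) + check_file_listing(filenames)


# Constructed sample data: one infected-looking Run key and System32 listing.
SAMPLE_RUN = {
    "Kernel Loader": "NTKRNL.EXE -LOADDRIVERS=TRUE",
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
}
SAMPLE_FILES = ["ntoskrnl.exe", "kernel32.dll", "NTKRNL.EXE", "NTOSKRNL.DAT"]

if __name__ == "__main__":
    for line in scan_host(SAMPLE_RUN, SAMPLE_FILES):
        print("[!]", line)
    print(check_mail("Joke", "Hi, I have some cool joke - worms so have a look at it(no virus)"))
```

The registry check matches on either the value name or the data, so a variant that renames the value but keeps the `-LOADDRIVERS=TRUE` argument is still caught; the mail check is intentionally exact on the subject and requires the closing "no virus" phrase so that ordinary mail with the subject "Joke" is not flagged.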
