Invalid Worm
According to reports from F-Secure, the Invalid worm exhibits the following characteristics:
Type: Worm
According to F-Secure, Invalid is an Internet worm written in pure Assembly. The worm's file is a 12288-byte PE EXE file and is not compressed.
When the worm's file is run, it first checks for an available Internet connection. If no connection is found, the worm starts recursively looking for '*.exe' files. If an EXE file is found, the worm obtains an external certificate from the Windows crypto library and generates a new key. If key generation fails, the worm exits. Otherwise the worm encrypts the found file with the generated key. When the worm reaches the root directory, the encryption process stops and the worm exits. There appears to be a bug in the recursive scan routine, so it should encrypt files only in the current directory and the directories listed in the PATH variable.
If an Internet connection is found, the worm gets information about its own file, allocates two memory buffers, reads itself into the first buffer and then encodes itself with BASE64 encoding (the encoding subroutine is inside the worm's file) into the second buffer. After that the worm gets the special folder location and looks for '*.ht*' (*.HTM, *.HTML, etc.) files there. When an appropriate file is found, the worm loads it into memory and starts looking for 'mailto:' strings inside the file. If this string is found, the worm takes the e-mail address following it and sends itself to that address. The worm then continues to search for 'mailto:' strings in the same file and sends itself out to any other e-mail addresses it finds. If no more addresses are found, the worm looks for more HTML files.
How to prevent it: Avoid executing any of the above named attachments. Do not open attachments that are not expected, regardless of the source.
Aliases: I-Worm.Ivalid, Ivalid, I-Worm.Invalid.A, Invalid.Worm, W32.Qint@mm
Systems Affected: Windows 32-bit systems
Payload: Encrypts all EXE files it can find in current directory and upper directories with a generated key. Payload delivered if no Internet connection can be found or if errors occur during the worm's operation.
ITW: Yes
Origin:
Description: Invalid is received as an email attachment named 'SSLPATCH.EXE'. The body of the email message reads:
From: "Microsoft Support"
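A mail-gateway screen for the traits this entry describes (a BASE64-encoded PE attachment named 'SSLPATCH.EXE', 12288 bytes, sent as "Microsoft Support"), written as an added example and not part of the original entry. The message it parses is a constructed sample whose attachment is dummy bytes with only a DOS 'MZ' stub, not the worm itself.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the entry above: attachment name, file size, spoofed sender.
WORM_ATTACHMENT_NAME = "sslpatch.exe"
WORM_FILE_SIZE = 12288
SPOOFED_SENDER = "Microsoft Support"


def score_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report which Invalid-worm traits it shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"spoofed_sender": False, "attachment_name": False,
                "pe_attachment": False, "size_match": False}
    sender = str(msg.get("From", ""))
    # Display-name spoofing alone is a weak signal; it only adds weight.
    findings["spoofed_sender"] = SPOOFED_SENDER.lower() in sender.lower()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""  # undoes the BASE64 transfer encoding
        if name == WORM_ATTACHMENT_NAME:
            findings["attachment_name"] = True
        if data[:2] == b"MZ":  # every PE/EXE file begins with the DOS 'MZ' stub
            findings["pe_attachment"] = True
        if len(data) == WORM_FILE_SIZE:
            findings["size_match"] = True
    # Quarantine on an executable attachment that also matches the name or the exact size.
    hit = findings["pe_attachment"] and (findings["attachment_name"] or findings["size_match"])
    findings["verdict"] = "quarantine" if hit else "pass"
    return findings


def build_sample() -> bytes:
    """Constructed message mimicking the described mail; attachment is a harmless 'MZ' stub."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft Support" <support@example.invalid>'  # constructed address
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("constructed body text")
    fake_pe = b"MZ" + b"\x00" * (WORM_FILE_SIZE - 2)  # 12288 bytes, no code
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="SSLPATCH.EXE")  # add_attachment BASE64-encodes binary parts
    return msg.as_bytes()


if __name__ == "__main__":
    print(score_message(build_sample()))
```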

