
Cambridge, UK, July 4, 2000 - Kaspersky Lab, an international anti-virus software development company, announces the discovery of a new Internet worm, 'Dilber.' It carries an extremely dangerous payload: to perform its destructive activity, it has 5 different computer viruses encoded in its body. Among them are such notorious ones as 'Chernobyl,' 'Freelink,' and 'SK'. Each of them is activated depending on the current date.

Despite such an impressive destructive payload, this worm poses no real threat to computer users. Due to a minor bug, it is unable to proliferate; i.e. to spread itself via e-mail or local area network.

"We are very lucky that there was an error in the worm. It is difficult to imagine the consequences if it had the ability to spread. However, there is a chance that the mistake could be rectified and we might still see a fully functional version of the worm," said Eugene Kaspersky, Head of anti-virus research at Kaspersky Lab. "This worm is very dangerous, because it is compressed by the ASPack packing utility. Only a few anti-viruses (including Kaspersky Lab AntiViral Toolkit Pro (AVP)) are able to search for viruses in files of this format."

Protection against the 'Dilber' worm has already been added to the upcoming daily update of AntiViral Toolkit Pro (AVP).

You can purchase AntiViral Toolkit Pro online via the Internet at the following address:

http://www.digitalriver.com/dr/v2/ec_Main.Entry?SP=10007&SID...



Technical Details

I-Worm.Dilber

This is an Internet worm related to the "I-Worm.Silver" worm and written by the same person. Just like "Silver," it is a Windows executable written in Delphi; it accesses the Internet by using a VBS helper file and also spreads to the local network.

Installation

When the worm gains control, it installs itself into the system. To do this, it copies itself to the Windows directory under the name SETUP_.EXE, and registers that file in three auto-run keys in the system registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices


All of these keys contain the value:

"Unchained Infection" = WinDir\setup_.exe

where "WinDir" is the name of the Windows directory.


The worm also registers that file in the auto-run section of the WIN.INI file:


[windows]

...

run=WinDir\setup_.exe

...


If the worm fails to install the SETUP_.EXE file into the Windows directory, it copies itself there under the name DILBERTDANCE.JPG.EXE.
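As an added example (not part of the original advisory and not Kaspersky Lab code), the Python sketch below checks a WIN.INI file and a REGEDIT4 registry export for the auto-run entries described above. The function names are hypothetical and the sample inputs are constructed.

```python
import re
# Indicators taken from the write-up above.
RUN_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)}
VALUE_NAME = "unchained infection"
FILE_NAMES = {"setup_.exe", "dilbertdance.jpg.exe"}
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def basename(path):
    """Lower-cased last component of a Windows or POSIX style path."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()

def scan_win_ini(text):
    """Return run= programs in [windows] whose file name is a listed indicator."""
    hits, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and line.partition("=")[0].strip().lower() == "run":
            # run= may list several programs separated by spaces or commas
            programs = re.split(r"[ ,]+", line.partition("=")[2])
            hits += [p for p in programs if basename(p) in FILE_NAMES]
    return hits

def scan_reg_export(text):
    """Return (key, value name, data) for matching values under the auto-run keys."""
    hits, key = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if m and key and key.lower() in RUN_KEYS:
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            if name.lower() == VALUE_NAME or basename(data) in FILE_NAMES:
                hits.append((key, name, data))
    return hits

# Constructed sample inputs (not captured from a real system).
SAMPLE_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\setup_.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Unchained Infection"="C:\\WINDOWS\\setup_.exe"
[HKEY_LOCAL_MACHINE\Software\Example]
"Unchained Infection"="not under an auto-run key"
'''
```
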


The worm then stays in Windows as a background application (under Windows 95/98) or as a service (under WinNT), and runs two spreading routines in the background. One is activated once every 40 minutes, and the second one, once every hour. The first routine sends the infected messages by using the VBS file helper, as well as dropping and spawning five more viruses (see below). The second one infects the local network.


Sending E-mails


To send an infected message, the worm uses MS Outlook and a VBS helper file: it runs SENDMAIL.VBS, a script program written in the Visual Basic Script language. This script obtains all messages from the Inbox and "replies" to the first 20 with the following message:


Text:


Hi "sendername"


Received your mail, and will send you a reply ASAP


Until then, check out this funny Dilbert Dance (attached)


Attached file name: dilbertdance.jpg.exe


where "sendername" is the name of the sender of the message being replied to.


The worm then marks "answered" messages (affected messages) with a TAB char at the end of the message subject, and does not answer messages that have already been affected. So, the worm prevents duplicate replies to the same messages.

The worm stores all affected addresses in the WINDOWS.EXE file in the Windows directory, and does not send infected messages to the same addresses twice.

The worm also does not send infected messages in cases where the victim address contains the sub-strings: .mil, .gov, admin, master, abuse


Spreading to Local Network

To spread to a local network, the worm locates network resources (mapped drives), looks for those that are shared for reading/writing, and looks for WINDOWS and WINNT directories there. When one of these directories exists, the worm copies itself there under the same SETUP_.EXE name, and registers that file in the auto-run section of the WIN.INI file and/or in the system registry.

As a result, if there are computers on the network that have a Windows drive shared for reading/writing, the worm installs itself there and will be run on those computers upon restart.

Because of a minor bug in the worm's code, it is unable to run its spreading routines, either via e-mail or via LAN.


Payload

The worm also keeps copies of five viruses within its body, in encoded form. Depending on the system date, the worm extracts, drops, and spawns these viruses:



When / Virus name / File name (dropped by worm)


On the 7th of the month / Win32.Bolzano / BOLZANO.EXE

On the 15th of the month / Win95.CIH / CIH_15.EXE

On the 17th of the month / VBS.FreeLink / LINKS.VBS

On the 22nd of the month / Win95.SK / WINSK.COM

On the 31st of the month / Win32.AOC / BEE_AOC.EXE




About Kaspersky Lab

Kaspersky Lab Ltd. is a fast growing international privately owned anti-virus software development company with offices in Moscow (Russia), Cambridge (UK) and Johannesburg (South Africa). Founded in 1997 the company concentrates its efforts on the development of world-leading anti-virus technologies and software. Kaspersky Lab also provides free online security related Internet information services. The company markets, distributes and supports its software and services in more than 40 countries worldwide.

Media Contacts

Denis Zenkin

Kaspersky Lab, Ltd.

Phone: +7 (095) 797 87 00

E-mail: denis@avp.ru

WWW: http://www.kasperskylabs.com


Sara Claridge

Marylebone Media Relations

Phone +44 118 975 5188

E-mail sara@marylebone.co.uk

This press release was distributed by ResponseSource Press Release Wire on behalf of Marylebone Media Relations in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms, for more information visit https://pressreleasewire.responsesource.com/about.