Let the little, tiny worm will turn off a process related to antivirus. Small chili?
Unlike the discussions on malicious programs at the previous articles, this time I am not discussing local malware, but malware is no less foreign cried with locally made.

Which will be discussed this time was W32/Email-Worm.Assiral. He is a type of malware worm that comes from abroad and the small body size, this is why I call it a small worm. Created using programming language C + +, up to now has many variants emerged. Assiral name itself is taken from the name Larissa is reversed, showing the maker's name used to introduce himself.

Endemic and Assault

Although small, this worm has the ability to spread itself via a USB Flash storage, share directories (shared directory), and e-mail. In addition he also will try to beat the antivirus in a way to stop (kill) any process which has one of the following names:
AGENTSVR.EXE, ANTI-TROJAN.EXE, ANTIVIRUS.EXE, ANTS.EXE, APIMONITOR.EXE, APLICA32.EXE, APVXDWIN.EXE, ATCON.EXE, ATGUARD.EXE, ATRO55EN.EXE, ATUPDATER.EXE, ATWATCH.EXE, AUPDATE.EXE, AUTODOWN.EXE, AUTOTRACE.EXE, AUTOUPDATE.EXE, AVCONSOL.EXE, AVGSERV9.EXE, AVLTMAIN.EXE, AVPUPD.EXE, AVSYNMGR.EXE, AVWUPD32.EXE, AVXQUAR.EXE, AVprotect9x.exe, Au.exe, BD_PROFESSIONAL.EXE, BIDEF.EXE, BIDSERVER.EXE, BIPCP.EXE, BIPCPEVALSETUP.EXE, BISP.EXE, BLACKD.EXE, BLACKICE.EXE, BOOTWARN.EXE, BORG2.EXE, BS120.EXE, CCAPP.exe, CDP.EXE, CFGWIZ.EXE, CFIADMIN.EXE, CFIAUDIT.EXE, CFINET.EXE, CFINET32.EXE, CLEAN.EXE, CLEANER.EXE, CLEANER3.EXE, CLEANPC.EXE, CMGRDIAN.EXE, CMON016.EXE, CPD.EXE, CPF9X206.EXE, CPFNT206.EXE, CV.EXE, CWNB181.EXE, CWNTDWMO.EXE, D3dupdate.exe, DEFWATCH.EXE, DEPUTY.EXE, DPF.EXE, DPFSETUP.EXE, DRWATSON.EXE, DRWEBUPW.EXE, ENT.EXE, ESCANH95.EXE, ESCANHNT.EXE, ESCANV95.EXE, EXANTIVIRUS-CNET.EXE, FAST.EXE, FIREWALL.EXE, FLOWPROTECTOR.EXE, FP-WIN_TRIAL.EXE, FRW.EXE, FSAV.EXE, FSAV530STBYB.EXE, FSAV530WTBYB.EXE, FSAV95.EXE, GBMENU.EXE, GBPOLL.EXE, GUARD.EXE, HACKTRACERSETUP.EXE, HTLOG.EXE, HWPE.EXE, IAMAPP.EXE, IAMSERV.EXE, ICLOAD95.EXE, ICLOADNT.EXE, ICMON.EXE, ICSSUPPNT.EXE, ICSUPP95.EXE, ICSUPPNT.EXE, IFW2000.EXE, IPARMOR.EXE, IRIS.EXE, JAMMER.EXE, KAVLITE40ENG.EXE, KAVPERS40ENG.EXE.

List the name of antivirus programs are just a small part, actually still very much to save the page so not all written here. But if you notice, a process that killed the processes related to anti-virus. So it seems this worm to disable the antivirus application to then make a larger attack.

Besides trying to attack antivirus programs, this worm also tried to beat the seperjuangannya friend who has W32/Worm.Bropia another name IM-Worm.Win32.VB.a. W32/Worm.Bropia also a propertied foreign worm spreading ability itself through instant messenger or Intant Messenger. This is why there is a sign of "IM-Worm" at the beginning of its name, the sign that usually provided by antivirus developers to mark the characteristics of a malicious program.


When first run, will create bookmarks W32/Email-Worm.Assiral himself a mutex (Mutual Exclusion) with the name "-)(-=| L4r1 $ $ 4 Note |=-)(-". mutex is typically used for inter singkronisasi application or thread reply contained in most multi-threading applications. But here, mutex Assiral worm used to mark him with the intention to prevent re-infection (reinfection) on washed-infected computers.

For the sake of keeping himself in order to keep running every time the computer is turned on, this worm will create 3 triggers by adding value to the address registry: HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Run

Registry keys made, among others:

* "MSLARISSA" => leads to: "[system-dir] \ MSLARISSA.pif"
* "Command Prompt32" => leads to: "[system-dir] \ CmdPrompt32.pif"
* "($ 4 $ L4r1) (4nt1) (V1ruz)" => leads to: "[a win-dir] \ SP00Lsv32.pif"
* Try to open the browser directly to the destination address "http://roattack.go.ro".
* Trying to convey a message to the user and antivirus products by writing a message in the file "C: \ MESSAGE_TO_USER.txt", "C: \ MESSAGE_TO_AVs.txt", and "C: \ MESSAGE_TO_BROPIA.txt" which contains: 
C:\MESSAGE_TO_USER.txt:
Greetz to infected user!
I will survive
In this moment in time.
Your computer will crash,
So, you will be mine.
I will not crash,
I will not fail.
So, in this moment in time,
I will survive...
– LARISSA AUTHOR

C:\MESSAGE_TO_AVs.txt:
Greetz to AVs!
I wanna be in AV industry when I grow up :-)
  ---------------------------------------- 
       - LARISSA AUTHOR

C:\MESSAGE_TO_BROPIA.txt:
Hey Bropia.. stop making MSN worms it's stupid...
... lol -- Larissa Anti Bropia... -- Saving the world from BROPIA!!!
         - LARISSA AUTHOR

Cleaning and Prevention

To clean this worm, you can simply run the AVI which was updated you can get the DVD of this magazine innate or download at: http://www.infokomputer.com/avi/download-avi/download-link-for-avi. For prevention, install AVI as a real-time protection, and do not forget to always update your AVI to always up-to-date.

0 comments