W95.Fix2001 is an Internet worm that secretly steals dial-up information (including the password from memory) and sends the information out via email. Users that have accidentally run this worm are advised to change their password on all dial-up connections immediately.
The worm arrives in an e-mail whose body is written in Spanish. Translated literally:

We ask that you update and/or verify your Operating System so that the Internet works correctly from the Year 2000 onward. If you are a Windows 95 / 98 user, you can do so with the software provided by Microsoft (C) called -Fix2001-, which is attached to this E-Mail or can also be downloaded from the Microsoft (C) WEB site HTTP://WWW.MICROSOFT.COM. If you are a user of other Operating Systems, please be sure to consult your respective technical support. Thank you very much. Administrator.

The write-up's own English version of the message:

We will be glad if you verify your Operative System(s) before Year 2000 to avoid problems with your Internet Connections. If you are a Windows 95 / 98 user, you can check your system using the Fix2001 application that is attached to this E-Mail or downloading it from Microsoft (C) WEB Site: HTTP://WWW.MICROSOFT.COM If you are using another Operative System, please don't wait until Year 2000, ask your OS Technical Support. Thanks. Administrator

When initially executed, the worm installs itself into the local machine's ..\windows\system directory under the same name. It adds itself to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that it executes each time Windows starts. The first time it is executed, it displays the following message:
Your Internet Connection is already Y2K, you don't need to upgrade it.

The worm checks whether a window callback function named "AMORE_TE_AMO" exists. The worm creates this window callback function so that it can send itself to other locations in the background. Instead of modifying system DLL files on disk, the worm hooks APIs to itself in memory by patching the process address space; this way it runs whenever Internet activity occurs on the local machine.

When RNAAPP.EXE (Dial-up Networking) is not running, the worm starts it with the -l parameter. RNAAPP.EXE imports RASAPI32.DLL. When RNAAPP.EXE is loaded, the worm places a hook routine on the "DialEngineRequest" API in RASAPI32.DLL: it writes a jump to its hook routine at the entry point of this API and patches its short hook code in right after the import address table of RASAPI32.DLL. Similarly, Fix2001 hooks the "send" and "connect" APIs of WSOCK32.DLL, which is loaded by Internet applications such as Internet Explorer and Outlook Express. Once RNAAPP.EXE is patched, the worm hides it from the task list by registering it as a service process; the worm itself is also registered as a service process and does not appear in the task list.

The hook routine on the "send" API looks for the "RCPT" field of the mail header during postings. The worm then sends its own message, with the Fix2001.exe attachment, to the very same recipient right after the original message. Fix2001 is the first Windows 95 worm that hooks the DLLs of other processes "on the fly" in memory.

The payload is activated after the worm has already posted itself to another location and an active connection exists. The payload routine computes a checksum of the last detected email address; if that checksum matches a particular value, the worm deletes C:\COMMAND.COM and creates another 16-bit COM program, also named COMMAND.COM, that is 137 bytes long. This file is a trojan horse that NAV detects as Trojan.Fixed.
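The following triage script is an added example and is not part of the original write-up or of any Symantec tool. It checks three host- and mail-side indicators taken from the description above (a Run-key entry launching fix2001.exe, a 137-byte C:\COMMAND.COM, and a message carrying Fix2001.exe sent to the same recipient immediately after the original message); the .reg export, the Run value name "Fix2001", and the SMTP relay log format are constructed assumptions.

```python
"""Triage for W95.Fix2001 indicators (added example, not the write-up's code).
The .reg export, the value name "Fix2001" and the mail-log format are
constructed assumptions; the indicator values come from the description."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TROJAN_COMMAND_COM_SIZE = 137  # size of the dropped COMMAND.COM per the write-up


def check_run_key(reg_export):
    """Return (value name, command) pairs in the Run key referencing fix2001.exe."""
    hits, in_run = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line) if in_run else None
        if m and "fix2001.exe" in m.group(2).lower():
            hits.append((m.group(1), m.group(2).replace("\\\\", "\\")))
    return hits


def command_com_is_trojanized(size):
    """A 137-byte C:\\COMMAND.COM matches the dropped trojan, not the real shell."""
    return size == TROJAN_COMMAND_COM_SIZE


def check_mail_log(lines):
    """Flag a Fix2001.exe-bearing message that directly follows another message
    from the same sender to the same RCPT, which is how the worm propagates."""
    flagged, prev = [], None
    for line in lines:
        m = re.match(r"(\S+) from=(\S+) rcpt=(\S+) attach=(\S+)", line)
        if not m:
            continue
        ts, sender, rcpt, attach = m.groups()
        if prev == (sender, rcpt) and attach.lower() == "fix2001.exe":
            flagged.append((ts, sender, rcpt))
        prev = (sender, rcpt)
    return flagged


# Constructed sample data (Windows 9x REGEDIT4 export and relay log lines).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Fix2001"="C:\\WINDOWS\\SYSTEM\\FIX2001.EXE"
"""
SAMPLE_LOG = [
    "10:01:02 from=alice@example.com rcpt=bob@example.net attach=none",
    "10:01:03 from=alice@example.com rcpt=bob@example.net attach=Fix2001.exe",
    "10:05:00 from=carol@example.com rcpt=bob@example.net attach=report.doc",
]

if __name__ == "__main__":
    print(check_run_key(SAMPLE_REG), command_com_is_trojanized(137), check_mail_log(SAMPLE_LOG))
```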
The trojan horse executes the next time the computer is started. If the trojanized COMMAND.COM is executed, it destroys the data on the hard disk (overwriting it using I/O port commands) whenever the hard disk is an IDE drive. Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Write-up by: Peter Szor