I-Worm.Runnelot
VERY IMPORTANT: READ THE "PAYLOAD" AT THE BOTTOM !!
Runnelot is a worm virus spreading via the Internet as an attachment to infected emails. It also infects Win32 EXE files.
The worm itself is a Windows PE EXE file about 9KB in size when compressed by UPX; the decompressed size is about 20KB. It is written in Assembler.
The worm contains a "copyright" text string:
Runner "Pilot" 01/2003
Installing
While installing, the worm writes its code to the Windows system
directory under the name "Runner.exe" and registers that file in the
system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Runner = Runner.exe /auto /rsrc32.dll
Infecting EXE files
The worm looks for PE EXE files and writes itself to the beginning
of these files. It looks for victim EXE files in directories located on
local and network hard drives.
To release control to the host program, the worm creates a disinfected
copy on disk and spawns it. In case of an error, the worm displays
fake error messages:
Error of loading WIN32.DLL file
Loading incomplete. Correct work is not warranted!
Continue?
General error 1452 in KERNEL32.DLL
Program terminated
Spreading: EMail
To send infected messages, the worm uses direct access to the default
SMTP server. To get victim email addresses, the worm looks for *.HTM* files;
it also writes these email addresses to the "runner.dll" file in the Windows
system directory.
The infected messages have different fields that are randomly constructed
from several variants:
From: "%str1%%str2%"
where the following strings are randomly selected from:
%str1% : Dmitry Eugene Igor Jhon Mark Bill Frank Sam Tim Brad Samuel Dean Tom Robert Mostovoy Losinsky Kaspersky Danilov Smith Woodruf Brown Steel Driver Seldon Forge Stab McAndrew Gregor
%str2% : @hotmail.com @yandex.ru @yahoo.com @newmail.ru
Subject: %subj1% %subj2%
where:
%subj1% :
Weclome to Pink World
Blacks on Blondes
New porno movies every day
TONS of porno movies
Fucking Wifes
%subj2% :
New FREE sex soft
FREE porno-soft
+ many FREE sex games
The body is randomly constructed from randomly selected text strings:
SUPERGAME! + Look as + fine
+ blonde
SEX SOFT! +
hot mom
black hitchiker teen
dirty girl
amateur slut
petite babe
busty teen
wet secretary
wild wife
This is a free demo version, and we hope you want visit
our web-site +
Please visit our web site
+
+
WWW.EXPLOITEDPUSSY.COM
WWW.SLEAZYDREAM.COM
WWW.ALLHOTPORN.COM
WWW.TEENFILES.NET
WWW.ADULTMOVIESTATION.NET
WWW.DISCRETESEX.COM
+
to take more sex programs
to take full version
150 GIG OF DOWNLOADABLE MOVIES - FREE PASSWORD
HIGH QUALITY MPEGS - NEW SCENES EVERY DAY - 100k+ PICS
TOO
Full lenght movies
THE BEST MOVIES ONLINE
HUGE archive of previous movies available! TONS of
movies
+
Full screen quality
Ultra fast downloads
Updated every day
All in DVD quality
WEBMASTERS MAKE MONEY
GET FULL ACCESS TO OUR MEMBERS AREA FOR 30 MINUTES
- FREE
GET YOUR 30 MINUTES FREE ACCESS
A new 150mb full lenght movie is added every day
+
Install NOW!!!
Installer in attach
Test our soft now!
or randomly selected from variants:
We presents to you ours new sex game as adversting
Install a locator of FREE sex movies of our site as
adversting
Install porno screen saver as adversting
This is a new imitator as adversting
Attachment:
sexy + girls.
+ dll
hottest blonde.
cumshot pamela.
analsex lesbians.
oralsex teens.
asian virgins.
hardcore .
slut
doggy
sucking
messy
Payload
On February 13, March 7, 16, April 21, May 8, 18, June 11, July 3,
August 29, October 30, November 5, 26, December 11, 30 the worm
overwrites all files in "Personal" folders ("My Documents", "History",
"Cookies", etc.).
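A host triage check built from the indicators in this description (the auto-run registry value, the two files in the Windows system directory, and the payload dates), added here as an example and not part of the original bulletin. It assumes a "reg export" text dump and a file-name listing collected from the machine, and that the payload dates recur every year since no year is given; the function names and sample data are constructed.

```python
import re
from datetime import date, timedelta

# Indicators from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED = {"runner.exe", "runner.dll"}  # names in the Windows system directory
TRIGGERS = {(2, 13), (3, 7), (3, 16), (4, 21), (5, 8), (5, 18), (6, 11),
            (7, 3), (8, 29), (10, 30), (11, 5), (11, 26), (12, 11), (12, 30)}

def scan_reg_export(text):
    """Return (name, data) Run-key values that match the worm's auto-run entry."""
    hits, in_run = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            # Key names are case-insensitive; only the Run key itself counts.
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run and m:
            name, data = m.group(1), m.group(2)
            if name.lower() == "runner" or data.lower().startswith("runner.exe"):
                hits.append((name, data))
    return hits

def scan_system_dir(filenames):
    """Return listed file names that match the worm's dropped files."""
    return sorted(f for f in filenames if f.lower() in DROPPED)

def next_trigger(today):
    """First payload date on or after `today` (assumes yearly recurrence)."""
    d = today
    while (d.month, d.day) not in TRIGGERS:
        d += timedelta(days=1)
    return d

# Constructed sample input, not taken from a real machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Runner"="Runner.exe /auto /rsrc32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Runner"="decoy value under a different key"
"""
SAMPLE_FILES = ["kernel32.dll", "RUNNER.EXE", "runner.dll", "user32.dll"]

if __name__ == "__main__":
    print(scan_reg_export(SAMPLE_REG))
    print(scan_system_dir(SAMPLE_FILES))
    print(next_trigger(date.today()))
```

A hit on any of the three checks is a reason to isolate the machine and back up the "Personal" folders before the date returned by next_trigger.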
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
200103/100904