First Report: 2007-05-07 15:32
Last Update: 2007-05-07 16:07
W32/WBoy is primarily an Internet worm, but as a side effect it also modifies 32-bit PE files so that they point to a malicious file.
Detection was added for the worm's own 32-bit PE files, which use variable filenames such as (but not limited to) rhbbt.exe, sxjxt.exe and svchost.exe and have a file size of 10,473 bytes. The files are compressed with the FSG packer.
Upon execution it runs silently; no GUI message boxes appear. It immediately deletes itself from the location it was run from. It then copies itself to numerous files: in testing it copied itself to over 30 files with random filenames but byte-identical content.
Besides copying itself to numerous files, it also tries to modify 32-bit PE executables with a pointer to a malicious file. It does not insert its full viral code into target files; it only adds a small routine that points to a malicious file, so that when an infected target file is executed the worm is executed as well. The added routine is very small: about 100 to 110 bytes are changed. It simply changes the entry point (EP) so that the added routine runs as soon as the file starts. The added bytes point to a malicious file such as the dropped copy of the worm c:\winnt\system32\drivers\mikgi.exe (10,473 bytes). Because the change is so small it usually fits in the padding that file alignment leaves at the end of a section such as .text, so the file size of infected files usually stays the same. Modified files are already detected with the released dat-5024.
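As an added example (not part of the original description and not the worm's own code), the following Python script performs the triage a practitioner would do on a suspect 32-bit PE: it parses the headers with the standard library, locates the entry point on disk, and flags an entry point that sits in a section's alignment slack (at or past VirtualSize but inside SizeOfRawData, which is why the file size does not change) or that is followed by a drive-letter path ending in .exe. The two PE images it checks are constructed inline as test input; the patch bytes are placeholder filler plus the dropper path named above, not the real routine, and the path regex is an assumed heuristic.

```python
"""Added triage example (not from the original write-up or the worm itself).

Parses a PE32 image with the standard library only, finds the section that
contains AddressOfEntryPoint, and flags the two symptoms described above:
  * the entry point lies in the section's alignment slack, i.e. at or past
    VirtualSize but still inside SizeOfRawData, so the file size is unchanged;
  * the bytes at the entry point carry a drive-letter path ending in ".exe",
    the pointer to the dropped copy of the worm.
The two PE images at the bottom are constructed here for the demo; the patch
bytes are placeholders, not the worm's real routine.
"""
import re
import struct

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000
# Heuristic (assumption): a drive-letter path ending in .exe near the entry point.
PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]+?\.exe", re.IGNORECASE)


def parse_pe32(data: bytes) -> dict:
    """Return the entry-point RVA and the section table of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr})
    return {"entry_rva": entry_rva, "sections": sections}


def triage(data: bytes) -> dict:
    """Locate the entry point on disk and report whether it looks patched."""
    pe = parse_pe32(data)
    rva = pe["entry_rva"]
    result = {"entry_rva": rva, "section": None, "entry_in_slack": False, "path_string": None}
    for s in pe["sections"]:
        # The loader maps the whole raw block, so slack past VirtualSize is executable too.
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            offset = s["rawptr"] + (rva - s["vaddr"])
            window = data[offset:offset + 128]  # roughly the size of the added routine
            m = PATH_RE.search(window)
            result["section"] = s["name"]
            result["entry_in_slack"] = rva >= s["vaddr"] + s["vsize"]
            result["path_string"] = m.group(0).decode("ascii") if m else None
            break
    # An entry point outside every section is suspicious in its own right.
    suspicious = result["section"] is None or result["entry_in_slack"] or result["path_string"]
    result["verdict"] = "suspicious" if suspicious else "ok"
    return result


def build_sample_pe32(entry_rva: int, text_bytes: bytes, virtual_size: int) -> bytes:
    """Constructed minimal PE32 with one .text section (demo input, not a real sample).

    SizeOfRawData is fixed at FILE_ALIGN, so anything written between
    virtual_size and FILE_ALIGN is alignment slack on disk.
    """
    text_rva, text_raw = SECT_ALIGN, FILE_ALIGN
    if len(text_bytes) > text_raw:
        raise ValueError("section contents exceed the raw block")
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)    # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    struct.pack_into("<I", opt, 32, SECT_ALIGN)             # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)             # FileAlignment
    struct.pack_into("<I", opt, 56, text_rva + SECT_ALIGN)  # SizeOfImage
    struct.pack_into("<I", opt, 60, FILE_ALIGN)             # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    sect = struct.pack("<8sIIIIIIHHI", b".text", virtual_size, text_rva,
                       text_raw, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(FILE_ALIGN, b"\0")
    return headers + text_bytes.ljust(text_raw, b"\0")


# Constructed host code (xor eax, eax; ret); its section is declared 0x80 bytes long.
HOST_CODE = b"\x33\xC0\xC3"
HOST_VSIZE = 0x80
# Placeholder for the ~100-byte routine the worm adds: filler bytes plus the path
# of the dropped copy named in the write-up.  Not the worm's actual code.
PATCH = b"\x90" * 16 + b"C:\\winnt\\system32\\drivers\\mikgi.exe\0"

CLEAN_PE = build_sample_pe32(SECT_ALIGN, HOST_CODE, HOST_VSIZE)
# Same host, patch written into the slack after VirtualSize, EP moved onto it.
PATCHED_PE = build_sample_pe32(SECT_ALIGN + HOST_VSIZE,
                               HOST_CODE.ljust(HOST_VSIZE, b"\0") + PATCH, HOST_VSIZE)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("patched", PATCHED_PE)):
        print(label, len(image), "bytes:", triage(image))
```

To run this against a real file, pass `open(path, "rb").read()` to `triage()`. Both constructed images are exactly 0x400 bytes, which is the point the write-up makes: the patch lives in existing padding, so size comparison alone will not catch it. The slack check is a triage hint, not a detection: some packers and linkers also place the entry point past VirtualSize, so confirm with the released DAT or a manual look at the bytes at the entry point.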
Additionally it drops two other files:
RS.bat (105 bytes): already detected with dat-5024 as Bat/Sdbot trojan.
WUAUSERV.dll (9,216 bytes): a clean file, not malicious.