Email-Worm.VBS.Hely

From Total Malware Info


This worm spreads via the internet as an attachment to infected email messages. It is a Visual Basic Script (VBS) file, 6,935 bytes in size.

Installation

Once launched, the worm copies itself under the following names:

%WinDir%\system32.dll.vbs
%System%\Mstask.exe.vbs
%Temp%\cookies.txt.vbs

It then creates the following registry entries so that the worm copies are launched every time Windows starts:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"system32.dll" = "%WinDir%\system32.dll.vbs"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"Mstask.exe" = "%System%\Mstask.exe.vbs "
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"kuliyuan" = "%Temp%\cookies.txt.vbs "

Payload

Then, using WMI (Windows Management Instrumentation), the worm terminates the following processes:

KAVPlus.exe
PFwmain.exe
RavMon.exe
VPC32.exe
KAV9X.exe
KAVPFW.exe
Rfw.exe
PFW.exe  

If the name of the Windows directory starts with "WINNT", the worm sends the following message to the IP address 192.168.0.254:

"In the LAN,have some worm named *Kely worm*!"

After that, the worm tries to connect to remote computers with administrator privileges. It iterates over the addresses 192.168.0.X, varying the last octet from 1 to 254, and tries each of the following words as the administrator password:

admin
administrator
root
123456
!@#$%^
webmaster
hacker
www
abcdefg
test
test123
windows
654321
admin

If a connection is established successfully, the worm copies the file:

c:\kely.vbs

into the hidden administrative share of the remote computer:

\\192.168.0.X\admin$

Then the worm reads the first five characters of the Windows directory name and, if they are "WINNT", it creates a new user "kely" with administrator rights and sets the password for this user to "19851217".

If Outlook is present on the user's computer, the worm sends infected emails to the first 50 contacts in the address book. The subject of an infected message is chosen at random from the following:

"Kely's mail!"
"Kely wana know u!"
"Kely is my girlfriend!"
"I love Kely!"
"Kely,I miss u!"

Mail Body: "Do u know,I love Kely very much!"

Attachment:

%WinDir%\system32.dll.vbs

After that, the worm copies itself into all folders and subfolders of all available removable, logical and network drives under the name:

Kely.vbs

The worm also searches for all files with the following extensions:

"vbs", "vbe", "wsh", "mp3", "dll", "exe", "bak", "sys", "doc", "htm", "xls", "ppt", "zip", "rar", "cab", "jpeg"

and infects them by replacing the original contents of each file with the worm's body. The worm then checks whether the following file exists:

c:\kely.DLL.exe

If the file exists, the worm launches it. Otherwise, the worm changes the Internet Explorer start page by setting the following registry value:

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "*.*.*.*/kely.DLL.exe"

The worm creates two link files on the desktop:

%Documents and Settings%\%CurrentUser%\Desktop\Kely.txt.lnk
%Documents and Settings%\%CurrentUser%\Desktop\Whitehouse.url

"Kely.txt.lnk" links to the worm's original file, and "Whitehouse.url" links to the following web page:

http://www.whitehouse.gov

Removal instructions

If your computer was not protected by an anti-virus product and has been infected by this malware, perform the following actions to remove it:

  1. Delete the original worm file (its file name and location depend on how the worm originally penetrated the target computer).
  2. Remove the following registry entries:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "system32.dll" = "%WinDir%\system32.dll.vbs"
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "Mstask.exe" = "%System%\Mstask.exe.vbs "
    
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "kuliyuan" = "%Temp%\cookies.txt.vbs "
    
    [HKCU\Software\Microsoft\Internet Explorer\Main]
    "Start Page" = "*.*.*.*/kely.DLL.exe"
  3. Delete files:
    %WinDir%\system32.dll.vbs
    %System%\Mstask.exe.vbs
    %Temp%\cookies.txt.vbs
    %Documents and Settings%\%CurrentUser%\Desktop\Kely.txt.lnk
    %Documents and Settings%\%CurrentUser%\Desktop\Whitehouse.url
  4. Also delete the following files if they were created:
    c:\kely.vbs
    c:\kely.DLL.exe
  5. Delete account "kely".
  6. Use Kaspersky Anti-Virus to delete the malware. Update your antivirus databases and perform a full scan of the computer.
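The following PowerShell script is an added example, not part of the original description or any vendor tool. It audits a host for the indicators listed above (steps 2 to 5, plus the Kely.vbs copies dropped on every drive) and, only when run with -Remove from an elevated prompt, deletes them. It assumes Windows 10 / Server 2016 or later for Get-LocalUser and Remove-LocalUser; on older hosts substitute "net user kely /delete".

```powershell
# Added audit/removal helper for Email-Worm.VBS.Hely (example code, not the page's own).
# Run elevated. Without -Remove the script only reports what it finds.
param([switch]$Remove)

$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$ieKey   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$desktop = [Environment]::GetFolderPath('Desktop')

# Run-key value names used for persistence (removal step 2)
$runValues = @('system32.dll', 'Mstask.exe', 'kuliyuan')
# Dropped files; %System% is %WinDir%\System32 (removal steps 3 and 4)
$files = @(
    "$env:windir\system32.dll.vbs",
    "$env:windir\System32\Mstask.exe.vbs",
    "$env:TEMP\cookies.txt.vbs",
    "$desktop\Kely.txt.lnk",
    "$desktop\Whitehouse.url",
    'C:\kely.vbs',
    'C:\kely.DLL.exe'
)

$found = @()
foreach ($name in $runValues) {
    $prop = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($prop) {
        $found += "Run value '$name' = $($prop.$name)"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $name }
    }
}
# Hijacked IE start page pointing at the kely.DLL.exe download
$start = (Get-ItemProperty -Path $ieKey -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($start -and $start -like '*kely.DLL.exe*') {
    $found += "IE Start Page = $start"
    if ($Remove) { Remove-ItemProperty -Path $ieKey -Name 'Start Page' }
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $found += "File $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}
# Spread copies named Kely.vbs in every folder of every file-system drive
$copies = Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    Get-ChildItem -Path $_.Root -Filter 'Kely.vbs' -Recurse -Force -ErrorAction SilentlyContinue }
foreach ($c in $copies) {
    $found += "Spread copy $($c.FullName)"
    if ($Remove) { Remove-Item -LiteralPath $c.FullName -Force }
}
# Backdoor administrator account (removal step 5)
if (Get-LocalUser -Name 'kely' -ErrorAction SilentlyContinue) {
    $found += "Local account 'kely'"
    if ($Remove) { Remove-LocalUser -Name 'kely' }
}
if ($found) { $found } else { 'No Hely indicators found.' }
```

Step 1 (the original attachment) and step 6 (a full anti-virus scan, which also covers the files overwritten with the worm's body) are not automated here.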