Weekly Virus Report – Klexe, Scorvan and MyLife.M Worms

This report will focus on three worms: Klexe, Scorvan and MyLife.M. The effects of Klexe are dangerous, as it drops a Trojan that captures confidential information from the affected computer and sends it to an e-mail address. This malicious code follows the infection routine below:

– It sends an e-mail message that contains a link to a web page that passes itself off as a link for downloading an e-messenger card.

– When the user accesses the link included in the message, two files are downloaded to the computer: ‘ECMSETUP1.EXE’, which is the worm and is used to send out e-mail messages; and ‘KL.EXE’, which is the Trojan. This last file is copied as ‘WINDOWS EXPLORER.EXE’ to the Startup directories of the drives it can access (C:, D:, E: and F:). By doing this, Klexe ensures that it is run whenever the computer is started up.

Once it has reached the computer, Klexe displays an error message on screen and sends a copy of the message to all the contacts in the Address Book in Outlook.

The second worm analysed in this report is Scorvan, which spreads through peer-to-peer file sharing programs (P2P), such as KMD, Morpheus, Limewire, Grokster, Bearshare, Edonkey2002 and KaZaA. Once it has reached the computer, Scorvan launches the Windows calculator and when the user closes it, the worm goes memory resident.

Scorvan creates multiple copies of itself in the following directories, among others: ‘morpheus\my shared folder\’, ‘\bearshare\shared\’ and ‘\edonkey2002\incoming\’. The names of these files are made up of two parts: the worm selects one of the options from a list and then adds a space followed by ‘calculator.exe’ or ‘calc.exe’.
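The file names and folders given above for Klexe and Scorvan can be turned into a simple filesystem check. The following is an added example, not code from this report; the directory tree built in `demo()` and the name ‘game calc.exe’ are constructed for illustration, and the Scorvan folder list is only the partial one quoted above.

```python
import os
import tempfile

# File names the report gives for Klexe's two downloaded components.
KLEXE_DOWNLOADS = {"ecmsetup1.exe", "kl.exe"}
# Name under which the report says the Trojan is copied into Startup directories.
KLEXE_STARTUP_COPY = "windows explorer.exe"
# Shared folders named in the report ("among others", so partial); "/" replaces "\".
SCORVAN_DIRS = ("morpheus/my shared folder", "bearshare/shared", "edonkey2002/incoming")
# Scorvan file names end with a space followed by one of these.
SCORVAN_SUFFIXES = (" calculator.exe", " calc.exe")


def scan(root):
    """Walk root and return sorted (worm, relative_path) pairs for matching files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/").lower()
        parts = rel_dir.split("/")
        for name in files:
            low = name.lower()
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            # Startup copy only counts inside a folder literally named "Startup".
            if low in KLEXE_DOWNLOADS or (low == KLEXE_STARTUP_COPY and "startup" in parts):
                hits.append(("Klexe", rel))
            elif rel_dir.endswith(SCORVAN_DIRS) and low.endswith(SCORVAN_SUFFIXES):
                hits.append(("Scorvan", rel))
    return sorted(hits)


def demo():
    """Build a constructed directory tree (empty files only) and scan it."""
    sample = [
        "Start Menu/Programs/Startup/WINDOWS EXPLORER.EXE",  # Klexe Startup copy
        "Downloads/KL.EXE",                                   # Klexe Trojan download
        "Program Files/BearShare/Shared/game calc.exe",       # Scorvan-style name
        "Program Files/BearShare/Shared/calc.exe",            # no leading space: ignored
        "WINDOWS/system32/calc.exe",                          # real calculator: ignored
    ]
    with tempfile.TemporaryDirectory() as root:
        for path in sample:
            full = os.path.join(root, *path.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return scan(root)


if __name__ == "__main__":
    for worm, path in demo():
        print(worm, path)
```

Name matches like these are only a first-pass triage signal, since a legitimate file can share a name; any hit still needs to be confirmed with an up-to-date antivirus scan.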

We are going to close this report with MyLife.M, which spreads via e-mail in a message with a subject that refers to either the actress Julia Roberts or the singer Shakira. This worm sends a copy of itself to all the contacts in the Windows Address Book. When MyLife.M is run, it simulates the media player being opened.
