
You've got more M(1**)A(D)I(L+K)L

Peter Ferrie
Virus Bulletin, June 2003, pp.6-7
ISSN 0956-9979


Abstract

Another day, another exploit is disclosed. A little over two months later, a virus using that exploit is discovered. It seems that some virus writers do read NTBugtraq. There is a new member of the W32/Chiton family. The author of the virus calls this one 'W32/JunkHTMaiL', a variation on the name of the virus upon which it is based, W32/Junkmail (see VB, November 2002, p.10), perhaps to draw attention to the self-executing HTML exploit that this virus uses to launch itself from email.

When JunkHTMaiL is started for the first time, it decompresses and drops a standalone executable file that contains only the virus code. The filename and directory are fixed, apart from the name of the Windows directory, which the virus looks up because it varies between installations.

As with the other viruses in the family, this virus is aware of the techniques that are used against viruses that drop files, and works around the common countermeasures: if a file with the target name exists already, its read-only attribute (if any) is removed and the file is deleted; if a directory with that name exists instead (a placeholder directory is a common way to block a known dropper), it is renamed to a random name. The structure of the dropped file is the same as that used by W32/Junkmail. If the standalone copy is not running already, the virus runs it now.

The name of the dropped file is 'ExpIorer.exe', with an uppercase 'I' in place of the lowercase 'l' of the legitimate 'explorer.exe'. In many fonts the two glyphs are indistinguishable, so the viral process is difficult to pick out in the task list.
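The look-alike filename described above is hard to spot by eye but easy to check by machine. The following Python is an added example, not code from the article or from the virus: it folds visually confusable glyphs before comparing image names, so 'ExpIorer.exe' collapses onto 'explorer.exe' while the genuine process is left alone, and it runs that check over a constructed listing in the shape that `tasklist /fo csv` produces. The homoglyph table, the target list and the sample listing are assumptions for illustration.

```python
import csv
import io

# Glyphs that are visually confusable, in common proportional fonts, with a
# letter of the legitimate name. Each is folded to the letter it imitates
# before comparison, so "ExpIorer.exe" and "explorer.exe" map to one key.
# Lower-casing alone is not enough: "I".lower() is "i", not "l".
# This table is an assumption for illustration; extend it for your fonts.
HOMOGLYPHS = {
    "I": "l",   # capital i for lower-case L: the substitution JunkHTMaiL uses
    "|": "l",
    "1": "l",
    "0": "o",
}


def canonical(name: str) -> str:
    """Fold confusable glyphs, then lower-case, to get a comparison key."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in name).lower()


def find_lookalikes(image_names, targets=("explorer.exe",)):
    """Return (seen_name, impersonated_name) pairs for names that look
    identical to a target once glyphs are folded, but are not that target
    (compared case-insensitively). The genuine process is never reported."""
    hits = []
    for name in image_names:
        for target in targets:
            if name.lower() != target.lower() and canonical(name) == canonical(target):
                hits.append((name, target))
    return hits


def scan_tasklist_csv(text: str, targets=("explorer.exe",)):
    """Parse the output of `tasklist /fo csv` and return
    (seen_name, pid, impersonated_name) for every look-alike image name."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        for seen, target in find_lookalikes([row["Image Name"]], targets):
            hits.append((seen, int(row["PID"]), target))
    return hits


# Constructed sample in the shape `tasklist /fo csv` produces; not a real capture.
SAMPLE_TASKLIST = "\n".join([
    '"Image Name","PID","Session Name","Session#","Mem Usage"',
    '"System Idle Process","0","Services","0","8 K"',
    '"explorer.exe","1234","Console","1","45,120 K"',
    '"ExpIorer.exe","2048","Console","1","1,024 K"',
    '"svchost.exe","560","Services","0","12,000 K"',
    '"Explorer.EXE","3012","Console","1","2,000 K"',
])

if __name__ == "__main__":
    for seen, pid, target in scan_tasklist_csv(SAMPLE_TASKLIST):
        print(f"PID {pid}: {seen!r} renders like {target!r} but is not it")
```

The check deliberately compares against the folded form of the target rather than the literal 'ExpIorer.exe', so it also catches other substitutions from the same table (a digit one or a vertical bar for the 'l', a zero for an 'o') without listing each variant. On a live machine, pipe the real `tasklist /fo csv` output into scan_tasklist_csv in place of the sample.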

