
Worm Propagation Via Floppies, Revisited

Wednesday, December 12, 2007 at 6:31am by Rodney Andres

Avert Labs recently discovered a worm subsequently named W32/Heiku (http://vil.nai.com/vil/content/v_143663.htm). Written in Visual Basic, the worm behaves much like any other piece of malware:

  • It creates numerous copies of itself in the file system and creates registry entries to ensure those copies run at startup.
  • It has a destructive payload – deleting files/directories.
  • It causes the usual annoyances: it modifies the IE start page and adds shortcuts to porn sites to the IE Favorites.

One interesting thing about this worm that you don't see very often is that it tries to create copies of itself on a floppy drive! It must be at least two years since I last saw a floppy, and that was while cleaning out a pile of old junk. The worm must be a relic of the days when the motivation for virus writing was simply to cause destruction. Another giveaway of its age is that its payload uses the command "deltree", an old DOS command that is not included in Windows 2000 and later, so on those systems that part of the payload only works if a deltree.exe happens to be present.

But even back when floppies were commonplace, copying itself to one would be a weak way to spread unless the worm could get itself run from the floppy automatically, without the user explicitly launching it. The obvious technique would be an autorun.inf on the floppy, the same mechanism that lets CD-ROMs and other removable media launch a program. But this sample had no trace of that filename in its body. Digging further, I found that the worm solves the autorun problem with a technique that was new to me: it uses Windows' Active Desktop to get itself run. It's been years since I analysed malware on a daily basis, so pardon me if this is old news to many of you. ;-)

Active Desktop (more precisely, the Web view of folders that arrived with the IE4 desktop update) lets a folder customise the way Windows Explorer displays its contents. The settings live in a Desktop.ini file in that folder, which points Explorer at a hypertext template (an .htt file); Explorer then renders the folder listing inside that HTML page. As far as the browser engine is concerned it is an ordinary HTML page, so it can contain text, links, ActiveX controls and script, and any script in it runs as soon as the folder is opened. Windows XP's shell no longer honours per-folder Folder.htt templates, so the trick targets the Windows 98/ME/2000 family of Explorer.

Along with the executable copies it drops on the floppy, W32/Heiku writes two more files to the disk's root: Folder.htt and Desktop.ini. Folder.htt contains obfuscated ("encrypted") VBScript whose only job is to run a:\drvspace.com, one of the worm copies on the floppy. The idea is that when a user merely browses the infected floppy in Windows Explorer, the template is rendered and the worm runs, provided Web view is enabled and the shell honours Folder.htt. Nothing is double-clicked; opening the folder is the trigger, which is why a Desktop.ini/Folder.htt pair on removable media deserves suspicion in its own right.
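As an added example (not code from this post or from Avert Labs), the Python script below is the check a responder might run over a mounted floppy image or a mapped drive: it finds Desktop.ini files that hand Explorer an .htt template through the PersistMoniker key, then flags templates that contain script, the Microsoft Script Encoder marker (#@~^) that encoded VBScript carries, or shell-launch calls, and pulls out any drive-letter paths the script tries to run. The sample files it builds in a temporary directory are constructed for the example and mirror the layout described above (Desktop.ini, Folder.htt, a launch of a:\drvspace.com); they are not the worm's own files, and the "encoded" block is a placeholder carrying only the marker, not real Script Encoder output.

```python
"""Scan a folder tree for Explorer Web-view auto-run hooks (Desktop.ini -> Folder.htt).

Illustrative scanner, not Avert Labs' tooling. It assumes a desktop.ini enables
Web view through the [ExtShellFolderViews] / PersistMoniker=file://<template>
keys and that a template carrying <script>, a Script Encoder marker (#@~^) or a
shell-launch API deserves a closer look.
"""
import os
import re
import tempfile

WEBVIEW_CLSID = "{5984FFE0-28D4-11CF-AE66-00AA00C00000}"  # Explorer Web-view shell extension

# --- constructed sample files (not the worm's real content) --------------------
SAMPLE_DESKTOP_INI = (
    "[ExtShellFolderViews]\n"
    f"{WEBVIEW_CLSID}={WEBVIEW_CLSID}\n\n"
    f"[{WEBVIEW_CLSID}]\n"
    "PersistMoniker=file://Folder.htt\n"
)
SAMPLE_PLAIN_HTT = (
    '<html><head><script language="VBScript">\n'
    'Set sh = CreateObject("WScript.Shell")\n'
    'sh.Run "a:\\drvspace.com", 0\n'  # launches a worm copy when the folder is opened
    "</script></head><body>%THISDIRNAME%</body></html>\n"
)
SAMPLE_ENCODED_HTT = (
    '<html><head><script language="VBScript.Encode">\n'
    "#@~^WQAAAA==placeholder-not-real-encoded-text==^#~@\n"  # marker only, constructed
    "</script></head><body></body></html>\n"
)

SCRIPT_TAG = re.compile(r"<script\b", re.I)
ENCODER_MARK = re.compile(r"#@~\^")  # Microsoft Script Encoder signature
LAUNCH_API = re.compile(r"WScript\.Shell|Shell\.Application|ShellExecute|\.Run\b", re.I)
LAUNCH_PATH = re.compile(r"[A-Za-z]:\\[\w\\. -]+?\.(?:com|exe|bat|cmd|vbs|scr|pif)\b", re.I)


def parse_ini(text):
    """Tolerant INI parser: {section: {key: value}} with keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def template_for(ini_path):
    """Return the .htt path a desktop.ini asks Explorer to render, or None."""
    with open(ini_path, encoding="latin-1") as fh:
        ini = parse_ini(fh.read())
    for keys in ini.values():
        moniker = keys.get("persistmoniker")
        if moniker:
            target = re.sub(r"^file://", "", moniker, flags=re.I)
            return os.path.join(os.path.dirname(ini_path), target.replace("\\", os.sep))
    return None


def inspect_template(htt_path):
    """Return (reasons, launch_paths) for one folder template."""
    with open(htt_path, encoding="latin-1") as fh:
        body = fh.read()
    reasons = []
    if SCRIPT_TAG.search(body):
        reasons.append("script block in folder template")
    if ENCODER_MARK.search(body):
        reasons.append("Script Encoder (#@~^) encoded script")
    if LAUNCH_API.search(body):
        reasons.append("shell/launch API referenced")
    launches = sorted({m.group(0) for m in LAUNCH_PATH.finditer(body)})
    return reasons, launches


def scan_tree(root):
    """Walk root and report every desktop.ini whose template looks like an auto-run hook."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() != "desktop.ini":
                continue
            ini_path = os.path.join(dirpath, name)
            htt = template_for(ini_path)
            if htt is None or not os.path.isfile(htt):
                continue
            reasons, launches = inspect_template(htt)
            if reasons:
                findings.append({"ini": ini_path, "template": htt,
                                 "reasons": reasons, "launches": launches})
    return findings


def build_sample_drive():
    """Lay out a temp directory like the infected floppy: root and one sub-folder."""
    root = tempfile.mkdtemp(prefix="floppy_")
    sub = os.path.join(root, "encoded")
    os.mkdir(sub)
    for folder, htt in ((root, SAMPLE_PLAIN_HTT), (sub, SAMPLE_ENCODED_HTT)):
        with open(os.path.join(folder, "Desktop.ini"), "w", encoding="latin-1") as fh:
            fh.write(SAMPLE_DESKTOP_INI)
        with open(os.path.join(folder, "Folder.htt"), "w", encoding="latin-1") as fh:
            fh.write(htt)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_drive()):
        print(finding)
```

The encoded sample is reported by its marker alone, with no launch target: the scanner cannot see through Script Encoder obfuscation, so a hit on the marker is reason enough to pull the template for decoding rather than to pass it. Since the comment below notes the worm also copies itself to other drive letters, the same scan applies to mapped network drives, not just removable media.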

With the flood of bots and generic mass-mailers out there, it’s interesting to find something different and new. Even if it was new a long time ago.


Comments (1)

  • Bruce Spies December 13, 2007 8:37AM

    I think it would be most helpful to mention that this virus also copies itself to other drive letters the user has access to, which means even though it's old-school it can still wreak havoc over a corporate network where users have one or more mapped network drives. I think without mentioning that important point you are trivializing the damage this old-school virus was able to do before detections were crafted for it, or for anyone still unprotected.