Subject: Malicious Code Alert - South Park Shooter Worm
Date: Thu, 11 May 2000 20:11:45 +0100
Threat: Medium

---------------------------------------------------------------
South Park Shooter Worm
---------------------------------------------------------------

Finjan’s Malicious Code Research Center (MCRC) has analyzed a new worm called South Park Shooter that was discovered yesterday in the wild in Europe. This worm uses Microsoft Outlook to spread via e-mail to the entire contents of the victim’s address book every 30 seconds. It also fills the victim’s hard drive to maximum capacity. The worm’s payload is therefore a denial-of-service attack on both PCs and e-mail servers.

DESCRIPTION

File attachment: “South Park.exe” (Original name: “hit it.exe”)
File size: 19,968 bytes
Under file properties, the file is named “South Park Shooter” and the company name and copyright are listed as “Comicplanet”.

The e-mail is written in German with the subject: “Servus Alter!” (Translation: “Hey Dude!” (Bavarian slang))
Message body: “Hier ist das Spiel, das du unbedingt wolltest!” (Translation: “Here is the game that you desperately wanted”)

When launched, South Park Shooter adds 3 keys to the registry:

HKEY_USERS/.DEFAULT/Software/Microsoft/Windows/CurrentVersion/Run
  Key name: windll
  Value: c:\winguard.exe

HKEY_USERS/.DEFAULT/Software
  Key name: vb and va program settings
  Folder name: Microsoftt Sucks
  Folder name: Authors
  Key name: SUSI V1.0
  Value: SUSI V1.3 made by ::((LITTLE JiM))::

The worm creates 2 .dll files:
  C:\windowssystem.dll (1 K)
  C:\windowsstart.dll (1 K)
and the executable file:
  C:\winguard.exe (19.5 K)

It also copies South Park.exe to the C: root directory and searches the floppy drive for a diskette. If it finds one, it copies PC system files and the attack file, effectively making the diskette capable of booting and infecting other PCs.
Once winguard.exe is running, it sends an e-mail with the South Park.exe attachment to all the contacts in the Microsoft Outlook address book every 30 seconds. Therefore, South Park Shooter has the ability to crash e-mail servers due to extreme bandwidth consumption. It also creates a text file: C:\swapfile.vxd and fills it with random characters until the hard drive is full, effectively creating a denial-of-service attack on the PC. We caution companies to be aware that English translations are likely and/or new variants may appear shortly.
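The mail-side indicators above (subject “Servus Alter!”, attachment “South Park.exe”, 19,968 bytes, one send every 30 seconds) can be turned into a gateway log check. The following is an added example, not part of the original alert or of any Finjan tool; the log line format, the sample lines and the burst window are constructed assumptions. It also flags any .exe attachment of exactly the worm’s size, so a renamed copy (e.g. the original “hit it.exe” name) or a translated subject is still caught.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the alert.
WORM_SUBJECT = "Servus Alter!"
WORM_ATTACHMENT = "South Park.exe"
WORM_SIZE = 19968  # bytes

# Constructed sample gateway log: "<iso timestamp> <sender>|<subject>|<attachment>|<size>".
SAMPLE_LOG = """\
2000-05-11T20:00:00 alice@example.test|Servus Alter!|South Park.exe|19968
2000-05-11T20:00:30 alice@example.test|Servus Alter!|South Park.exe|19968
2000-05-11T20:01:00 alice@example.test|Servus Alter!|South Park.exe|19968
2000-05-11T20:05:00 bob@example.test|Meeting notes|notes.doc|40211
2000-05-11T20:06:00 carol@example.test|Hey Dude!|hit it.exe|19968
"""

LINE_RE = re.compile(r"^(\S+) ([^|]+)\|([^|]*)\|([^|]*)\|(\d+)$")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, sender, subject, attachment, size = m.groups()
    return {"ts": datetime.fromisoformat(ts), "sender": sender,
            "subject": subject, "attachment": attachment, "size": int(size)}

def matches_worm(msg):
    # Exact subject + attachment name, or any .exe of exactly the worm's size
    # (covers the renamed original and a translated subject line).
    if msg["subject"] == WORM_SUBJECT and msg["attachment"] == WORM_ATTACHMENT:
        return True
    return msg["attachment"].lower().endswith(".exe") and msg["size"] == WORM_SIZE

def burst_senders(msgs, window=timedelta(seconds=90), threshold=3):
    # The worm mails the whole address book every 30 seconds, so `threshold`
    # matching messages from one sender inside `window` is the strongest signal.
    by_sender = defaultdict(list)
    for m in msgs:
        if matches_worm(m):
            by_sender[m["sender"]].append(m["ts"])
    flagged = set()
    for sender, times in by_sender.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(sender)
                break
    return flagged

def scan_log(text):
    msgs = [p for p in (parse_line(l) for l in text.splitlines()) if p]
    hits = [m for m in msgs if matches_worm(m)]
    return {"matches": len(hits), "burst_senders": sorted(burst_senders(msgs))}
```

Running scan_log(SAMPLE_LOG) reports 4 matching messages and flags alice@example.test as a bursting sender; a host-side check would additionally look for the Run key “windll” pointing at c:\winguard.exe and the files C:\winguard.exe, C:\South Park.exe and C:\swapfile.vxd named in the alert.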