W32.Icecubes.Worm.B


Aliases: W32.Icecubes.Worm.gen, WORM_ICECUBES.B, Worm/Icecubes.B, W32/Icecubes.B, Win32:IcuCube
Variants: Email-Worm.Win32.Icecubes.b, I-Worm.Icecubes.b, W32/IceCube.dll.b@M, Win32.Icecubes.6926, Win32/Icecubes.B.dll@m

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Slow
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 02 Jan 2001
Damage: Low

Characteristics: This malware disguises its true nature by displaying a humorous dialog box that leads the user to believe the application is just a hoax, presumably to avoid arousing suspicion. W32.Icecubes.Worm.B can use various transport mechanisms to spread its code to other machines. In some instances it has been observed to create multiple instances of itself on the compromised system.

More details about W32.Icecubes.Worm.B

This threat is considered dormant primarily because it infects only older versions of the Microsoft Windows operating system; newer 32- and 64-bit versions are not susceptible to its payload. These older operating systems are also almost absent from present-day computers, which makes W32.Icecubes.Worm.B ineffective. On a vulnerable system the worm activates whenever the user sends an email message: it sends a second message to the same recipient, this time with a copy of itself attached, in order to spread its code. This routine tricks the recipient into thinking that the infected message is legitimate and safe.

The message body states that the attachment is a tool for revealing hidden settings of the operating system, a ruse meant to prompt the recipient into launching it. When executed, W32.Icecubes.Worm.B creates a copy of a DLL file, renames the copy to an INF file, and appends part of its code to the end of the new file. It then creates an initialization file that replaces the original DLL file with the infected INF file after the machine has been restarted.
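
The replace-on-restart step described above leaves a pending file operation that can be checked before the next reboot. The following is an added example, not part of the original entry: it assumes the "initialization file" follows the Windows 9x WININIT.INI layout (a `[rename]` section of `destination=source` lines), which the entry does not state, and all paths in the sample are constructed.

```python
import ntpath

# Constructed sample in the Windows 9x WININIT.INI layout (assumption: the
# entry only says "initialization file"). Each [rename] line is
# destination=source; a destination of NUL means "delete source".
SAMPLE = r"""
[rename]
NUL=C:\WINDOWS\TEMP\SETUP1.TMP
C:\WINDOWS\SYSTEM\EXAMPLE.DLL=C:\WINDOWS\SYSTEM\EXAMPLE.INF
C:\WINDOWS\SYSTEM\DRIVER.VXD=C:\WINDOWS\SYSTEM\DRIVER.NEW
[other]
C:\A.DLL=C:\A.INF
"""

# Destination types that should never be overwritten by an .inf file.
BINARY_EXTS = {".dll", ".exe", ".vxd", ".ocx", ".drv"}

def parse_rename(text):
    """Return (destination, source) pairs from the [rename] section.
    Parsed by hand because keys such as NUL may legitimately repeat."""
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (p.strip() for p in line.split("=", 1))
            pairs.append((dest, src))
    return pairs

def suspicious_replacements(text):
    """Flag pending operations that overwrite a binary with an .inf file."""
    hits = []
    for dest, src in parse_rename(text):
        if dest.upper() == "NUL":
            continue  # deletion request, not a replacement
        dest_ext = ntpath.splitext(dest)[1].lower()
        src_ext = ntpath.splitext(src)[1].lower()
        if dest_ext in BINARY_EXTS and src_ext == ".inf":
            hits.append((dest, src))
    return hits

if __name__ == "__main__":
    for dest, src in suspicious_replacements(SAMPLE):
        print(f"pending replacement of {dest} by {src}")
```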