W32.Orfina@mm


Aliases: I-Worm.Baconex
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Fast
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 23 Dec 2002
Damage: Low

Characteristics: W32/Orfina@MM is a mass-mailing worm which only activates when certain conditions are met. The worm mass mails to transmit itself to the contacts in the local email address book. The author chose to give this to AVERT. This worm automatically harvests email addresses from .asp, .doc, .ht*, .php, and .xls files in the compromised computer's personal folder, Favorites folder, Temporary Internet Files cache folder and Desktop folder.

More details about W32.Orfina@mm

This worm also uses its own SMTP engine to send a zipped copy of itself to every email address it finds. The email is a plain-text message, base64 encoded, with a ".zip" file attachment. The Subject line is one of "Fw: Interesting!", "Re: Thanks", "hi", "Keep Smiling! :)" or "Christmas Greetings". The body may read "look what i've made", "awesome stuff, check att" or "Something Special!". The attachment is named "Happy_XMas.zip", "Happyy2k3.zi", "BestWishes.zip" or "attachment.zip". Once the ".zip" attachment is opened and the embedded ".exe" runs, the worm creates new files in the Windows directory: bacoorfina.exe, bacoorfina.txt, bacoorfina.eml and bacoorfina.zip. The "bacoorfina.exe" file is a 32-bit portable executable (PE) file with a size of 7520 bytes, packed with FSG.
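As an added defender-side example (not code from the original description or from any vendor tool), the following Python helper matches a raw message against the lure subjects and attachment names listed above and checks a Windows directory for the dropped files; the sample message and the scoring threshold are constructed for illustration.

```python
import email
from email import policy
from pathlib import Path

# Indicators quoted above, compared case-insensitively; not a complete AV signature.
ORFINA_SUBJECTS = {"fw: interesting!", "re: thanks", "hi",
                   "keep smiling! :)", "christmas greetings"}
# The fourth attachment name is cut off in the description, so it is omitted.
ORFINA_ATTACHMENTS = {"happy_xmas.zip", "bestwishes.zip", "attachment.zip"}
DROPPED_FILES = ("bacoorfina.exe", "bacoorfina.txt", "bacoorfina.eml", "bacoorfina.zip")

def orfina_indicators(raw_message: str) -> dict:
    """Return which Orfina lure traits a raw RFC 822 message shows."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    zip_names, base64_text = [], False
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".zip"):
            zip_names.append(name.lower())
        cte = str(part.get("Content-Transfer-Encoding", "")).lower()
        if part.get_content_type() == "text/plain" and cte == "base64":
            base64_text = True
    hits = {"subject": subject in ORFINA_SUBJECTS,
            "attachment": any(n in ORFINA_ATTACHMENTS for n in zip_names),
            "base64_text_with_zip": base64_text and bool(zip_names)}
    hits["suspicious"] = sum(hits.values()) >= 2  # one trait alone is weak evidence
    return hits

def dropped_files_present(windows_dir) -> list:
    """Names from DROPPED_FILES that exist in windows_dir (e.g. C:\\Windows)."""
    return [n for n in DROPPED_FILES if (Path(windows_dir) / n).is_file()]

# Constructed sample message mimicking the lure described above.
SAMPLE_MESSAGE = """\
Subject: Keep Smiling! :)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: base64

bG9vayB3aGF0IGkndmUgbWFkZQ==
--b1
Content-Type: application/zip; name="Happy_XMas.zip"
Content-Disposition: attachment; filename="Happy_XMas.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
```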

Once installed, W32.Orfina@mm carries out the tasks it was programmed to do. Allegedly, one of these tasks is to open a backdoor on the affected machine. This Trojan component is composed of three parts, the server, the client and/or the editor, which allow a hacker to remotely control a computer. The server is installed on the hacker's computer and is responsible for communicating with the infected computer through the client. The client is installed on the compromised machine and receives commands from the hacker. The editor is an additional tool that allows the attacker to define the capabilities and limitations of the W32.Orfina@mm program.