Inane Shenanigans with Worm-Shiv

By Andrew Brandt

It’s been a long time since I’ve worked on a malware file as singularly obnoxious as Worm-Shiv, a new worm we defined a few weeks ago. There isn’t anything especially technically avant-garde or advanced about the worm, nor was it especially difficult to detect or remove. It just exhibits behavior that, to be blunt, is about as annoying as it possibly can be.

The infection process starts with a small self-extracting RAR archive executable. When run, it drops and executes another .exe file, which in turn drops and executes yet another .exe file. Sounds pretty unobtrusive so far, right?

Well, even though the worm might have snuck by unnoticed, it would be hard to characterize its operational behavior as “staying below the radar.” The worm puts a copy of a file named wsock32.dll into every single folder on the hard drive. Every. Single. One. On my test system there were more than 200 copies left behind.

Then the fun begins.

The worm’s code is designed to prevent certain applications from working properly. For example, the brilliant freeware tool Process Explorer is automatically shut down the moment the mouse crosses the border into the program’s window. In some cases, the worm also modifies some registry settings that turn off certain columns in the Process Explorer window — important ones, like the one that shows the program’s name.

But even worse, the worm has been engineered to mess with the application window of many antivirus products, including ours. Take a look at the next video, where our product has detected the worm during a sweep. Not only does the worm make the Quarantine button disappear, but then the real shenanigans begin: When you move the mouse pointer anywhere within the program’s active window, it immediately snaps the Title Bar over the mouse pointer, which then sticks to the pointer. If you move the mouse too quickly when it’s “stuck” like that, the mouse pointer just slips off the title bar, leaving the window half off the screen.

Fortunately for you (and for our dedicated, patient technical support folks), there’s a keyboard shortcut for the Quarantine feature, so you can just hit the Alt-Q keys instead of trying in vain, over and over, to click the button.

I’ve never been happier to get rid of a piece of malware than I was when I came across Worm-Shiv. Maybe the evil genius drooling idiot who came up with this one will think of something even more annoying in the future, but for now, we can all breathe a little easier knowing this Sisyphean nonsense is contained — at least, for the moment.
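The wsock32.dll copies described above lend themselves to a simple sweep. The following is an added example, not code from the original post or from any product it mentions: it walks a drive, collects every file named wsock32.dll outside the directories where a legitimate copy is expected, and groups the hits by SHA-256 so that one identical file spread across many folders stands out. The trusted directory list, the function names and the copy threshold are assumptions to adjust for the system being examined.

```python
import hashlib
import os
from collections import defaultdict

# Assumption: directories where a legitimate copy is expected, relative to the
# scanned root (for example, when the root is C:\).
TRUSTED_DIRS = ("Windows/System32", "Windows/SysWOW64", "Windows/WinSxS")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_stray_dlls(root, name="wsock32.dll", trusted=TRUSTED_DIRS):
    """Map SHA-256 -> sorted paths of files called `name` outside trusted dirs."""
    root = os.path.abspath(root)
    trusted_abs = [os.path.normcase(os.path.join(root, *t.split("/")))
                   for t in trusted]
    by_hash = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        here = os.path.normcase(dirpath)
        if any(here == t or here.startswith(t + os.sep) for t in trusted_abs):
            dirnames[:] = []  # do not descend into trusted locations
            continue
        for fn in filenames:
            if fn.lower() != name.lower():  # Windows names are case-insensitive
                continue
            full = os.path.join(dirpath, fn)
            try:
                by_hash[_sha256(full)].append(full)
            except OSError:
                by_hash["<unreadable>"].append(full)  # locked or access denied
    return {h: sorted(p) for h, p in by_hash.items()}


def mass_planted(by_hash, min_copies=5):
    """Hashes whose identical copies sit in at least `min_copies` folders."""
    return {h: p for h, p in by_hash.items()
            if h != "<unreadable>"
            and len({os.path.dirname(x) for x in p}) >= min_copies}
```

A single stray copy next to an application can be benign, which is why the second function only reports a hash once the same bytes appear in several different folders.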

2 thoughts on “Inane Shenanigans with Worm-Shiv”

  1. I once came across a virus that wouldn’t even let me execute Process Explorer. Nothing happened when double-clicking on the exe. Fortunately there was an easy workaround. All I had to do was rename the exe file and then it worked like a charm.

