SECURITY ALERT

Name:      W32/Roach@MM
Aliases:   W32.Efortune.31384@mm
Variants:  
Type:      Internet worm, File infector
Platforms: Win32 platforms
Status:    in the wild
Threat:    low (V-CON 2)

The following has been derived from information provided by Network Associates and Symantec.

Virus Characteristics

This is a new mass-mailing worm that also has file-infection capabilities. The worm uses both encryption and polymorphic techniques to evade detection by anti-virus software.

The virus arrives via e-mail from a randomly generated sender name prepended to "@hotmail.com". The message contains the following:

Subject: FW: Guess what, you're mine!
Body: You have been hit

This is the funny-attachment war! You have just been hit and by the rule book you can't hit this person back. To be in the game you need to send this message to five of your friends, try to find some small and funny attachment to send along. If you don't have time use the one you got hit by, go ahead hit someone!

Attachments: SETUP.EXE, COOKIE.ZIP

The COOKIE.ZIP file contains COOKIE.EXE and a text file named FILE_ID.DIZ. The text file reads:


                       FortuneCookie 32 - Version 1.0
                               * FREEWARE *

 DESCRIPTION:
 ============

       FortuneCookie 32 is a Windows 32 version of the classical
fortune cookies you can get at some restaurants. It's very simple
double clicking on the cookie.exe file will bring up a fortune cookie.
       This program is freeware so feel free to send out a word of
wisdom to your friends!

The worm attempts to use an Internet Explorer 5.5 MIME vulnerability to execute the SETUP.EXE attachment.

The COOKIE program uses an icon of a teddy bear.

When executed, the worm copies itself to %WinDir%\KERNEL32.dll and %WinDir%\SYSTEM\KERNEL32.VLL. An entry is created in the WININIT.INI file to replace the valid C:\WINDOWS\SYSTEM\KERNEL32.DLL file with the viral KERNEL32.VLL upon the next system restart.

The infected KERNEL32.DLL file hooks the functions CopyFileA, DeleteFileA, GetFileAttributesA, GetFileAttributesW, and MoveFileA.

A copy of the virus is saved to the file MMSYS32.EXE in the %WinDir%\SYSTEM directory and a registry run key is created to load the virus at startup:

HKLM\Software\Microsoft\CurrentVersion\Run\
MMSYS=%WinDir%\SYSTEM\MMSYS32.EXE

The virus also saves a zipped copy of itself to %WinDir%\SYSTEM\COOKIE.ATT for use in further mailing. After the next reboot, .EXE files viewed in Explorer are infected.


Payload

The worm sends itself via email to email addresses gathered from the white pages of www.icq.com.
It has backdoor capabilities that can be used through IRC to execute arbitrary code.
The registry is modified upon first execution.


Preventative Measures

Block all attachments with EXE extensions (or, specifically, SETUP.EXE) at the SMTP gateway where possible.
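As an added example (not part of this alert or of the vendors' material), the following Python sketch shows a gateway-side attachment check that applies this measure to a constructed message modelled on the description above; the sender address, the placeholder payload bytes and the mislabelled Content-Type on SETUP.EXE are assumptions made for the sample. It decides on the attachment filename rather than the declared type, and also looks inside ZIP attachments, since COOKIE.ZIP carries COOKIE.EXE.

```python
import io
import zipfile
from email.message import EmailMessage

# Extensions the alert recommends blocking at the SMTP gateway.
BLOCKED_EXT = (".exe",)
# Subject line used by W32/Roach@MM, as given in the alert.
KNOWN_SUBJECTS = {"FW: Guess what, you're mine!"}


def scan_message(msg: EmailMessage) -> list:
    """Return the reasons a message should be blocked (empty list = clean).

    Filenames come from the MIME headers and are checked regardless of the
    declared Content-Type, so a mislabelled executable is still caught.
    ZIP attachments are opened in memory and their entries checked too.
    """
    reasons = []
    if str(msg.get("Subject", "")) in KNOWN_SUBJECTS:
        reasons.append("subject matches W32/Roach@MM lure")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(BLOCKED_EXT):
            reasons.append(f"executable attachment: {name}")
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    for inner in zf.namelist():
                        if inner.lower().endswith(BLOCKED_EXT):
                            reasons.append(f"executable inside {name}: {inner}")
            except zipfile.BadZipFile:
                reasons.append(f"unreadable ZIP attachment: {name}")
    return reasons


def build_sample() -> EmailMessage:
    """Constructed sample resembling the alert's description (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "xk2j9q@hotmail.com"  # placeholder for the random sender name
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "FW: Guess what, you're mine!"
    msg.set_content("You have been hit\n\nThis is the funny-attachment war!")
    # Content-Type mislabelled on purpose in this sample: the check must not trust it.
    msg.add_attachment(b"MZ-placeholder", maintype="audio", subtype="x-wav",
                       filename="SETUP.EXE")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("COOKIE.EXE", b"MZ-placeholder")
        zf.writestr("FILE_ID.DIZ", "FortuneCookie 32 - Version 1.0")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="COOKIE.ZIP")
    return msg
```

Running `scan_message(build_sample())` yields three reasons: the known subject, the SETUP.EXE attachment, and COOKIE.EXE inside COOKIE.ZIP.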


Fixes Available

AVP: No information at time of alert
Network Associates: Detected heuristically with 4137 DATs as "New Win32"
Symantec: Spec Defs pending release on May 09, 2001
Trend: No information at time of alert
