Avert Labs recently discovered a worm subsequently named W32/Heiku (http://vil.nai.com/vil/content/v_143663.htm). Written in Visual Basic, the worm behaves much like any other piece of malware:

  • It creates numerous copies of itself in the file system and creates registry entries to ensure those copies run at startup.
  • It has a destructive payload - deleting files/directories.
  • It causes the usual annoyances - modifies the IE start page, adds shortcuts to porn sites in the IE Favorites.

One interesting thing about the worm that you don’t see very often is that it attempts to create copies of itself on a floppy drive!! It must be at least 2 years since I last saw a floppy, and that was when I was cleaning out a pile of old junk. The worm must be an old relic of the days when the motivation for virus writing was simply to cause destruction. Another giveaway to this worm’s age is that its payload uses the command “deltree”, an old DOS command that is no longer included in Windows 2000 and later.

But even back when floppies were more commonplace, a worm copying itself there would be a weak attempt at spreading unless it could get itself to run automatically from the floppy, without the user explicitly running it. The more obvious technique would be to place an autorun.inf file on the floppy, the same way CD-ROMs and other removable drives are made to run programs automatically. But this sample had no traces of that filename in its body. Digging further, I found that the worm solves the autorun problem using a technique that was new to me - that is to use Windows’ Active Desktop to get it to run. It’s been years since I analyzed malware on a daily basis, so pardon me if this is old news to many of you. ;-)

Active Desktop allows the user to customize the way Windows Explorer displays the contents of a folder. These customization settings are stored in the file desktop.ini. The contents of a folder are essentially displayed in an HTML page that is based on a hypertext template (htt). This page is just like any other HTML page, and can contain text, links, ActiveX controls and script.

Along with the executable copies W32/Heiku creates on the floppy drive, it creates the files Folder.htt and Desktop.ini. Folder.htt contains encrypted VBScript whose function is simply to run the file a:\drvspace.com, which is one of the worm copies on the floppy drive. So the idea is that when a user views the contents of the infected floppy in Windows Explorer, the worm will automatically run (assuming Active Desktop is enabled).
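For triage of removable media, the file layout described above can be checked for directly. The following is an added example, not code from the original post or from Avert Labs: it flags any folder whose .htt template contains a script tag and reports whether a desktop.ini references a template and which executables sit beside it. The function names, the extension list and the inert sample files are assumptions constructed for illustration, and the check assumes the script tag itself stays readable even when the script body is encoded.

```python
import re
import tempfile
from pathlib import Path

EXECUTABLE_EXT = {".com", ".exe", ".scr", ".pif", ".bat"}  # assumed list
SCRIPT_TAG = re.compile(rb"<\s*script\b", re.IGNORECASE)
HTT_REF = re.compile(rb"\.htt\b", re.IGNORECASE)

def read_head(path, limit=1 << 20):
    """Return up to `limit` bytes of a file, or b'' if it cannot be read."""
    try:
        with open(path, "rb") as fh:
            return fh.read(limit)
    except OSError:
        return b""

def scan_tree(root):
    """Report each folder whose .htt view template contains a script tag."""
    findings = []
    for folder in [Path(root), *(p for p in Path(root).rglob("*") if p.is_dir())]:
        files = [p for p in folder.iterdir() if p.is_file()]
        scripted = sorted(p.name for p in files if p.suffix.lower() == ".htt"
                          and SCRIPT_TAG.search(read_head(p)))
        if not scripted:
            continue
        ini = [p for p in files if p.name.lower() == "desktop.ini"]
        findings.append({
            "folder": str(folder),
            "scripted_templates": scripted,
            "desktop_ini_references_htt": any(HTT_REF.search(read_head(p)) for p in ini),
            "executables": sorted(p.name for p in files
                                  if p.suffix.lower() in EXECUTABLE_EXT),
        })
    return findings

def build_constructed_sample(root):
    """Write inert, constructed files laid out like the floppy described above."""
    samples = {
        "Desktop.ini": b"; constructed sample\r\nPersistMoniker=file://Folder.htt\r\n",
        "Folder.htt": b"<html><script language=\"VBScript\">' inert</script></html>",
        "drvspace.com": b"constructed placeholder, not a program",
        "notes.txt": b"ordinary file",
    }
    for name, data in samples.items():
        (Path(root) / name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(scan_tree(tmp))
```

A template without script is not reported, so ordinary customized folders do not generate findings.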

With the flood of bots and generic mass-mailers out there, it’s interesting to find something different and new. Even if it was new a long time ago.