
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Disemboweler

Threat level: High
Damage: Severe
Distribution: Not widespread

Effects

Disemboweler infects all files with an EXE or SCR extension on the hard disk of the attacked computer and on all disk drives that can be reached through a network.

The effects of Disemboweler are:

  • It renders all files on all disk drives unusable if the operating system installed on the computer is Windows 2000 or Windows NT.
    To do this, Disemboweler overwrites the content of each file with the text YOUARESHIT. This is only done a month after the infection took place.
  • It erases the CMOS memory and overwrites certain sections of the hard disk if the operating system installed on the computer is Windows 95 or Windows 98.
  • It inserts the names of the infected files in the [windows] section of the WIN.INI file:

    [windows]
    run = %filename%.EXE
  • Disemboweler looks for the WIN.INI file in the following directories on all disk drives: WINNT, WINDOWS, WIN95 or WIN98.
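
The WIN.INI run= line described above is a persistence indicator a responder can check for by hand. The following Python script is an added example and not Panda's code: it builds the list of WIN.INI locations the entry names, reads the [windows] section of a WIN.INI file and reports the programs on its run= line, flagging those with the EXE or SCR extensions the virus infects. The sample INI text and the drive letters are constructed for the example.

```python
"""Read the [windows] section of a WIN.INI file and report the programs
listed on its run= line, so an unexpected autostart entry stands out.
Added example; the sample INI text below is constructed, not captured."""
import re
from pathlib import PureWindowsPath

# Directories the encyclopedia entry says the virus searches for WIN.INI.
WIN_INI_DIRS = ("WINNT", "WINDOWS", "WIN95", "WIN98")

# Constructed WIN.INI content. A clean machine normally has an empty run=
# line; this sample carries two EXE entries of the kind the entry describes.
SAMPLE_WIN_INI = """\
; constructed sample for illustration
[windows]
load=
run = NOTEPAD.EXE CALC.EXE
NullPort=None

[Desktop]
Wallpaper=(None)
"""


def win_ini_candidates(drives):
    """Return the WIN.INI paths a checker should look at: one per drive
    letter and per directory name the entry lists."""
    return [str(PureWindowsPath(f"{d}:\\", sub, "WIN.INI"))
            for d in drives for sub in WIN_INI_DIRS]


def section_lines(ini_text, section):
    """Yield (key, value) pairs belonging to one INI section.
    Section names are matched case-insensitively; ';' comments are skipped."""
    inside = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            inside = header.group(1).strip().lower() == section.lower()
            continue
        if inside and "=" in line:
            key, _, value = line.partition("=")
            yield key.strip().lower(), value.strip()


def run_entries(ini_text):
    """Programs listed on the [windows] run= line. WIN.INI separates
    several programs with spaces or commas; an empty run= gives []."""
    for key, value in section_lines(ini_text, "windows"):
        if key == "run":
            return [p for p in re.split(r"[\s,]+", value) if p]
    return []


def suspicious_run_entries(ini_text):
    """The run= programs with an .EXE or .SCR extension, the two
    extensions the entry says Disemboweler infects."""
    return [p for p in run_entries(ini_text)
            if p.upper().endswith((".EXE", ".SCR"))]


if __name__ == "__main__":
    for path in win_ini_candidates("CD"):
        print("would check", path)
    print("run= programs:", run_entries(SAMPLE_WIN_INI))
    print("suspicious:", suspicious_run_entries(SAMPLE_WIN_INI))
```

On a live machine the constructed text would be replaced by the contents of each path that win_ini_candidates() returns; any program on the run= line that the administrator did not put there deserves a closer look.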

Infection strategy

Disemboweler is a polymorphic virus, so its infection code is different every time it infects a file. Its generic infection routine is:

  • It carries out its infection when the infected file attached to an e-mail message is run.
  • It uses sophisticated infection techniques, such as modifying the entry point of the infected file: Disemboweler overwrites the first bytes (more than 512 bytes) of the file.
  • An infected file grows in size (by around 28 KB).
  • It protects itself by trying to avoid detection and analysis.
  • To do this, it uses anti-debug techniques that let it detect whether it is being traced or whether a program that does so (for example, SoftICE) is installed.
  • When an infected file is run, Disemboweler checks whether Windows Explorer is running.
  • It does this by looking for the EXPLORER.EXE program in the computer's memory.
  • It creates a file with a DAT extension in which it saves some of the e-mail addresses to which it will send itself.
  • The file name is the name of the infected computer with each letter replaced by its counterpart in the reversed alphabet.
  • For example, if the computer name is ABCD-15, the file will be called YXWV-15.DAT.
  • It waits three minutes before sending itself via e-mail and infecting files with an EXE or SCR extension.
    To do this, it hooks the TranslateMessage function. Disemboweler then creates a thread that waits three minutes before it continues with its actions.
  • Disemboweler is run every time the infected computer starts up. It does this by modifying the following entry in the Windows Registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Means of transmission

Disemboweler mainly uses e-mail to spread and carry out its infection. It uses a message with the following characteristics:

  • The subject and text are made up of terms selected at random from the following list:
    sentences you, sentences him to, sentence you to, ordered to prison, convict, judge, circuit judge, trial judge, found guilty, find him guilty, affirmed, judgment of conviction, verdict, guilty plea, trial court, trial chamber, sufficiency of proof, sufficiency of the evidence, proceedings, against the accused, habeas corpus, jugement, condamn, trouvons coupable, à rembourse, sous astreinte, aux entiers dépens, aux dépens, ayant délibéré, le présent arrêt, vu l'arrêt, conformément à la loi, exécution provisoire, rdonn, audience publique, a fait constater, cadre de la procédure, magistrad, apelante, recurso de apelaci, pena de arresto y condeno, mando y firmo, calidad de denunciante, costas procesales, diligencias previas, antecedentes de hecho, hechos probados, sentencia, comparecer, juzgando, dictando la presente, los autos, en autos, denuncia presentada.
    Other subjects and messages can be texts that Disemboweler finds in files with TXT, JS and DOC extensions on the computer it has already infected.
  • The message usually has one attachment; only one in every five messages it sends has more than one attached file.
  • Disemboweler sends the infected message to a large number of recipients. It sends itself to the following addresses:

    - All those in the Address Book (file with a WAB extension).

    - All those it finds in existing e-mail messages. To do this, Disemboweler examines the message files of the following e-mail programs: Outlook, Internet Mail and Netscape Messenger (files with MDX and DBX extensions).

    - All those it finds in files with a JS extension.
  • Disemboweler saves the addresses to which it sends itself in a file with a DAT extension.

Further Details

Disemboweler's infection code contains the following text string, which refers to its name and its possible origin:

ARF! ARF! I GOT YOU! v1rus: Judges Disemboweler. by: The Judges Disemboweler. written in Malmo (Sweden)

In addition, the infection code is encrypted.