My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Invalid.A@mm

MEDIUM
MEDIUM
12288 bytes
(I-Worm.Invalid; W32.https.worm)

Symptoms

N/A


Removal instructions:

The virus doesn't install itself so no removal is necessary. The .exe files that are encrypted must be restored from a clean backup or an installation kit.

Analyzed By

Sorin Victor Dudea BitDefender Virus Researcher

Technical Description:

This is an Internet Worm who spreads through e-mail. It arrives by a message with the following format:

From: "Microsoft Support" support@microsoft.com
Subject: Invalid SSL Certificate
Body:
Hello,
Microsoft Corporation announced that an invalid SSL certificate that web sites use is required to be installed on the user computer to use the https protocol. During the installation, the certificate causes a buffer overrun in Microsoft Internet Explorer and by that allows attackers to get access to your computer. The SSL protocol is used by many companies that require credit card or personal information so, there is a high possibility that you have this certificate installed.
To avoid of being attacked by hackers, please download and install the attached patch. It is strongly recommended to install it because almost all users have this certificate installed without their knowledge.
Have a nice day,
Microsoft Corporation


Attachment: sslpatch.exe

When the attachment is executed the virus verifies the Internet connection. If there is no Internet connection the payload is executed. In case of finding an Internet connection, the virus will search for *.ht* files in "My Documents" directory. In every found file it searches for "mailto:" string and in case of founding that string it will take the e-mail address found after mailto: and it will send itself with his own e-mail client to that address in the same format as it arrives. If any error occurs in the process the payload is activated.

When the payload is activated the virus will search for all "*.exe" files in the current directory and in its parent directory and it will encrypt them with a key randomly generated from the text Invalid.Iworm using cryptapi functions, making those files unusable.