Name: I-Worm.Ivali Category: Viruses Description: Details I-Worm.Ivalid This is a dangerous worm that spreads via the Internet attached to e-mail messages. The worm itself is a Windows application about 12K in size. To spread, the worm uses SMTP and connects to the "mail.bezeqint.net" e-mail server in order to send infected messages. The worm obtains a victim's e-mail addresses from HTML files. It searches for *.HT* files on the hard drive and looks for e-mail addresses there. The infected messages contain the following data: From: "Microsoft Support" [support@microsoft.com] Subject: Invalid SSL Certificate',0Dh,0Ah Attach: SSLPATCH.EXE Message text: Hello, Microsoft Corporation announced that an invalid SSL certificate that web sites use is required to be installed on the user computer to use the https protocol. During the installation, the certificate causes a buffer overrun in Microsoft Internet Explorer and by that allows attackers to get access to your computer. The SSL protocol is used by many companies that require credit card or personal information so, there is a high possibility that you have this certificate installed. To avoid of being attacked by hackers, please download and install the attached patch. It is strongly recommended to install it because almost all users have this certificate installed without their knowledge. Have a nice day, Microsoft Corporation In case of an error, or when infected messages are sent, the worm encrypts all EXE files the in current and all parent directories. While encrypting, the worm uses standard Windows crypto API. The worm also contains the following texts in its body: I-Worm.Invalid, Written By Dr.T/BCVG Network, 2001 The Black Cat Virii Group, 2001