Fix2001


Email-Worm.Win32.Fix2001 or Fix2001 is a mass-mailing email worm that runs on Microsoft Windows.

Behavior

Fix2001 is a worm that spreads over the Internet. It works much like the Happy99 worm: it installs itself into the system, hooks the Windows functions used for Internet access, and harvests the Internet addresses to which it sends copies of itself. The worm has bugs and replicates under Win9x only, not under WinNT.

The worm appears as a "Fix2001.Exe" file attached to an e-mail message. The message has the subject "Internet problem year 2000." and the message text is written in two languages, English and Spanish:

Estimado Cliente:
Rogamos actualizar y/o verificar su Sistema Operativo para el
correcto funcionamiento de Internet a partir del Año 2000. Si
Ud. es usuario de  Windows 95 / 98  puede hacerlo mediante el
Software provisto por  Microsoft (C) llamado -Fix2001- que se
encuentra adjunto en este E-Mail o bien  puede ser descargado
del sitio WEB de Microsoft (C)  HTTP://WWW.MICROSOFT.COM
Si Ud. es usuario de otros Sistemas Operativos, por favor, no
deje de consultar con sus respectivos soportes tecnicos.
Muchas Gracias.
Administrador.

Internet Customer:
We will be glad if you verify your Operative System(s) before
Year 2000 to avoid problems with your Internet Connections.
If you are a  Windows 95 / 98 user, you can check your system
using the Fix2001 application that is attached to this E-Mail
or downloading it from Microsoft (C) WEB Site:
HTTP://WWW.MICROSOFT.COM
If you are using  another Operative System, please don't wait
until Year 2000, ask your OS Technical Support.
Thanks.
Administrator.

The worm's body also contains the text strings it uses to build and send the attachment in an e-mail message, as well as the following texts:

RCPT TO:
@hotmail.com>
@ciudad.com.ar>
Fix2001
THE REAL KEY TO LIVE A HAPPY LIFE, IS: BE A GOOD MAN.
PARA CONSEGUIR LA VERDADERA FELICIDAD, SE UN BUEN TIPO.
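The message traits described above (subject line, attachment name, lure text in both languages) are enough for a simple mail-side check. The following is an added example, not part of the original article; the function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Traits taken from the description above; all comparisons are case-insensitive.
SUBJECT = "internet problem year 2000"
ATTACHMENT = "fix2001.exe"
BODY_MARKERS = ("fix2001 application that is attached", "llamado -fix2001-")

def fix2001_indicators(raw: bytes) -> list:
    """Return which Fix2001 mail traits appear in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip().rstrip(".").lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT:
            hits.append("attachment")
        elif part.get_content_type() == "text/plain" and not name:
            # Collapse runs of whitespace: the lure text is padded and wrapped.
            text = " ".join(part.get_content().lower().split())
            if any(marker in text for marker in BODY_MARKERS):
                hits.append("body")
    return hits

def build_sample(subject, body, attachment=None) -> bytes:
    """Build a constructed test message; the attachment is inert filler bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"inert placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    lure = build_sample("Internet problem year 2000.",
                        "you can check your system\nusing the Fix2001 application "
                        "that is attached to this E-Mail", "Fix2001.Exe")
    print(fix2001_indicators(lure))
    print(fix2001_indicators(build_sample("Minutes", "See notes.", "notes.txt")))
```

A message that matches on all three traits is a strong candidate for quarantine; a single match, such as the subject alone, is better treated as a reason for review.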

Installation

The attached file (the worm itself) is a Windows executable file about 12Kb in length. When executed, it installs itself into the Windows system directory under the name FIX2001.EXE and registers itself in the "Run=" system registry key so that its copy is activated on each Windows restart:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Fix2001 = "FIX2001.EXE"

The worm then displays a fake message to hide its activity.

Spreading

When run from the installed FIX2001.EXE copy, the worm registers itself as a system-service process (to hide its window and stay active after user logoff) with the window title "AMORE_TE_AMO" as its identifier; gains access to the WSOCK32.DLL Internet connection library; obtains the addresses of the "connect" and "send" functions; patches them with call instructions to the worm's hook routines; and stays in Windows memory as a hidden application.

When the Internet connection is activated, the worm scans data that is sent and received, obtains Internet addresses from there, and sends infected messages to these addresses.

Payload

The worm has a very dangerous payload that is activated when the text strings in the worm's body are patched or corrupted (this is possible because the data are transferred via Internet channels). In that case, the worm overwrites the C:\COMMAND.COM file with a DOS Trojan that, upon the next computer reboot, erases all data on the hard drive.

This payload fails on Windows NT-based systems because the COMMAND.COM file is not part of the startup sequence.
