W32/Quaters-A is an internet worm which spreads by emailing itself to all addresses in the Microsoft Outlook address list and via IRC channels.
The worm attempts to copy itself to C:\PROGRA~1\ACCOUNT_DETAILS.DOC.EXE and adds the following entry to the registry to run itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Task Manager = C:\PROGRA~1\ACCOUNT_DETAILS.DOC.EXE
Emails have the following characteristics:
Subject line: absent or randomly chosen from the following:
Your Account Infomation.
Your Account is on hold.
Your Account has been suspended.
Account Infomation.
Account Invoice.
Email Account Infomation.
This quaters invoice.
Account Billing Information.
YOUR ACCOUNT REF: <random number>
Account, <random number> is on hold.
ORDER CONFIRMATION: <random number>
Message text: absent or constructed from the following:
Dear Sir,
Please can you check that your account information is up to date.
Your details are attached to this email.
Please can you confirm that your account information is correct.
Your current details are attached to this email.
Please find attached this quaters invoice for your Internet Account.
Regards, Billing Team.
Regards, Support Team.
Attached file: can have any name but may be one of the following:
Your Account.Doc.EXE
Account Details.Doc.EXE
Your Account Info.Doc.EXE
Account Information.Doc.EXE
Billing Information.Doc.EXE
Invoice.Doc.EXE
Account Update.Doc.EXE
Account Status.Doc.EXE
Your Account Status.Doc.EXE
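A mail-filter check built from the email traits listed above, as an added example that is not part of the original advisory. The function names, the digits-only reading of "<random number>" and the extra decoy and executable extensions beyond .Doc.EXE are assumptions; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Fixed subject lines from the advisory, lower-cased; the worm's spelling is kept.
FIXED_SUBJECTS = {
    "your account infomation.", "your account is on hold.",
    "your account has been suspended.", "account infomation.",
    "account invoice.", "email account infomation.",
    "this quaters invoice.", "account billing information.",
}
# Subject templates carrying "<random number>"; digits-only is an assumption.
NUMBERED_SUBJECTS = [
    re.compile(r"YOUR ACCOUNT REF: \d+", re.I),
    re.compile(r"Account, \d+ is on hold\.", re.I),
    re.compile(r"ORDER CONFIRMATION: \d+", re.I),
]
# ".Doc.EXE" is the pattern on the page; the other extensions are an
# assumed generalization of the same double-extension trick.
DOUBLE_EXT = re.compile(r"\.(doc|rtf|txt|xls|pdf)\.(exe|scr|pif|com|bat)$", re.I)

def match_reasons(raw_message):
    """Return the advisory traits found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()  # the subject may be absent
    reasons = []
    if subject.lower() in FIXED_SUBJECTS or any(
            p.fullmatch(subject) for p in NUMBERED_SUBJECTS):
        reasons.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        if DOUBLE_EXT.search(name):
            reasons.append("attachment:" + name)
    return reasons

def build_sample(subject, filename):
    """Constructed test message with placeholder attachment bytes."""
    m = EmailMessage()
    if subject is not None:
        m["Subject"] = subject
    m.set_content("Dear Sir,\nYour details are attached to this email.\n")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    for subj, fname in [("Account, 48213 is on hold.", "Invoice.Doc.EXE"),
                        (None, "Account Details.Doc.EXE"),
                        ("Lunch on Friday", "menu.doc")]:
        print(subj, fname, match_reasons(build_sample(subj, fname)))
```

Because the subject can be absent and the attachment can have any name, the double-extension match is the stronger of the two signals and the subject match only adds confidence.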
The worm overwrites SCRIPT.INI so that it sends a copy of the worm over IRC channels as a file called CHAIN_MAIL_WORLD_RECORD.IRC along with the message "Hey, Do you want to take part of the iRC chain mail world record? If so all you have to do is load up the program add your irc nick and press submit! Just rename the file from .irc to .exe and your ready to go!"
W32/Quaters-A creates the file C:\WIN32.SORT.IT.OUT.BLAIR.TXT which contains the text "Infected by the WIN32.SORT-IT-OUT-BLAIR Virus!" and proceeds to overwrite several script files within C:\inetpub\wwwroot (e.g. default.html) with this file.
W32/Quaters-A will attempt a denial-of-service attack on www.number-10.gov.uk on the 11th of any month, and may display the message:
"INFECTED BY: WIN32.SORT-IT-OUT-BLAIR
Dear Tony Blair,
Why are you spending all our taxes on illegal immigrants!?!
How about you stop worrying about other countries and worry about ours???
Stop spending money on immigrants and spend it on things like OAP's who fought to keep this country free but are now getting treated worst than illegal immigrants!
How about spend a little money on the NHS or the education system!?!
Think about it Mr Blair.
Your career depends on it.
We've had enough."
Finally, W32/Quaters-A attempts to terminate several processes related to anti-virus and security software, e.g. SWEEP95.EXE, SWNETSUP.EXE, ZONEALARM.EXE, ANTI-TROJAN.EXE.