Kaspersky Threats

Class

Platform

Description

Technical Details

Nevezed is a worm virus spreading via Microsoft Outlook. The worm itself is a Java Script file about 4KB in size and written in Java.

Installation

During installation the worm copies itself to the Windows system StartUp directory under the name “StartUp.js” and the Windows System directory under the name “CmdWsh32.js”. It them registers this later file in the system registry as a java-class file. The worm also creates a backup copy of itself in the root directory of other drives.

Spreading: Email
To send infected messages the worm uses MS Outlook to send messages to all the addresses found in a victim’s Outlook address book.

Infected messages sent by the worm have various subject titles. Possible subject titles could be:

Hello name
Hey name
Fwd: Hey You!
Fwd: Check this!
Fwd: Just Look
Fwd: Take a look!
Fwd: Loop at this!
Fwd: Check this out!
Fwd: It’s Free!
Fwd: Look!
Fwd: Free Mp3s!
Fwd: Here you go!
Fwd: Have a look!
Look name!
Fwd: Read This!

Message body text is as follows:

Hello!

Check out this great list of mp3 sites that I included in the attachments!
I can get any Mp3 file that I want from these sites, and its free!
And please don’t be greedy! forward this email to all the people that
you consider friends, and Let them benefit from these Mp3 sites aswell!
Enjoy !

Infected messages contain one of following attachments:

Free_Mp3s.js
Fwd_Mp3s.js
Mp3_Sites.js
Mp3_Web.js
Mp3_List.js
Mp3_Pages.js
Web_Mp3s.js
Mp3-Sites.js
Fwd-Mp3s.js
Mp3-Fwd.js
Fwd-Sites.js

Class	Email-Worm
Platform	JS
Description	Technical Details Nevezed is a worm virus spreading via Microsoft Outlook. The worm itself is a Java Script file about 4KB in size and written in Java. Installation During installation the worm copies itself to the Windows system StartUp directory under the name “StartUp.js” and the Windows System directory under the name “CmdWsh32.js”. It them registers this later file in the system registry as a java-class file. The worm also creates a backup copy of itself in the root directory of other drives. Spreading: Email To send infected messages the worm uses MS Outlook to send messages to all the addresses found in a victim’s Outlook address book. Infected messages sent by the worm have various subject titles. Possible subject titles could be: Hello name Hey name Fwd: Hey You! Fwd: Check this! Fwd: Just Look Fwd: Take a look! Fwd: Loop at this! Fwd: Check this out! Fwd: It’s Free! Fwd: Look! Fwd: Free Mp3s! Fwd: Here you go! Fwd: Have a look! Look name! Fwd: Read This! Message body text is as follows: Hello! Check out this great list of mp3 sites that I included in the attachments! I can get any Mp3 file that I want from these sites, and its free! And please don’t be greedy! forward this email to all the people that you consider friends, and Let them benefit from these Mp3 sites aswell! Enjoy ! Infected messages contain one of following attachments: Free_Mp3s.js Fwd_Mp3s.js Mp3_Sites.js Mp3_Web.js Mp3_List.js Mp3_Pages.js Web_Mp3s.js Mp3-Sites.js Fwd-Mp3s.js Mp3-Fwd.js Fwd-Sites.js

Email-Worm.JS.Nevezed

Technical Details