Kaspersky Threats

Class

Platform

Description

Technical Details

This worm spreads via e-mail by sending infected messages from affected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book. As a result, an infected
computer sends as many messages, as many addresses are kept in MS Outlook contacts list.

The worm arrives to a computer as an e-mail message with an attached VBS file that is the worm itself. The message in original worm version contains the following:

The Subject: requested info
Message body: Thank for your order and your confidence in us.
Attached file name: REQUESTED_INFO.DOC.vbs

Depending on your system settings, a real extension of the attached file (“.vbs”) may not be shown. In this case, the filename of the attached file is displayed as “REQUESTED_INFO.DOC”.

Being activated by a user (by double clicking on the attached file), the worm checks the system for a data file of the Union Bank of Switzerland electronic payment software. If such a file is found, the worm sends it to three e-mails (to worm’s author) and then exits.

In another case, if a file is not found, the worm runs its spreading routine: opens MS Outlook, gains access to the Address Book, obtains all the addresses from there and sends messages with an attached worm copy to all of them. The message
subject, body and attached file name are the same as above.

Class	Email-Worm
Platform	VBS
Description	Technical Details This worm spreads via e-mail by sending infected messages from affected computers. While spreading, the worm uses MS Outlook and sends itself to all addresses that are stored in the MS Outlook Address Book. As a result, an infected computer sends as many messages, as many addresses are kept in MS Outlook contacts list. The worm arrives to a computer as an e-mail message with an attached VBS file that is the worm itself. The message in original worm version contains the following: The Subject: requested info Message body: Thank for your order and your confidence in us. Attached file name: REQUESTED_INFO.DOC.vbs Depending on your system settings, a real extension of the attached file (“.vbs”) may not be shown. In this case, the filename of the attached file is displayed as “REQUESTED_INFO.DOC”. Being activated by a user (by double clicking on the attached file), the worm checks the system for a data file of the Union Bank of Switzerland electronic payment software. If such a file is found, the worm sends it to three e-mails (to worm’s author) and then exits. In another case, if a file is not found, the worm runs its spreading routine: opens MS Outlook, gains access to the Address Book, obtains all the addresses from there and sends messages with an attached worm copy to all of them. The message subject, body and attached file name are the same as above.

Email-Worm.VBS.Req

Technical Details