Technical Details
This worm spreads in e-mail messages. The worm itself is a DOS EXE file about 30K in length. When run, it installs itself to the Windows directory with the TYPEDEF.EXE name and registers itself in a WIN.INI file in the auto-run section.
To hide its activity, the worm then displays a fake message and exits:
PKSFX Self Extraction Utility Version 2.50 03-01-1999
Copr. 1989-1999 PKWARE Inc. All Rights Reserved. Shareware Version
PKZIP Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
Error in SFX – Unable to extract !!
While installing, the worm tries four “hardcoded” variants of the Windows directory name: C:WINDOWS, C:WIN95, C:WIN98, C:WINNT, and fails to install itself when Windows is installed in the directory with different name.
Upo the next Windows start-up, the worm copy is activated as a TYPEDEF.EXE file from the Windows directory. The worm runs a counter that is stored in the TYPEDEF.INI file and is incremented on each TYPEDEF.EXE file start (i.e., on each
Windows start-up). Depending on that counter (once per three runs), the worm creates a TYPEDEF.VBS file and writes a VisualBasicScript program to there that sends the worm copy attached to e-mail messages.
That program opens MS Outlook, reads e-mail addresses from the AddressBook and sends messages to all of them. The message subject is: “Check this out”.
The message text and attached file name are randomly selected from eight variants:
It seems internet explorer 5 has some kinda bug which leaves some secuirity holes and allows somebody to write files onto your system. I downloaded this fix. I am sending it as an attatchment.
Attach: IE5FIX.EXE
I found something to help get rid of those irritating ads that pop up when you go to some sites. I am sending it as an attatchment.
Attach: NOADS.EXE
Here are some images you might like. You really need to check them out.
Attach: IMAGES.EXE
I am sending some of the coolest pictures known to man. You might want to check them out.
Attach: COOLPICS.EXE
Please take a look at these documents. I am sending them compressed in a self extractor.
Attach: DOCS.EXE
I am sending you the setup of the latest shareware version of PKZip. It gives excellent compression ratios. You might want to install it.
Attach: PKSETUP.EXE
I downloaded a patch to some bug in Internet Explorer. I am sending it as an attatchment.
Attach: PATCH.EXE
I downloaded a screen saver with cool effects. I am sending you its installation. Do try it out
Attach: SCRNSAVE.EXE
Also depending on the counter, the worm displays the text:
------ --
- -- - --
-- ---- ---- ---- ---- --
-- -- -- -- -- -- -- -----
-- -- -- ---- ---- ------ -- --
-- -- -- -- -- -- -- --
---- ---- ---- ---- ----- --- --
----- --- --
-- -- -- --
--- --- -- --- --
--- -- -- -- -----
--- ----- -- ----- -- --
-- -- -- -- -- -- -- -- --
----- --- -- --- --- -- --- --
!!! and scrambled eggs !!!
I-WORM.TSSE
Coded by [Offset]
The worm also contains the text strings:
The Tossed Salad and Scrambled Eggs Worm = I-Worm.TSSE. Coded by [Offset]
|