This is a worm that spreads under Win32 systems. The virus sends e-mail messages
with infected files attached, as well as installs a spying Trojan component
to steal information from infected systems. The worm was discovered
in-the-wild in November 2001.
The worm itself is a Win32 executable file (PE EXE file). It was found
in-the-wild in compressed form, and is about 29Kb in size. Upon being
decompressed, the worm file length becomes about 60Kb in size.
The worm consists of two main components, the Worm and Trojan. The “Worm”
component sends infected messages, and the “Trojan” component sends out
information (user’s info, RAS data, cached passwords, keyboard log) from
infected computers to a specified e-mail address. It also keeps a “keylogger”
program body in its code, and installs it into the system while infecting a new
Infecting the system
When an infected file is run (when a user clicks on an attached file and
activates it, or if the worm gains control through an IFRAME security breach),
the worm code gains control. First of all, it drops (installs)
its components to the system and registers in the system registry.
The installed Trojan file-name, the target directory and registry key are
optional. They are stored in encrypted form in the Trojan file at the file end.
A hacker may configure them before sending them to a victim’s machine, or
before putting it on a Web site.
The worm also drops an additional keyboard hooker (Win32 DLL file) to the system,
and then uses this to spy on text entered by a keyboard. The DLL file name is
optional as well.
Other optional features are:
– the worm deletes original infected file when installation is complete
– the size of keyboard log file
To send infected messages, the worm uses a direct connection to an SMTP server.
A victim’s e-mail addresses are obtained in two different ways:
#1. The worm scans *.HT* and *.ASP files and extracts e-mail addresses from here
#2. The worm, using MAPI functions, reads all e-mail from the incoming box,
and obtains e-mail addresses from here.
Next, the worm sends infected messages. The message body contains HTML format, and
uses an IFRAME breach to spawn an infected attachment on vulnerable machines.
The message fields are as follows:
From: – original sender, or fake address, randomly selected from:
“Mary L. Adams”
The original sender address is a bit modified: the “_” character is inserted
before the e-mail address in there, for example:
“John K. Smith” “Vasja Pupkin” – original address
“John K. Smith” <firstname.lastname@example.org> “Vasja Pupkin” <email@example.com> – sent by worm
Subject: empty, or “Re:”, or “Re:” followed by original Subject from real
Inbox messsage (see #2 above)
Attachment: randomly selected “filename + ext1 + ext2” where:
Pics (or PICS ) Card (or CARD)
images (or IMAGES) Me_nude (or ME_NUDE)
news_doc (or NEWS_DOC) docs (or DOCS)
HAMSTER Humor (or HUMOR)
YOU_are_FAT! (or YOU_ARE_FAT!) fun (or FUN)
"ext1": .DOC .ZIP .MP3
"ext2": .scr, .pif
For example: “info.DOC.scr”
The worm doesn’t send infected messages twice to the same address. To do this,
it stores all infected e-mails in the Windows system directory in a PROTOCOL.DLL
file, and checks this file content before sending a new message.
This routine stores stolen information to a log file (with an optional name), and
encrypts this information with a key (also optional). After a period of time, this
information is sent to one of a number of randomly selected e-mail addresses. A list of these addresses appears below; the list contains 22 addresses and e-mail servers; and
these messages are sent through (email + server):
This worm variant found in-the-wild on November 24, 2001 has the following
It installs itself to a Windows system directory with the KERNEL32.EXE name, and
registers it in the following registry key:
Kernel32 = kernel32.exe
It drops a keyboard hooker with the KDLL.DLL name. The log info is stored in the Windows system
directory with the CP_25389.NLS name.