This virus spreads via the Internet as an attachment to infected messages. The worm itself is a Windows PE EXE file 14136 bytes in size.
The worm copies itself to the Windows root directory as brsh32.exe:
It then registers this file in the Windows system registry as a new service. This ensures that the worm will be launched each time Windows is rebooted on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices] "brsh32Service"="%WinDir%\brsh32.exe -q"
The worm will:
The worm sends itself to email addresses harvested from the victim machine.
When sending infected messages, the worm establishes a direct connection to the recipient’s SMTP server.
The message subject is chosen at random from the list below:
The message body does not change, and is as follows:
Funny Pics Inc. strikes back with more free stuff.Visit our new website with lots of funny pics and new screensavers like this! www.funnypics.com
The worm sends a copy of itself in the following attachment: %windir%\brsh32.exe. However, it disguises this file as a picture from www.funnypics.com.
The attachment name is chosen at random from the list below:
The worm will open a TCP port between 8000 and 8255 (chosen at random) and will listen for commands.
This gives a remote malicious user full access to the victim machine, making it possible to retrieve information from it and to download, launch and delete files.
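A host-triage check built from the indicators in this description, given as an added example that is not part of the original write-up. It assumes the RunServices values, a Windows-directory file listing and `netstat -ano` output have already been collected from the host; the function name and all sample data are constructed for illustration.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
VALUE_NAME, FILE_NAME, FILE_SIZE = "brsh32service", "brsh32.exe", 14136
BACKDOOR_PORTS = range(8000, 8256)   # 8000-8255 inclusive

# One TCP row of `netstat -ano`: local port, remote address and port, state, PID.
ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\S+):(\d+)\s+(LISTENING|ESTABLISHED)\s+(\d+)")

def triage(run_values, windir_files, netstat_text):
    """Return findings (leads to investigate, not verdicts) for one host."""
    findings = []
    for name, data in run_values.items():
        if name.lower() == VALUE_NAME or FILE_NAME in data.lower():
            findings.append(f"autostart {RUN_KEY}: {name}={data}")
    for fname, size in windir_files.items():
        if fname.lower() == FILE_NAME:
            match = "matches" if size == FILE_SIZE else "differs from"
            findings.append(f"file {fname}: size {size} {match} {FILE_SIZE}")
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        lport, raddr, rport, state, pid = int(m[1]), m[2], int(m[3]), m[4], m[5]
        if state == "LISTENING" and lport in BACKDOOR_PORTS:
            # Legitimate services also use this range, so confirm the owning PID.
            findings.append(f"listener tcp/{lport} pid {pid}")
        elif state == "ESTABLISHED" and rport == 25:
            # A workstation talking straight to port 25 bypasses the mail relay.
            findings.append(f"direct smtp to {raddr} pid {pid}")
    return findings

# Constructed sample data (not from a real host).
SAMPLE_RUN = {"brsh32Service": r"C:\WINDOWS\brsh32.exe -q",
              "LoadPowerProfile": "Rundll32.exe powrprof.dll"}
SAMPLE_FILES = {"notepad.exe": 69120, "brsh32.exe": 14136}
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135       0.0.0.0:0          LISTENING     912
  TCP    0.0.0.0:8123      0.0.0.0:0          LISTENING     2044
  TCP    10.0.0.5:1042     203.0.113.9:25     ESTABLISHED   2044
  TCP    10.0.0.5:1050     10.0.0.2:445       ESTABLISHED   4
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_NETSTAT):
        print(finding)
```

The listener and the direct SMTP connection sharing one PID is the stronger signal; either one alone can have a benign explanation.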