Class | Email-Worm |
Platform | Win32 |
Description |
Technical Details

This virus spreads via the Internet as an attachment to infected messages. The worm itself is a Windows PE EXE file 14136 bytes in size.

Installation

The worm copies itself to the Windows root directory as brsh32.exe:

%WinDir%\brsh32.exe

It then registers this file in the Windows system registry as a new service. This ensures that the worm will be launched each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
"brsh32Service"="%WinDir%\brsh32.exe -q"

The worm will:

The worm sends itself to email addresses harvested from the victim machine. When sending infected messages, the worm establishes a direct connection to the recipient's SMTP server.

Email Subject

The message subject is chosen at random from the list below:

Email Contents

The message body does not change, and is as follows:

Funny Pics Inc. strikes back with more free stuff.
Visit our new website with lots of funny pics and new screensavers like this!
www.funnypics.com

Attachment

The worm sends a copy of itself in the following attachment: %windir%\brsh32.exe. However, it disguises this file as a picture from www.funnypics.com. The attachment name is chosen at random from the list below:

Payload

The worm will open a TCP port between 8000 and 8255 (chosen at random) and will listen for commands. This provides a remote malicious user with full access to the victim machine, making it possible to get information from the victim machine, download, launch and delete files.

Removal instructions
|
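The RunServices value and the listening port range described above can be checked on a suspect host from a registry export and `netstat -ano` output. The following is an added example, not part of the original description; the sample registry export, the netstat lines and the function names are constructed for illustration.

```python
import re

# Indicators taken from the description above.
RUN_KEY_SUFFIX = r"\currentversion\runservices"
VALUE_NAME, FILE_NAME = "brsh32service", "brsh32.exe"
PORT_RANGE = range(8000, 8256)  # 8000-8255 inclusive

# Constructed sample input: a .reg-style export and `netstat -ano` lines.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"brsh32Service"="C:\\WINDOWS\\brsh32.exe -q"
'''
SAMPLE_NETSTAT = '''
  TCP    0.0.0.0:135      0.0.0.0:0        LISTENING       4
  TCP    0.0.0.0:8117     0.0.0.0:0        LISTENING       412
  TCP    10.0.0.5:1042    10.0.0.9:8080    ESTABLISHED     300
'''

def find_persistence(reg_text):
    """Return (key, name, data) for RunServices values matching the worm."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # remember which key the following values belong to
        elif key and key.lower().endswith(RUN_KEY_SUFFIX):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and (m.group(1).lower() == VALUE_NAME or FILE_NAME in m.group(2).lower()):
                hits.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return hits

def find_listeners(netstat_text):
    """Return (port, pid) for TCP listeners inside the worm's port range."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            port = int(f[1].rsplit(":", 1)[1])
            if port in PORT_RANGE:
                hits.append((port, int(f[4])))
    return hits

def assess(reg_text, netstat_text):
    # The port range overlaps common services, so only the registry value decides.
    reg, net = find_persistence(reg_text), find_listeners(netstat_text)
    return {"persistence": reg, "listeners": net, "likely_infected": bool(reg)}
```

A listener in the 8000-8255 range is reported with its PID so it can be matched against the process image named in the registry value.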