Email-Worm.Win32.Gismor

Class Email-Worm
Platform Win32
Description

Technical Details

This is a worm that spreads via the Internet as an attachment to infected
emails. The worm itself is a Windows PE EXE file about 8Kb in length, written in
Assembler.

The infected messages have the following fields:

Mail From: < Gismo@gmx.de >
From: MP3 Deluxe
To: My best friends
Subject: Phenomenal
Body: body is empty
Attach: MP3Player.exe
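
As an added example (not part of the original description), a mail-gateway check that matches a message against the fields listed above. The function names, the quarantine threshold and both sample messages are constructed assumptions.

```python
from email import message_from_string

# Indicators copied from the field list above, lower-cased for comparison.
HEADER_INDICATORS = {"from": "mp3 deluxe", "to": "my best friends", "subject": "phenomenal"}
ENVELOPE_SENDER = "gismo@gmx.de"
ATTACHMENT_NAME = "mp3player.exe"

def gismor_indicators(raw_message, envelope_from=""):
    """Return the set of indicator names from the field list that match."""
    msg = message_from_string(raw_message)
    hits = set()
    # The SMTP envelope sender (MAIL FROM) is not a header; the gateway passes it in.
    if envelope_from.strip("<> \t").lower() == ENVELOPE_SENDER:
        hits.add("envelope")
    for header, expected in HEADER_INDICATORS.items():
        if str(msg.get(header, "")).strip().lower() == expected:
            hits.add(header)
    # Walk every MIME part, since the attachment may be nested.
    for part in msg.walk():
        if (part.get_filename() or "").strip().lower() == ATTACHMENT_NAME:
            hits.add("attachment")
    return hits

def should_quarantine(raw_message, envelope_from=""):
    """Assumed policy: the attachment name plus at least two other indicators."""
    hits = gismor_indicators(raw_message, envelope_from)
    return "attachment" in hits and len(hits) >= 3

# Constructed sample messages; the attachment payload is a harmless placeholder.
SAMPLE_INFECTED = """\
From: MP3 Deluxe
To: My best friends
Subject: Phenomenal
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--b1
Content-Disposition: attachment; filename="MP3Player.exe"

AAAA
--b1--
"""
SAMPLE_BENIGN = "From: Alice <alice@example.org>\nSubject: Phenomenal\n\nSee you Friday.\n"
```
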

To run from an infected message, the worm uses the IFrame security breach. The
worm then installs itself on the system and runs its spreading routine.

While installing, the worm copies itself to the Windows system directory under
the name SSMS.EXE and registers this file in the system registry auto-run key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

To send infected messages, the worm uses a direct connection to the default
SMTP server, or to the “mail.gmx.net” server.

To get victims’ email addresses, the worm uses Windows MAPI functions and
reads emails from email boxes.