Email-Worm.Win32.Langex

Class Email-Worm
Platform Win32
Description

Technical Details

Langex is a worm that spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 3KB in length, written in Assembler.

The worm activates from an infected email only if the user clicks on the attached
file. The worm does not install itself to the system and is not activated
again (except when the user clicks on the attached file again).

To spread, the worm uses Windows MAPI functions and “answers” messages in the
email box. The worm sends a “reply” to each message:

The subject is the original message subject with “Re:” prepended.

The message body begins with the text:

CLIENT NOTICE: the recipient viewed your message and this is the reply
message (original version of your message is shown after this text). Due to
the differences of text encoding method used by the recipient and the method
used on this system, the needed language pack is attached to this message. If
the the corrections will be applied, you will be able to read the reply message.

with the original message text appended to that. The attached file name is:

LANG.EXE

The worm then deletes the “answered” message.

The worm also has “copyright” text in its body:

Simple MAPI demonstration : kahuna/TKT’
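
The three traits of the “reply” message described above (a “Re:” subject, a body opening with the CLIENT NOTICE text, and an attachment named LANG.EXE) can be checked on a mail gateway or in a mailbox sweep. The following is an added example, not part of the original description; the function names, the case-insensitive filename comparison and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above.
BODY_MARKER = ("CLIENT NOTICE: the recipient viewed your message "
               "and this is the reply message")
ATTACHMENT_NAME = "lang.exe"  # compared case-insensitively (assumption)


def _norm(text):
    """Collapse whitespace and case so client line wrapping cannot hide a match."""
    return re.sub(r"\s+", " ", text).strip().lower()


def langex_indicators(raw_message):
    """Report which of the three described traits a raw message shows."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = _norm(body_part.get_content()) if body_part is not None else ""
    names = [_norm(p.get_filename() or "") for p in msg.iter_attachments()]
    return {
        "reply_subject": _norm(str(msg.get("Subject", ""))).startswith("re:"),
        "notice_body": body.startswith(_norm(BODY_MARKER)),
        "lang_exe": ATTACHMENT_NAME in names,
    }


def is_langex_like(raw_message):
    """Flag only when all three traits coincide, to limit false positives."""
    return all(langex_indicators(raw_message).values())


def build_sample(body, attachment=None):
    """Constructed test message; the attachment is placeholder bytes, not malware."""
    m = EmailMessage()
    m["From"], m["To"] = "alice@example.com", "bob@example.com"
    m["Subject"] = "Re: quarterly numbers"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


# Constructed samples: body wrapped as on the page, then an ordinary reply.
SUSPECT = build_sample("CLIENT NOTICE: the recipient viewed your message and this is "
                       "the reply\nmessage (original version ...)\n", "LANG.EXE")
BENIGN = build_sample("Thanks, see you Monday.\n")
```

Requiring all three traits together keeps ordinary replies and unrelated attachments from being flagged; `langex_indicators` exposes the individual matches for triage.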