Email-Worm.Win32.Shatrix

Class Email-Worm
Platform Win32
Description

Technical Details

This is a virus-worm that spreads via the Internet attached to infected
e-mails. The worm also spreads over a local network by copying itself to shared drives.
The worm itself is a Windows PE EXE file about 380Kb in length, and is written in Delphi.

Infected messages contain:

Subject: FW:Shake a little

Body: Hi !
This will shake your world 🙂
Regards,
%username%

Attachment: SHAKE.EXE

Where %username% is the name of the infected machine's user.
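The message format above gives a mail gateway three fixed indicators to match on: the subject line, the attachment name and the body phrase. The following is an added example, not code from the original description, that parses a constructed sample message with Python's standard `email` library and reports which of those indicators are present; the raw message and the sender/recipient addresses in it are made up for the example.

```python
import email
from email import policy

# Indicators taken from the Email-Worm.Win32.Shatrix message description.
SUBJECT = "FW:Shake a little"
ATTACHMENT = "SHAKE.EXE"
BODY_PHRASE = "This will shake your world"

# Constructed sample message (not a real capture), shaped like the description.
# The attachment payload is a base64 placeholder, not the worm's code.
SAMPLE_RAW = """From: someone@example.invalid
To: victim@example.invalid
Subject: FW:Shake a little
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XXXX"

--XXXX
Content-Type: text/plain; charset="us-ascii"

Hi !
This will shake your world :)
Regards,
someone
--XXXX
Content-Type: application/octet-stream; name="SHAKE.EXE"
Content-Disposition: attachment; filename="SHAKE.EXE"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--XXXX--
"""

# Constructed benign message used to show that ordinary mail produces no hits.
BENIGN_RAW = """From: someone@example.invalid
To: victim@example.invalid
Subject: Meeting notes
Content-Type: text/plain; charset="us-ascii"

See you at 10.
"""


def shatrix_indicators(raw):
    """Return the list of Shatrix message indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() == SUBJECT:
        hits.append("subject")
    # walk() visits the top-level message and every MIME part in order
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.upper() == ATTACHMENT:
            hits.append("attachment")
        if part.get_content_type() == "text/plain" and BODY_PHRASE in part.get_content():
            hits.append("body")
    return hits


def is_shatrix_message(raw):
    """Subject plus attachment name together are enough to quarantine the message."""
    hits = shatrix_indicators(raw)
    return "subject" in hits and "attachment" in hits


if __name__ == "__main__":
    print("sample:", shatrix_indicators(SAMPLE_RAW), is_shatrix_message(SAMPLE_RAW))
    print("benign:", shatrix_indicators(BENIGN_RAW), is_shatrix_message(BENIGN_RAW))
```

The attachment check compares the filename case-insensitively because mail clients and gateways do not always preserve the case the worm used; the body phrase is kept as a secondary indicator since the text can be altered by forwarding.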

The worm is activated from infected e-mail only when a user clicks on an attached
file. The worm then installs itself to the system, runs its spreading routine and
payload.

While installing, the worm copies itself to the Windows system directory with a
random name, and registers that file in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemInfo = %worm file name%
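Because the file name is random but the Run value name is fixed, the persistence entry is the stable thing to look for during incident response. The block below is an added example, not part of the original description: it parses a constructed `.reg`-style export of the Run key (the kind produced by `reg export`, where HKLM is written out as HKEY_LOCAL_MACHINE) and reports the path registered under the `SystemInfo` value. The sample export, the benign value in it and the random worm file name are all made up for the example.

```python
import re

# Persistence location and value name from the Email-Worm.Win32.Shatrix description
# (.reg exports spell HKLM out as HKEY_LOCAL_MACHINE).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAME = "SystemInfo"

# Constructed .reg-style export (not taken from a real machine); the worm copies
# itself to the Windows system directory under a random name, so QWXKTL.EXE is a
# made-up stand-in for that random name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Program Files\\Example\\example.exe"
"SystemInfo"="C:\\WINDOWS\\SYSTEM\\QWXKTL.EXE"
'''

# Constructed export of a machine without the worm's entry.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Program Files\\Example\\example.exe"
'''


def parse_run_values(reg_text):
    """Return {value name: data} for string values under the HKLM Run key."""
    values = {}
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # a new key section starts; remember whether it is the Run key
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if in_run:
            match = re.match(r'"([^"]+)"="(.*)"$', line)
            if match:
                # .reg files escape backslashes in string data as \\
                values[match.group(1)] = match.group(2).replace("\\\\", "\\")
    return values


def in_windows_system_dir(path):
    """True if the path points into a Windows system directory (SYSTEM or SYSTEM32)."""
    lowered = path.lower()
    return "\\system\\" in lowered or "\\system32\\" in lowered


def find_shatrix_autorun(reg_text):
    """Return the file registered as SystemInfo under Run, or None if absent."""
    for name, data in parse_run_values(reg_text).items():
        if name.lower() == VALUE_NAME.lower():
            return data
    return None


def assess(reg_text):
    """Combine both checks into a short verdict a responder can act on."""
    path = find_shatrix_autorun(reg_text)
    if path is None:
        return "no SystemInfo autorun value"
    if in_windows_system_dir(path):
        return "suspicious: SystemInfo autorun points into the system directory: " + path
    return "review: SystemInfo autorun present but outside the system directory: " + path


if __name__ == "__main__":
    print(assess(SAMPLE_REG))
    print(assess(CLEAN_REG))
```

The value name comparison is case-insensitive because registry value names are; the system-directory test is only a supporting signal, since the description says the copy lands there but a legitimate program could also register itself from that location.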

To send infected messages, the worm uses MS Outlook MAPI. To obtain victim
addresses, the worm looks for and scans the following files:

*.asp *.html *.htm

Depending on the system date, the worm creates random directories, and drops HTML files
with texts randomly constructed from the following strings:

MatriX is out there
MatriX has You…
MatriX is All around You
01001101011000010111010001110010011010