Email-Worm.Win32.Silly

Detect Date 11/14/2005
Class Email-Worm
Platform Win32
Description

This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim computer.

The worm itself is a PE EXE file 15462 bytes in size, written in Visual Basic.

Installation

When installing, the worm copies itself to the Fonts folder in the Windows root directory under a random name:

%Windir%\Fonts\<random name>.com

The worm also registers itself in the system registry, ensuring that it will be launched each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

 "TempCom"="%Windir%\Fonts\<random name>.com"

The worm modifies the following system registry entries:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]

 "fullpath"="1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

 "HideFileExt"="1"

 "Hidden"="0"
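
A triage check for the registry changes listed above, added here as an example and not part of the original description: it parses the text of a `reg export` dump and flags Run-key values that launch an executable from the Fonts folder, plus the listed Explorer settings. It generalizes from the `TempCom` value name to any Run value pointing into Fonts; the sample dump, the file name `qwzkx.com` and all function names are constructed for illustration.

```python
import re

# Constructed sample: decoded text of a `reg export` dump (illustrative values).
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TempCom"="C:\\WINDOWS\\Fonts\\qwzkx.com"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000000
'''

RUN = r"\software\microsoft\windows\currentversion\run"
EXPLORER = r"\software\microsoft\windows\currentversion\explorer"
# Executable file types have no legitimate reason to auto-start from Fonts.
FONTS_EXEC = re.compile(
    r"^(%windir%|[a-z]:\\windows)\\fonts\\[^\\]+\.(com|exe|scr|pif)\b", re.I)
# Explorer values from the description. Weak on their own (HideFileExt=1 is
# also the Windows default), so treat them as supporting evidence only.
SETTINGS = {("advanced", "hidefileext"): "1", ("advanced", "hidden"): "0",
            ("cabinetstate", "fullpath"): "1"}

def decode(raw):  # normalize REG_DWORD / REG_SZ data to a plain string
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    return raw.strip('"').replace("\\\\", "\\")

def parse_reg(text):  # -> {key_path_lower: {value_name_lower: data}}
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = decode(m.group(2))
    return keys

def find_indicators(text):
    hits = []
    for key, values in parse_reg(text).items():
        if key.endswith(RUN):
            hits += [("run-from-fonts", n, d) for n, d in values.items()
                     if FONTS_EXEC.match(d.lstrip('\\"'))]
        for (sub, name), bad in SETTINGS.items():
            if key.endswith(EXPLORER + "\\" + sub) and values.get(name) == bad:
                hits.append(("explorer-setting", name, bad))
    return hits
```

A real `reg export` file is UTF-16 with a version header line; decode it to text before passing it in.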

Propagation via email

The worm sends itself to addresses harvested from the MS Windows address books on the victim machine.

Infected messages

Message subject

Document

Attachment name

Document.exe