Detect Date | 11/14/2005 |
Class | Email-Worm |
Platform | Win32 |
Description |
This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the victim computer. The worm itself is a PE EXE file 15462 bytes in size, written in Visual Basic. InstallationWhen installing, the worm copies itself to the Fonts folder in the Windows root directory under a random name: %Windir%Fonts<random name>.com The worm also registers itself in the system registry, ensuring that it will be launched each time Windows is rebooted on the victim machine: [HKLMSoftwareMicrosoftWindowsCurrentVersionRun] "TempCom"="%Windir%Fonts<random name>.com" The worm modifies the following system registry entries: [HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerCabinetState] “fullpath”=”1” [HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced] “HideFileExt” = “1” “Hidden” = “0” Propagation via emailThe worm sends itself to addresses harvested from the MS Windows address books on the victim machine. Infected messagesMessage subjectDocument Attachment nameDocument.exe |
Find out the statistics of the threats spreading in your region |