Email-Worm.Win32.Sint

Class Email-Worm
Platform Win32
Description

Technical Details

This is email worm spreading by affecting MS Outlook. The worm itself is Win32 executable file about 30K of length. The worm is written in Visual Basic language.

When the worm is run it copies itself to Windows directories with the names:

C:WindowsVicevi_teza_odvala.txt.exe
C:windowssystemVicevi_teza_odvala.txt.exe

The second file is then registered in system registry auto-run key:

HKCUSoftwareMicrosoftWindowsCurrentVersionRun
Sintesys = c:windowssystemVicevi_teza_odvala.txt.exe

The “C:Windows” directory name is hardcoded in worm code, so it is not able to affect the system in case Windows directory name is not like that one.

The worm also copies itself with the same name to root directories of all available logical drives (local or remote).

The worm then connects to MS Outlook by using MAPI functions, gets all addresses from Address Book and sends messages to all of them. The messages have:

Subject: Vicevi!
Attach: Vicevi_teza_odvala.txt.exe

Text body is randomly selected from four variants:

Cao! Izvini sto te uznemiravam ovako, ali evo saljem ti neke viceve koji cete sigurno oraspoloziti!

Vozdra! Evo pogledaj ove viceve koje sam i ja dobio neki dan! Pravo su smijesni!

Cao korisnice! Znam da sigurno nemas vremena da pogledas ove viceve koje ti saljem. Nadam se da ces imati vremena da ih pogledas!

Zdravo! Nemoram ti nista pricati…samo pogledaj ovu veliku kolekciju viceva 😉

Vicevi!- Message
  Cao! Izvini sto te uznemiravam ovako, ali evo saljem ti
  neke viceve koji cete sigurno oraspoloziti!

To hide its activity the worm displays the fake error messages:

...cash!
  Raspakuj viceve!

WinZip SelfExtractor: Warning
  CRC error: 234#21