Email-Worm.Win32.Snapper

Technical Details

Snapper spreads over the Internet in infected emails as a link to an infected website.

Infected emails contain the following HTML coded link:

Once the link is activated Snapper exploits a MS Internet Explorer vulnerability described in the MS03-040 Security Bulletin.

As a result, a script Trojan is downloaded and executed. The Trojan extracts and installs the main component of the worm into the system – IELOAD.DLL

Snapper is a PE dll file about 8 KB in size. It installs itself into the Windows system folder and is launched as a system library.

The worm harvests all email addresses from the MS Outlook address book and uses the local SMTP server to send emails to these addresses.