Snapper spreads over the Internet in infected emails as a link to an infected website.
Infected emails contain the following HTML coded link:
Once the link is activated Snapper exploits a MS Internet Explorer vulnerability described in the MS03-040 Security Bulletin.
As a result, a script Trojan is downloaded and executed. The Trojan extracts and installs the main component of the worm into the system – IELOAD.DLL
Snapper is a PE dll file about 8 KB in size. It installs itself into the Windows system folder and is launched as a system library.
The worm harvests all email addresses from the MS Outlook address book and uses the local SMTP server to send emails to these addresses.