Kaspersky Threats

Class

Platform

Description

Technical Details

This is a virus-worm that spreads via the Internet attached to infected
e-mails. The worm itself is a Windows PE EXE file about 21Kb in length
(compressed by UPX, decompressed size is about 45K), and is written in Visual Basic.

Infected messages contain:

Subject: Good News
Attachment: SoftwareKey.exe

The body is selected from the following three variants:

Wanna remove the I-worms CodeRed, BadTrans, Goner, Updater, etc?
Good news for you because we’re giving you a software which removes the latest internet worms in your pc.
Included is your free software from AVP.

Hi! You are a winner of a trip to Iceland.
Included in this message is a software which can help you claim your prize.
See you there!!! Iceland.com

Hi! You have just won yourself a plane ticket to Bali, Indonesia!
Click the attachment to see how to claim your price.
This message is courtesy of YouCanSeeTheWorld.com.

The worm is activated from an infected e-mail only when a user clicks on the attached
file. The worm then installs itself to the system, and copies itself to
C:WINDOWS directory with the following names:

C:WINDOWSSoftwareKey.exe
C:WINDOWSSYSNOM.EXE
C:WINDOWSSCANREGW.EXE (opriginal SCANREGW file is overwritten by worm copy)

and registers one file in the system registry auto-run key:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
System Monitor = c:WINDOWSSYSNOM.EXE

The worm then displays the following message:

and starts its e-mail spreading routine. To send infected messages, the worm uses
MS Outlook, sending messages to all addresses found in the Outlook address
book.

The worm then opens the “http://www.avp.ch” site with IEXPLORER.EXE, and starts a DoS attack on
the “indovirus.8m.com” site.

The worm does not manifest itself in any other ways.

Class	Email-Worm
Platform	Win32
Description	Technical Details This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE EXE file about 21Kb in length (compressed by UPX, decompressed size is about 45K), and is written in Visual Basic. Infected messages contain: Subject: Good News Attachment: SoftwareKey.exe The body is selected from the following three variants: Wanna remove the I-worms CodeRed, BadTrans, Goner, Updater, etc? Good news for you because we’re giving you a software which removes the latest internet worms in your pc. Included is your free software from AVP. Hi! You are a winner of a trip to Iceland. Included in this message is a software which can help you claim your prize. See you there!!! Iceland.com Hi! You have just won yourself a plane ticket to Bali, Indonesia! Click the attachment to see how to claim your price. This message is courtesy of YouCanSeeTheWorld.com. The worm is activated from an infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, and copies itself to C:WINDOWS directory with the following names: C:WINDOWSSoftwareKey.exe C:WINDOWSSYSNOM.EXE C:WINDOWSSCANREGW.EXE (opriginal SCANREGW file is overwritten by worm copy) and registers one file in the system registry auto-run key: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun System Monitor = c:WINDOWSSYSNOM.EXE The worm then displays the following message: and starts its e-mail spreading routine. To send infected messages, the worm uses MS Outlook, sending messages to all addresses found in the Outlook address book. The worm then opens the “http://www.avp.ch” site with IEXPLORER.EXE, and starts a DoS attack on the “indovirus.8m.com” site. The worm does not manifest itself in any other ways.

Email-Worm.Win32.Sysnom

Technical Details