Email-Worm.Win32.Sysnom

Class Email-Worm
Platform Win32
Description

Technical Details

This is a virus-worm that spreads via the Internet attached to infected
e-mails. The worm itself is a Windows PE EXE file about 21Kb in length
(compressed by UPX, decompressed size is about 45K), and is written in Visual Basic.

Infected messages contain:

Subject: Good News
Attachment: SoftwareKey.exe

The body is selected from the following three variants:

Wanna remove the I-worms CodeRed, BadTrans, Goner, Updater, etc?
Good news for you because we’re giving you a software which removes the latest internet worms in your pc.
Included is your free software from AVP.

Hi! You are a winner of a trip to Iceland.
Included in this message is a software which can help you claim your prize.
See you there!!! Iceland.com

Hi! You have just won yourself a plane ticket to Bali, Indonesia!
Click the attachment to see how to claim your price.
This message is courtesy of YouCanSeeTheWorld.com.

The worm is activated from an infected e-mail only when a user clicks on the attached
file. The worm then installs itself to the system, and copies itself to
the C:\WINDOWS directory with the following names:

C:\WINDOWS\SoftwareKey.exe
C:\WINDOWS\SYSNOM.EXE
C:\WINDOWS\SCANREGW.EXE (the original SCANREGW file is overwritten by the worm copy)

and registers one file in the system registry auto-run key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
System Monitor = c:\WINDOWS\SYSNOM.EXE

The worm then displays the following message:

and starts its e-mail spreading routine. To send infected messages, the worm uses
MS Outlook, sending messages to all addresses found in the Outlook address
book.

The worm then opens the “http://www.avp.ch” site with IEXPLORER.EXE, and starts a DoS attack on
the “indovirus.8m.com” site.

The worm does not manifest itself in any other ways.
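Two detection checks built from the indicators listed above, as an added example that is not part of the original description: a mail-gateway rule keyed on the fixed subject, attachment name and the three body variants, and a host check for the dropped files and the Run value. The paths, registry value and message text come from the description; the sample message, the function names and the file/registry input format are assumptions made for this example.

```python
import hashlib
from email import message_from_string

# Constructed sample message following the format in the description above.
SAMPLE_MAIL = """\
Subject: Good News
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi! You are a winner of a trip to Iceland.
Included in this message is a software which can help you claim your prize.
--b1
Content-Type: application/octet-stream; name="SoftwareKey.exe"
Content-Disposition: attachment; filename="SoftwareKey.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

BODY_PHRASES = ("free software from avp", "trip to iceland", "ticket to bali")

def mail_is_sysnom(raw: str) -> bool:
    """Gateway rule: fixed subject, fixed attachment name, and one of the
    three body variants. All three must match to keep false positives low."""
    msg = message_from_string(raw)
    if (msg.get("Subject") or "").strip().lower() != "good news":
        return False
    names = [(p.get_filename() or "").lower() for p in msg.walk()]
    if "softwarekey.exe" not in names:
        return False
    text = b"".join(p.get_payload(decode=True) or b"" for p in msg.walk()
                    if p.get_content_type() == "text/plain").decode(errors="replace")
    return any(phrase in text.lower() for phrase in BODY_PHRASES)

def host_indicators(files: dict, run_values: dict) -> list:
    """files: lowercase path -> bytes; run_values: Run value name -> data (assumed input
    format). SCANREGW.EXE is flagged only when byte-identical to SYSNOM.EXE, because
    the worm overwrites the original with a copy of itself; an untouched one is clean."""
    hits = [p for p in (r"c:\windows\softwarekey.exe", r"c:\windows\sysnom.exe")
            if p in files]
    sysnom, scanregw = files.get(r"c:\windows\sysnom.exe"), files.get(r"c:\windows\scanregw.exe")
    if sysnom is not None and scanregw is not None and \
            hashlib.sha256(sysnom).digest() == hashlib.sha256(scanregw).digest():
        hits.append(r"c:\windows\scanregw.exe (overwritten by worm copy)")
    hits += ["Run:" + n for n, d in run_values.items()
             if n.lower() == "system monitor" and "sysnom.exe" in d.lower()]
    return hits
```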