Technical Details
This is a virus-worm that spreads via the Internet attached to infected
e-mails. The worm itself is a Windows PE EXE file about 21Kb in length
(compressed by UPX; the decompressed size is about 45Kb), and is written in Visual Basic.
Infected messages contain:
Subject: Good News
Attachment: SoftwareKey.exe
The body is selected from the following three variants:

Wanna remove the I-worms CodeRed, BadTrans, Goner, Updater, etc?
Good news for you because we’re giving you a software which removes the latest internet worms in your pc.
Included is your free software from AVP.

Hi! You are a winner of a trip to Iceland.
Included in this message is a software which can help you claim your prize.
See you there!!! Iceland.com

Hi! You have just won yourself a plane ticket to Bali, Indonesia!
Click the attachment to see how to claim your price.
This message is courtesy of YouCanSeeTheWorld.com.
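The Subject and attachment name are the only fixed features of the message (the three bodies vary), so together they make a usable mail-gateway rule. The following is an added example, not part of the original description: a Python check that parses a raw message, reports the exact Subject/attachment pair as this worm, and treats any other executable attachment as suspicious. The sample message is constructed in memory, and the list of executable suffixes beyond .exe is an assumption of the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
WORM_SUBJECT = "Good News"
WORM_ATTACHMENT = "SoftwareKey.exe"
# Assumption: a gateway would refuse these executable suffixes in general,
# not only the .exe this worm uses.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def build_sample_message(subject: str, attachment_name: str, body: str) -> bytes:
    """Construct a test message in memory (a fixture, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    # Placeholder bytes standing in for the attachment; not the worm itself.
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def classify_message(raw: bytes) -> dict:
    """Return a verdict for one raw RFC 5322 message.

    'worm'       : Subject and attachment name match the description exactly
    'suspicious' : some other executable attachment is present
    'clean'      : neither
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]

    exact_match = (subject.casefold() == WORM_SUBJECT.casefold()
                   and any(n.casefold() == WORM_ATTACHMENT.casefold() for n in attachments))
    executables = [n for n in attachments if n.lower().endswith(EXECUTABLE_SUFFIXES)]

    if exact_match:
        verdict = "worm"
    elif executables:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "subject": subject, "attachments": attachments}


if __name__ == "__main__":
    sample = build_sample_message(WORM_SUBJECT, WORM_ATTACHMENT,
                                  "Included is your free software from AVP.")
    print(classify_message(sample))
```

Matching is case-insensitive on both the Subject and the file name, since neither Outlook nor the Windows file system distinguishes case; a message that only carries one of the two indicators still falls into the "suspicious" bucket if the attachment is executable.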
The worm is activated from an infected e-mail only when the user opens the attached
file. The worm then installs itself to the system, copying itself to the
C:\WINDOWS directory under the following names:
C:\WINDOWS\SoftwareKey.exe
C:\WINDOWS\SYSNOM.EXE
C:\WINDOWS\SCANREGW.EXE (the original SCANREGW.EXE file is overwritten by the worm copy)
and registers one of these files in the system registry auto-run key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
System Monitor = c:\WINDOWS\SYSNOM.EXE
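A host-side check for the installation artifacts just listed, as an added example that is not part of the original description: it looks for the two worm file names in the Windows directory, treats SCANREGW.EXE as overwritten only when it is byte-identical to one of the worm copies (the legitimate file should differ), and inspects Run values for the "System Monitor" entry. Because the auto-run key is under HKEY_CURRENT_USER, it only fires for the user who opened the attachment, so the values should be read from that user's hive. The Run values are passed in as a mapping so the code runs offline (on a live system they would be read with winreg, an assumption of the example), and the scratch directory fixture is constructed here.

```python
import hashlib
import tempfile
from pathlib import Path

# File and registry artifacts from the description above.
WORM_COPIES = ("SoftwareKey.exe", "SYSNOM.EXE", "SCANREGW.EXE")
RUN_VALUE_NAME = "System Monitor"
RUN_VALUE_TARGET = "SYSNOM.EXE"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_ci(directory: Path, name: str):
    """Case-insensitive lookup, matching how Windows resolves file names."""
    for p in directory.iterdir():
        if p.is_file() and p.name.casefold() == name.casefold():
            return p
    return None


def check_host(windows_dir, run_values: dict) -> dict:
    """Look for the worm's installation artifacts.

    windows_dir: path standing in for C:\\WINDOWS
    run_values : name -> data of HKCU\\...\\CurrentVersion\\Run, read beforehand
                 (assumption: with winreg on a live Windows system)
    """
    windows_dir = Path(windows_dir)
    findings = []
    present = {name: find_ci(windows_dir, name) for name in WORM_COPIES}
    present = {k: v for k, v in present.items() if v is not None}

    # SoftwareKey.exe and SYSNOM.EXE have no legitimate reason to exist here.
    for name in ("SoftwareKey.exe", "SYSNOM.EXE"):
        if name in present:
            findings.append(f"worm copy present: {present[name]}")

    # SCANREGW.EXE is a legitimate Windows file, so its presence alone proves
    # nothing. The description says the worm overwrites it with a copy of
    # itself, so an infected one is byte-identical to the other copies.
    if "SCANREGW.EXE" in present:
        scanregw_hash = sha256_of(present["SCANREGW.EXE"])
        for name in ("SYSNOM.EXE", "SoftwareKey.exe"):
            if name in present and sha256_of(present[name]) == scanregw_hash:
                findings.append(f"SCANREGW.EXE overwritten (identical to {name})")
                break

    for value_name, data in run_values.items():
        if (value_name.casefold() == RUN_VALUE_NAME.casefold()
                and data.casefold().endswith(RUN_VALUE_TARGET.casefold())):
            findings.append(f"autorun value {value_name!r} -> {data}")

    return {"infected": bool(findings), "findings": findings}


def make_sample_windows_dir(infected: bool) -> Path:
    """Constructed fixture: a scratch directory standing in for C:\\WINDOWS."""
    d = Path(tempfile.mkdtemp(prefix="windir-"))
    legit = b"MZ" + b"\x00" * 32 + b"placeholder for the real SCANREGW.EXE"
    if infected:
        # Placeholder bytes only; this is not the worm.
        worm = b"MZ" + b"\x00" * 32 + b"placeholder worm body"
        for name in WORM_COPIES:
            (d / name).write_bytes(worm)
    else:
        (d / "SCANREGW.EXE").write_bytes(legit)
    return d


if __name__ == "__main__":
    report = check_host(make_sample_windows_dir(True),
                        {"System Monitor": r"c:\WINDOWS\SYSNOM.EXE"})
    for line in report["findings"]:
        print(line)
```

Hash comparison rather than a fixed hash of the worm is deliberate: the description gives no hash, and the "identical to a known worm copy" test also tells you whether SCANREGW.EXE needs restoring from installation media rather than simply deleting.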
The worm then displays the following message:

and starts its e-mail spreading routine. To send infected messages, the worm uses
MS Outlook, sending messages to all addresses found in the Outlook address
book.
The worm then opens the “http://www.avp.ch” site with IEXPLORER.EXE, and starts a DoS attack on
the “indovirus.8m.com” site.
The worm does not manifest itself in any other ways.