This is the worm virus spreading via the Internet being attached to infected
The worm itself is Windows PE EXE file about 35Kb of length (compressed by
The texts and attached file names in infected messages are different, they depend
The message body is completed with "A presto..." or "Bye." text.
tettona.exe euro.exe tattoo.exe
The worm activates from infected email only in case a user clicks on attached
While installing the worm copies itself to Windows directory with the
The worm then displays fake error message:
Error VBRUN49.DLL not found!
To send infected messages the worm uses direct connection to default SMTP
The backdoor procedure opens connection on port 5001 and listens to the "master". Then it processes following instructions:
"HELO" - replies with "Hello, guy" text "SCAN" - scans all directories and reports dir/files in there (like remote DIR command) "EXEC" - runs specified file "UNINST" - removes itself from the system, including registry "Run" key. "VIEW" - displays to "master" specified file "DOWN" - downloads to "master" specified file
On January 12th the worm displays the message:
Hello, Ciao, il tuo computer � infettato dal virus Fral�. Certo che devi essere proprio un pirlone, per esserti fatto fregare dal mio stupidissimo worm. Va b�,v�,non ti preoccupare,oggi non sono in vena di cattiverie, ed � anche un giorno festivo per me. Buona giornata.. by 4nt4R35