Class | Email-Worm |
Platform | Win32 |
Description |
Technical DetailsThis is the worm virus spreading via the Internet being attached to infected The worm itself is Windows PE EXE file about 35Kb of length (compressed by The texts and attached file names in infected messages are different, they depend Subjects are:
The message body is completed with "A presto..." or "Bye." text. Attached files: tettona.exe euro.exe tattoo.exe The worm activates from infected email only in case a user clicks on attached InstallingWhile installing the worm copies itself to Windows directory with the
The worm then displays fake error message: Error VBRUN49.DLL not found! SpreadingTo send infected messages the worm uses direct connection to default SMTP BackdoorThe backdoor procedure opens connection on port 5001 and listens to the "master". Then it processes following instructions: "HELO" - replies with "Hello, guy" text "SCAN" - scans all directories and reports dir/files in there (like remote DIR command) "EXEC" - runs specified file "UNINST" - removes itself from the system, including registry "Run" key. "VIEW" - displays to "master" specified file "DOWN" - downloads to "master" specified file PayloadOn January 12th the worm displays the message: Hello, Ciao, il tuo computer � infettato dal virus Fral�. Certo che devi essere proprio un pirlone, per esserti fatto fregare dal mio stupidissimo worm. Va b�,v�,non ti preoccupare,oggi non sono in vena di cattiverie, ed � anche un giorno festivo per me. Buona giornata.. by 4nt4R35 |
Find out the statistics of the threats spreading in your region |