Class | Email-Worm |
Platform | Win32 |
Description |
Technical Details

This is a worm virus that spreads via the Internet attached to infected emails. The worm itself is a Windows PE EXE file about 91Kb in length, written in Microsoft Visual C++.

Installing

While installing, the worm copies itself to the Windows system directory with a randomly selected
where %rnd% is a random number, and registers that file in the system registry auto-run key:
There are two values written to all those keys:
where %worm name% is the worm file name without extension, %worm file name% is the full file name, for
It seems that the “.default” duplicate is written to the registry key because of a bug in the worm code. Later the worm also copies itself to the Desktop under the name EXPLORER.PIF.

Spreading

To obtain victim email addresses the worm looks for *.HTM and *.DBX files and extracts email addresses
While sending itself, the worm appends the following information to its copy:
By using these data it is possible to trace the “migration” of a particular worm copy. The infected messages have different data in the email fields. Below, %RegisteredOwner% and the Subject are selected randomly (depending on the worm “generation”) from the variants:
The last (third) variant is selected in case there is no “RegisteredOrganization” key in
The message body is also selected depending on the worm generation:
or:
Attached file names can be different, for example:
where the “WIN” names have a random number at the end (in this case, “40B1”). At the same time
To run from an infected message the worm uses two security breaches:

Payload

The worm looks for anti-virus programs, firewalls and debuggers and tries to terminate them, as
The worm drops a “WIN%Rnd%.TMP” file to the Windows system directory, writes the “Win32.Funlove” virus to
The worm displays the message:
In an endless loop the worm opens the http://www.symantec.com Web site (it seems that the worm
The worm also contains the following encrypted text strings: