Class: Porn-Downloader
Platform: Win32

Parent class: Pornware

Pornware is the term used for programs that display pornographic material to the user. Programs in the Pornware class may be deliberately installed by the user in order to search for and obtain pornographic material. In such cases, the programs are not unwanted. On the other hand, the very same programs can be installed on a user’s computer by malicious users by exploiting operating system or browser vulnerabilities, or by using Trojans such as Trojan-Downloader and Trojan-Dropper. This is usually done to push advertisements for fee-based pornographic websites and services that a typical user might otherwise not be aware of.

Class: Porn-Downloader

This behaviour downloads pornographic media files to the user’s computer from the Internet. Unlike malicious programs, such programs notify the user of their actions.

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. It is one of the most widespread programming platforms in the world.

Description

Technical Details

This is an Internet worm that spreads via e-mail as an attached EXE file. The worm itself is a Win32 executable file about 30Kb in length, written in Visual Basic.

The worm seems to be based on the "Melissa" macro-virus worm - the functions and sequence of instructions in the worm code are very similar to the "Melissa" source code. It seems that this worm was compiled from a slightly modified "Melissa" source.

When the worm EXE file is run from an attachment, it sends infected messages and registers itself in the system so that it runs each time Windows starts up.

To spread from an infected computer, the worm uses MS Outlook: it obtains addresses from the MS Outlook Address Book and sends messages to them.

The message Subject, Body and Attachment appear as follows:

Subject: Matcher
Body: Want to find your love mates!!! Try this its cool... Looks and Attitude Maching to opposite sex.
Attach: matcher.exe

To install itself into a system, the worm copies itself to the Windows system directory under the name MATCHER.EXE and registers this file in the auto-run section of the Windows registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
%SystemDir%\matcher.exe

where %SystemDir% is the name of the Windows system directory.

The worm also adds to the end of C:\AUTOEXEC.BAT the commands:

@echo off
echo from: Bugger
pause

These commands display the "from: Bugger" message when the system boots up and processes AUTOEXEC.BAT.
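A triage sketch for the host and mail artefacts described above, added here as an example and not taken from the vendor's tooling: it checks a text export of the registry, the contents of AUTOEXEC.BAT and a raw e-mail message for the indicators the description lists. The function names, the sample value name "Matcher" and the sample paths are assumptions; a file name match alone can also hit an unrelated program called matcher.exe.

```python
from email import message_from_string
# Indicators taken from the description above; all sample data below is constructed.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
DROPPED_NAME = "matcher.exe"
AUTOEXEC_CMDS = ["@echo off", "echo from: bugger", "pause"]

def run_key_hits(reg_export):
    """Names of Run-key values in a .reg text export whose data points at matcher.exe."""
    hits, in_run_key = [], False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY
        elif in_run_key and "=" in line:
            name, data = line.split("=", 1)
            # .reg exports double every backslash; undo that before taking the file name.
            path = data.strip('"').replace("\\\\", "\\").lower()
            if path.rsplit("\\", 1)[-1] == DROPPED_NAME:
                hits.append(name.strip('"'))
    return hits

def autoexec_hit(autoexec_text):
    """True if the three appended commands occur as consecutive non-blank lines."""
    lines = [l.strip().lower() for l in autoexec_text.splitlines() if l.strip()]
    n = len(AUTOEXEC_CMDS)
    return any(lines[i:i + n] == AUTOEXEC_CMDS for i in range(len(lines) - n + 1))

def mail_hit(raw_message):
    """True if a raw RFC 822 message has the worm's subject and attachment name."""
    msg = message_from_string(raw_message)
    subject = (msg["Subject"] or "").strip().lower()
    names = [(part.get_filename() or "").lower() for part in msg.walk()]
    return subject == "matcher" and DROPPED_NAME in names

# Constructed samples: the value name and the WINDOWS/SYSTEM path are assumptions.
SAMPLE_REG = (
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"SystemTray"="SysTray.Exe"\n'
    '"Matcher"="C:\\\\WINDOWS\\\\SYSTEM\\\\matcher.exe"\n'
)
SAMPLE_AUTOEXEC = "SET PATH=C:\\WINDOWS\n\n@echo off\necho from: Bugger\npause\n"
SAMPLE_MAIL = (
    'Subject: Matcher\nMIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b"\n\n'
    "--b\nContent-Type: text/plain\n\nconstructed body\n"
    "--b\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="matcher.exe"\n\nMZ\n--b--\n'
)
if __name__ == "__main__":
    print(run_key_hits(SAMPLE_REG), autoexec_hit(SAMPLE_AUTOEXEC), mail_hit(SAMPLE_MAIL))
```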
