This is a multi-component Internet worm that infects Win32 machines and spreads in e-mail messages as an attached EXE file. The worm has several components and is able to “upgrade” itself from an Internet Web site.
There are two principal worm components: the Loader and the Main component.
The Loader is a Windows EXE file about 25K in size (it is compressed with the UPX PE EXE file-compression utility; decompressed, it is about 70K). When the Loader is activated on a computer (run from an e-mail attachment),
where “WinSystem” is the Windows system directory name. As a result, the worm Loader is then executed upon each Windows startup. Note that there are standard Windows components in this directory: GDI.EXE and GDI32.DLL. The
To hide its activity, the worm then displays the fake error message:
where FileName is the actual file name the worm was started from.
The worm then activates the main procedure that obtains and executes the Main component. It connects to the http://www.geocities.com/olivier1548/ Web page and downloads several files from there:
The nn.ZIP and GATEWAY.ZIP files are not actually archives but encrypted Windows EXE files. The worm Loader decrypts them, copies them to the Windows directory and runs them. As a result, the Main component is activated on the computer.
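The masquerading described above (a “.ZIP” file whose content is not an archive at all) is simple to spot on the defender's side by comparing a file's extension with its leading bytes. The following is an added example, not code from the original description; the file names and byte contents are constructed for illustration, and the 7.0-bit entropy threshold is an assumed heuristic for “looks encrypted or packed”.

```python
# Added example (not from the original description): flag files whose ".zip"
# extension is not backed by a ZIP signature, the masquerading used by the
# worm's nn.ZIP and GATEWAY.ZIP downloads. Sample data below is constructed.
import math
from collections import Counter

ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")  # local header / end record / spanned
PE_MAGIC = b"MZ"                                            # DOS stub header of a Windows EXE
EXPECTED = {"zip": "zip", "exe": "pe", "dll": "pe"}         # extension -> expected content type


def identify(data: bytes) -> str:
    """Coarse content type from the leading bytes only."""
    if data[:4] in ZIP_MAGICS:
        return "zip"
    if data[:2] == PE_MAGIC:
        return "pe"
    return "unknown"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted or packed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check(name: str, data: bytes) -> dict:
    """Report whether extension and content disagree, with entropy as context."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(data)
    expected = EXPECTED.get(ext)
    return {
        "name": name,
        "content": kind,
        "mismatch": expected is not None and kind != expected,
        "high_entropy": entropy(data) > 7.0,  # assumed threshold, not from the page
    }


def suspicious(files: dict) -> list:
    """Names whose extension masks unrecognised content (e.g. '.zip' with no PK header)."""
    return [n for n, d in files.items() if check(n, d)["mismatch"]]


SAMPLES = {  # constructed, not real worm files
    "real.zip": b"PK\x03\x04" + b"\x00" * 26,
    "gateway.zip": bytes((i * 37 + 11) & 0xFF for i in range(256)),  # opaque bytes, no PK header
    "gdi32a.exe": b"MZ" + b"\x90" * 62,
}
```

Running `suspicious(SAMPLES)` reports only `gateway.zip`, and `check()` on it additionally shows the high-entropy flag that encrypted payloads typically trigger.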
The Main worm component is a Windows EXE file about 40K in size (it is compressed with the UPX PE EXE file-compression utility; decompressed, it is about 120K). It is installed in the Windows directory under the name GDI32A.EXE and is registered in the system registry in a similar way as
The Main worm component also has backdoor capabilities: it lets a remote host monitor the infected computer and use its resources.