Wednesday, May 6, 2009

Virus: Win32:VB-CD alias Kamasutra

The worm Win32:VB-CD [Wrm] or Win32:VB-CD2 [Wrm] is a mail worm known also as Nyxem-E, Blackmal-F, MyWife-D or Grew, or (perhaps locally and usually in the news) as Kamasutra. This worm spreads by e-mail and by network shares. It kills the processes of miscellaneous antivirus and security programs and deletes their files. The worm is destructive: it tries to delete files of certain types on the 3rd day of every month.

When executed, the worm creates one of the listed files:

  • %windows%\Rundll16.exe
  • %system%\New winzip file.exe
  • %system%\sample.zip
  • %system%\winzip_tmp.exe

and the following files:

  • %system%\scanregw.exe
  • %system%\update.exe
  • %system%\sample.zip
  • %system%\winzip.exe

The worm is autostarted with Windows using the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Its value "ScanRegistry" is set to "%System%\scanregw.exe /scan".

The worm collects mail addresses from documents on the infected computer. The infected mail has one of the Subjects:

*Hot Movie*
A Great Video
Arab sex DSC-00465.jpg
eBook.pdf
Fuckin Kama Sutra pics
Fw:
Fw: DSC-00465.jpg
Fw: Funny :)
Fw: Picturs
Fw: Sexy
Fwd: image.jpg
Fwd: Photo
give me a kiss
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Re:
Re: Sex Video
School girl fantasies gone bad
The Best Videoclip Ever
the file
Word file
You Must View This Videoclip!

The infected attachment uses one of the file names

007.pif
04.pif
677.pif
document.pif
DSC-00465.Pif
eBook.PIF
image04.pif
New_Document_file.pif
photo.pif
School.pif

Sometimes, the attachment is MIME encoded and uses one of the names

3.92315089702606E02.UUE
Attachments00.HQX
Attachments001.BHX
Attachments[001].B64
eBook.Uu
Original Message.B64
SeX.mim
Sex.mim
Video_part.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu

In that case, a special tool is needed to unpack and execute the worm.
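To show how the subject lines and attachment names above can be turned into mail-gateway detection logic, here is an added Python example (not code from the original post or from any antivirus vendor): it parses a raw message, matches its subject and attachment names against the lists from this write-up, and also flags the encoded-container extensions (.uue, .hqx, .bhx, .b64, .uu, .mim) and bare .pif attachments the worm is delivered under. The sample messages it builds are constructed for the test, and the example.invalid addresses are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# Mail-side indicators copied from the write-up above (a representative subset of the subjects).
SUBJECTS = {s.lower() for s in (
    "*Hot Movie*", "A Great Video", "eBook.pdf", "Fw: Funny :)", "Fw: Picturs",
    "Fwd: Photo", "Miss Lebanon 2006", "My photos", "The Best Videoclip Ever",
    "Word file", "You Must View This Videoclip!",
)}
ATTACHMENTS = {a.lower() for a in (
    "007.pif", "04.pif", "677.pif", "document.pif", "DSC-00465.Pif", "eBook.PIF",
    "image04.pif", "New_Document_file.pif", "photo.pif", "School.pif",
    "3.92315089702606E02.UUE", "Attachments00.HQX", "Attachments001.BHX",
    "Attachments[001].B64", "eBook.Uu", "Original Message.B64", "SeX.mim",
    "Video_part.mim", "WinZip.BHX", "Word_Document.hqx", "Word_Document.uu",
)}
# Extensions the worm arrives under: a bare .pif, or an encoded container (uuencode/BinHex/base64/MIME)
ENCODED_EXTS = (".pif", ".uue", ".hqx", ".bhx", ".b64", ".uu", ".mim")


def scan_message(raw: bytes) -> list[str]:
    """Return every Kamasutra indicator found in one raw RFC 822 message (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if name.lower() in ATTACHMENTS:
            hits.append(f"attachment:{name}")            # exact name from the write-up
        elif name.lower().endswith(ENCODED_EXTS):
            hits.append(f"suspicious-extension:{name}")  # same delivery trick, unlisted name
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Construct a sample message for testing; the attachment body is dummy bytes, not the worm."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"          # placeholder address
    m["To"] = "recipient@example.invalid"         # placeholder address
    m["Subject"] = subject
    m.set_content("see attached")
    m.add_attachment(b"dummy bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Feeding real gateway mail through scan_message() gives a per-message list of matched indicators; a non-empty list is a quarantine or alert signal, and the suspicious-extension branch catches renamed variants the name list alone would miss.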

On every 3rd day of the month, the worm tries to delete data files with the extensions *.dmp, *.doc, *.mdb, *.mde, *.pdf, *.pps, *.ppt, *.psd, *.rar, *.xls, *.zip

avast! with a VPS file dated on or after 17th January 2006 is able to detect this worm.
