%WINDOWS%\[8 random characters a-z].exe
%WINDOWS%\tmpworm.exe
In the registry, the worm creates the following item inside the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
ScanDisk=%WINDOWS%\SCANDISK.exe
The worm is launched from the registry at every computer start. In addition, it may be launched from modified executables: it adds to executable files a piece of code that launches the worm from its files in the %WINDOWS% folder. The size of modified files is increased by 567 bytes.
Note: %WINDOWS% is the folder where the Windows system is installed. It is usually "C:\Windows" on Windows 95, 98 or ME, or "C:\WinNT" on Windows NT, 2000 or XP. These folder names are the defaults, but the user can choose any other name during Windows installation.
The worm tries to suspend running services named:
The worm spreads through email to addresses it finds in the Windows Address Book or in files with .dbx, .eml or .htm extensions. Infected mails are either English or Swedish, depending on the system language of the infected computer.
Infected mail has the following features:
The subject line is either empty or one of the following phrases (in the English version):
- Catlover
- Disgusting propaganda
- DISKRIMINERAD !!!!
- GO USA !!!!
- G.W Bush animation
- Is USA a UFO?
- Is USA always number one?
- LINUX
- Nazi propaganda?
- Screensaver advice
- Spy pics
The attachment has a size of 45056 bytes, a random 2-letter name and the .scr extension.
The worm fakes the sender address. It chooses the message body randomly from 10 messages, in either English or Swedish.
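
A mail-gateway style check for the message features listed above, added here as an example and not part of the original description. The function names and the sample message are constructed, and the pattern assumes the two letters are a-z in either case. The sender address is ignored because the worm fakes it.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above.
ATTACHMENT_SIZE = 45056
ATTACHMENT_NAME = re.compile(r"^[a-z]{2}\.scr$", re.IGNORECASE)  # assumption: a-z only
SUBJECTS = {s.lower() for s in (
    "Catlover", "Disgusting propaganda", "DISKRIMINERAD !!!!", "GO USA !!!!",
    "G.W Bush animation", "Is USA a UFO?", "Is USA always number one?",
    "LINUX", "Nazi propaganda?", "Screensaver advice", "Spy pics")}

def check_message(raw: bytes) -> dict:
    """Compare one raw RFC 822 message with the features described above."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    result = {
        # An empty subject is common in benign mail, so this is only a supporting signal.
        "subject_match": subject == "" or subject in SUBJECTS,
        "name_match": False,
        "size_match": False,
    }
    for part in msg.walk():
        name = part.get_filename()
        if not name or not ATTACHMENT_NAME.match(name.strip()):
            continue
        result["name_match"] = True
        # Measure the decoded attachment, not its base64 transfer encoding.
        payload = part.get_payload(decode=True) or b""
        if len(payload) == ATTACHMENT_SIZE:
            result["size_match"] = True
    # The verdict rests on the attachment: name pattern and exact size together.
    result["suspicious"] = result["name_match"] and result["size_match"]
    return result

def build_sample(subject, filename, size) -> bytes:
    """Constructed test message with a zero-filled attachment (not a real sample)."""
    msg = EmailMessage()
    if subject is not None:
        msg["Subject"] = subject
    msg.set_content("constructed body")
    msg.add_attachment(bytes(size), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(check_message(build_sample("Spy pics", "qz.scr", ATTACHMENT_SIZE)))
```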