Wednesday, 19 January 2005
W32.Zar.A@mm is a mass-mailing worm that uses MAPI to send an email to all addresses in the Microsoft Outlook Address Book. This threat is written in Visual Basic.
Also Known As: W32/VBSun-A [Sophos], WORM_ZAR.A [Trend Micro]
Type: Worm
Infection Length: 20,480 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Zar.A@mm is executed, it performs the following actions:
Creates the following files:
%Windir%\crssr.exe
%Windir%\raz32.exe
%Windir%\tsunami.exe
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
Adds the value:
"CaptionMgr32" = "%Windir%\crssr.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it is executed every time Windows starts.
Uses MAPI to send an email to all addresses it finds in the Microsoft Outlook Address Book.
The email has the following properties:
Subject: Tsunami Donation! Please help
Message Body:
Please help us with your donation and view the attachment below!
We need you!
Attachment: tsunami.exe
Attempts to carry out a Denial of Service attack against the domain www.hacksector.de.
Displays the following message:
Title: Tsunami
Message: Run-time error 438; Object doesnt support this property or method.
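A host triage check for the file and Run-key artifacts listed above, as an added example that is not part of the original write-up. It assumes the analyst has saved the text output of `reg query` for the Run key and a bare file listing of %Windir%; the function names and the sample data are constructed for illustration.

```python
import ntpath
import re

# Indicators as listed in the write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "CaptionMgr32"
DROPPED = ("crssr.exe", "raz32.exe", "tsunami.exe")
# One value line of `reg query` output: 4 spaces, name, type, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def exe_path(data, windir):
    """Executable part of a Run command: unquoted, %Windir% expanded, case-folded."""
    data = data.strip()
    exe = data[1:].split('"', 1)[0] if data.startswith('"') else data
    exe = re.sub(r"%windir%", lambda m: windir, exe, flags=re.IGNORECASE)
    return ntpath.normcase(ntpath.normpath(exe))

def triage(reg_query_output, windir_listing, windir=r"C:\Windows"):
    """Return (kind, detail) findings for the Run value and the dropped files."""
    targets = {exe_path(ntpath.join(windir, f), windir) for f in DROPPED}
    findings = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, data = m["name"], m["data"]
        # Value names are case-insensitive; also flag a renamed value
        # that still launches one of the dropped files.
        if name.lower() == RUN_VALUE.lower() or exe_path(data, windir) in targets:
            findings.append(("run-value", f"{name} = {data}"))
    present = {f.strip().lower() for f in windir_listing}
    for f in DROPPED:
        if f in present:
            findings.append(("file", ntpath.join(windir, f)))
    return findings

# Constructed sample input (not captured from a real host).
SAMPLE_REG = "\n".join([
    RUN_KEY,
    r"    CaptionMgr32    REG_SZ    %WINDIR%\crssr.exe",
    r'    Updater    REG_SZ    "C:\Program Files\Updater\upd.exe" /background',
    r"    Helper    REG_EXPAND_SZ    c:\windows\TSUNAMI.EXE",
])
SAMPLE_LISTING = ["explorer.exe", "CRSSR.EXE", "notepad.exe", "tsunami.exe"]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_REG, SAMPLE_LISTING):
        print(f"{kind:10} {detail}")
```

Pass `windir=r"C:\Winnt"` for hosts that use the other default installation folder named in the note above.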