Tuesday, 18 January 2005
W32.Zar.A@mm is a mass-mailing worm that uses MAPI to send an email to all addresses in the Microsoft Outlook address book. This threat is written in Visual Basic.
Also Known As: W32/VBSun-A [Sophos], WORM_ZAR.A [Trend Micro]
Type: Worm
Infection Length: 20,480 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Zar.A@mm is executed, it performs the following actions:
Creates the following files:
%Windir%\crssr.exe
%Windir%\naz32.exe
%Windir%\tsunami.exe
Adds the value:
"CaptionMgr32" = "%systemroot%\crssr.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it is executed every time Windows starts.
Uses MAPI to send an e-mail to all addresses it finds in the Microsoft Outlook address book.
The e-mail has the following properties:
Subject: Tsunami Donation! Please help
Message Body:
Please help us with your donation and view the attachment below!
We need you!
Attachment: tsunami.exe
Attempts to carry out a Denial of Service attack against the domain www.hacksector.de.
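
A check for the persistence entry and dropped files listed above, as an added example that is not part of the original write-up: it scans the text of a "reg export" dump of the Run key for the CaptionMgr32 value name, or for string data that points at one of the three dropped file names in the Windows directory. The function names, the sample export and the C:\WINDOWS default are constructed for this example; values stored as hex(2) data are matched by name only.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up above.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
RUN_VALUE = "captionmgr32"
DROPPED = {"crssr.exe", "naz32.exe", "tsunami.exe"}
# A value line in a .reg export: "Name"=<data>; inside quotes, \ and " are escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
EXE_RE = re.compile(r'^"?([^"]+?\.exe)', re.IGNORECASE)

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CaptionMgr32"="%systemroot%\\crssr.exe"
"Updater"="\"C:\\WINDOWS\\tsunami.exe\" /s"
"Example"="C:\\Program Files\\Example\\example.exe"
'''

def _unescape(s):
    # Undo .reg string escaping: \\ -> \ and \" -> "
    return re.sub(r"\\(.)", r"\1", s)

def scan_run_export(text, windir=r"C:\WINDOWS"):
    """Return (value name, reason) pairs for Run entries matching the indicators."""
    win_dirs = {"%windir%", "%systemroot%", windir.lower()}  # windir is an assumption
    hits, in_run = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # key header: track whether we are inside the Run key
            in_run = line.strip("[]").lower() == RUN_KEY
            continue
        m = VALUE_RE.match(line)
        if not (in_run and m):
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if name.lower() == RUN_VALUE:
            hits.append((name, "value name"))
        if data.startswith('"'):  # string data; other types are matched by name only
            exe = EXE_RE.match(_unescape(data[1:-1]))
            if exe:
                p = PureWindowsPath(exe.group(1).lower())
                if p.name in DROPPED and str(p.parent) in win_dirs:
                    hits.append((name, "dropped file path"))
    return hits

if __name__ == "__main__":
    print(scan_run_export(SAMPLE))
```
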