Friday, 05 August 2005
Malware type: Worm
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP
Encrypted: No
Characteristics: Propagates via email, Propagates via network shares
Overall risk rating: Low
Reported infections: Low
Damage potential: High
Distribution potential: High
Description:
This worm propagates by mass-mailing copies of itself to email addresses it finds in the affected system's Windows Address Book (WAB), as well as in files with specific extension names.
The email messages that it sends contain the following details:
From: {Spoofed}
Subject: (any of the following)
• Changes..
• Encrypted document
• Fax Message
• Forum notify
• Incoming message
• Notification
• Pass - {Random characters}
• Password - {Random characters}
• Password: {Random characters}
• Protected message
• Re:
• Re: Document
• Re: Hello
• Re: Hi
• Re: Incoming Message
• RE: Incoming Msg
• RE: Message Notify
• Re: Msg reply
• RE: Protected message
• RE: Text message
• Re: Thank you!
• Re: Thanks :)
• Re: Yahoo!
• Site changes
• Update
Message body: (any of the following)
• Archive password: {Image}
• Attach tells everything.
• Attached file is protected with the password for security reasons. Password is {Image}
• Attached file tells everything.
• Check attached file for details.
• Check attached file.
• For security purposes the attached file is password protected. Password -- {Image}
• For security reasons attached file is password protected. The password is {Image}
• Here is the file.
• In order to read the attach you have to use the following password: {Image}
• Message is in attach
• More info is in attach
• Note: Use password {Image} to open archive.
• Password - {Image}
• Password: {Image}
• Pay attention at the attach.
• Please, have a look at the attached file.
• Please, read the document.
• Read the attach.
• See attach.
• See the attached file for details.
• Try this.
• Your document is attached.
• Your file is attached.
Attachment: (any combination of the following file names and extension names)
File name:
• Details
• Document
• Info
• Information
• Message
• MoreInfo
• Readme
• Sources
• text_document
• Updates
Extension name:
• EXE
• ZIP
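The subject, body and attachment-name lists above are, taken together, a usable mail-filter signature: a lone "Re:" subject means nothing, but a listed attachment name with an EXE or ZIP extension arriving alongside a listed subject or body phrase is the worm's lure. The following script is an added example, not code from the advisory or its publisher; it turns the advisory's placeholders ({Random characters}, {Image}) into regex wildcards and evaluates a constructed sample message (the addresses and attachment bytes are made up for the test).

```python
"""Mail-filter check for the lure traits listed in the advisory (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage

# Subject, body and attachment-name lists copied from the advisory text.
# "{Random characters}" and "{Image}" are the advisory's own placeholders.
SUBJECTS = [
    "Changes..", "Encrypted document", "Fax Message", "Forum notify",
    "Incoming message", "Notification", "Pass - {Random characters}",
    "Password - {Random characters}", "Password: {Random characters}",
    "Protected message", "Re:", "Re: Document", "Re: Hello", "Re: Hi",
    "Re: Incoming Message", "RE: Incoming Msg", "RE: Message Notify",
    "Re: Msg reply", "RE: Protected message", "RE: Text message",
    "Re: Thank you!", "Re: Thanks :)", "Re: Yahoo!", "Site changes", "Update",
]
BODIES = [
    "Archive password: {Image}", "Attach tells everything.",
    "Attached file is protected with the password for security reasons. Password is {Image}",
    "Attached file tells everything.", "Check attached file for details.",
    "Check attached file.",
    "For security purposes the attached file is password protected. Password -- {Image}",
    "For security reasons attached file is password protected. The password is {Image}",
    "Here is the file.",
    "In order to read the attach you have to use the following password: {Image}",
    "Message is in attach", "More info is in attach",
    "Note: Use password {Image} to open archive.", "Password - {Image}",
    "Password: {Image}", "Pay attention at the attach.",
    "Please, have a look at the attached file.", "Please, read the document.",
    "Read the attach.", "See attach.", "See the attached file for details.",
    "Try this.", "Your document is attached.", "Your file is attached.",
]
FILE_NAMES = ["Details", "Document", "Info", "Information", "Message",
              "MoreInfo", "Readme", "Sources", "text_document", "Updates"]
EXTENSIONS = ["exe", "zip"]


def _template_to_regex(template: str, anchored: bool) -> re.Pattern:
    """Escape the literal text, then turn the advisory's placeholders into wildcards."""
    pat = re.escape(template)
    pat = pat.replace(re.escape("{Random characters}"), r".+")
    pat = pat.replace(re.escape("{Image}"), r".*")
    if anchored:  # subjects must match whole; body phrases may appear anywhere
        pat = r"^\s*" + pat + r"\s*$"
    return re.compile(pat, re.IGNORECASE | re.DOTALL)


SUBJECT_RES = [_template_to_regex(s, anchored=True) for s in SUBJECTS]
BODY_RES = [_template_to_regex(b, anchored=False) for b in BODIES]
ATTACHMENT_RE = re.compile(
    r"^(%s)\.(%s)$" % ("|".join(map(re.escape, FILE_NAMES)), "|".join(EXTENSIONS)),
    re.IGNORECASE,
)


def check_message(raw: str) -> dict:
    """Return which lure traits a raw RFC 822 message matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    body_text = []
    attachment_hit = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename and ATTACHMENT_RE.match(filename):
            attachment_hit = True
        elif part.get_content_type() == "text/plain":
            body_text.append(part.get_content())
    body = "\n".join(body_text)
    result = {
        "subject": any(r.match(subject) for r in SUBJECT_RES),
        "body": any(r.search(body) for r in BODY_RES),
        "attachment": attachment_hit,
    }
    # A generic subject such as "Re:" proves nothing on its own; flag only when
    # a lure-named EXE/ZIP attachment is present with a listed subject or body.
    result["suspicious"] = result["attachment"] and (result["subject"] or result["body"])
    return result


def build_sample(subject: str, body: str, attachment: str = "") -> str:
    """Construct a sample message (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"PK\x03\x04" + b"\x00" * 12, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


if __name__ == "__main__":
    lure = build_sample("Re: Incoming Message", "Check attached file for details.", "Document.zip")
    print(check_message(lure))      # all three traits match, so suspicious is True
    benign = build_sample("Meeting notes", "See attach.", "agenda.pdf")
    print(check_message(benign))    # a body phrase alone does not flag the message
```

The combination rule is deliberate: several body phrases ("Here is the file.", "Try this.") and the bare "Re:" subject occur in ordinary mail, so the attachment-name pattern is the discriminating trait and the text lists only corroborate it.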
It also drops copies of itself into every folder on the affected system whose name contains the text string "shar". It uses this routine to make itself available to other machines on the network, on the assumption that a folder whose name contains "shar" is a network shared folder.
It relies on social engineering, using the file names of legitimate programs or otherwise enticing file names to lure other users into running its dropped files.
This worm opens port 9030 and listens on it for commands from a remote user. Once connected, the remote user can instruct the malware to download an updated copy of itself.
It also terminates a number of processes, mostly belonging to security and antivirus programs.
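Two of the traits just described leave host-side evidence a responder can look for: lure-named EXE/ZIP files sitting in folders whose names contain "shar", and a listener bound to port 9030. The triage script below is an added example, not code from the advisory or its publisher. It walks a directory tree applying the worm's own "shar" heuristic, and parses Windows `netstat -an` style output for listening ports; the directory tree and the netstat text it checks are constructed for the demonstration, not captured from an infected machine.

```python
"""Host triage for the share-drop and port-9030 traits described above (added example)."""
import os
import re
import tempfile

# Lure file names and extensions listed in the advisory.
FILE_NAMES = ["Details", "Document", "Info", "Information", "Message",
              "MoreInfo", "Readme", "Sources", "text_document", "Updates"]
LURE_RE = re.compile(r"^(%s)\.(exe|zip)$" % "|".join(map(re.escape, FILE_NAMES)),
                     re.IGNORECASE)
BACKDOOR_PORT = 9030  # port the advisory says the worm listens on


def find_dropped_copies(root: str) -> list:
    """Walk root; in any directory whose name contains 'shar' (the worm's own
    heuristic for a network share), report files carrying a lure name."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        for name in filenames:
            if LURE_RE.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def listening_ports(netstat_output: str) -> set:
    """Extract local TCP ports in LISTENING state from 'netstat -an' text
    (Windows layout: Proto, Local Address, Foreign Address, State)."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if (len(fields) == 4 and fields[0].upper() == "TCP"
                and fields[3].upper() == "LISTENING"):
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports


def backdoor_port_open(netstat_output: str) -> bool:
    """True when something on the host is listening on the advisory's port."""
    return BACKDOOR_PORT in listening_ports(netstat_output)


# Constructed netstat sample (not a real capture) showing the backdoor port bound.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9030           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def build_sample_tree() -> str:
    """Create a constructed directory tree: one share-looking folder holding a
    lure file plus a harmless file, and one ordinary folder that must be ignored."""
    root = tempfile.mkdtemp(prefix="triage_")
    shared = os.path.join(root, "Shared Docs")
    plain = os.path.join(root, "Projects")
    os.makedirs(shared)
    os.makedirs(plain)
    for folder, name in [(shared, "Readme.exe"), (shared, "notes.txt"),
                         (plain, "Document.zip")]:
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(b"MZ")  # placeholder bytes, not a real executable
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("lure files in share-like folders:", find_dropped_copies(sample_root))
    print("port 9030 listening:", backdoor_port_open(SAMPLE_NETSTAT))
```

On a live host the netstat text would come from running `netstat -an` and the walk root would be each drive or share; a hit on port 9030 alone is only a lead, since any service may use that port, so confirm it against the file-system findings and the terminated security processes.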