Wednesday, 03 August 2005
Malware type: Worm
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP
Encrypted: No
Characteristics: Propagates via email, Propagates via software vulnerabilities
Description:
This worm propagates via email. It sends copies of itself as attachments to email messages that it sends out using its own Simple Mail Transfer Protocol (SMTP) engine.
Users should be wary of email messages that contain the following details:
From: (any combination of the following names and domains)
Names:
• admin
• support
Domains:
• @aol.com
• @ca.com
• @f-secure.com
• @kaspersky.com
• @mail.com
• @mastercard.com
• @matrix.com
• @mcafee.com
• @microsoft.com
• @msn.com
• @nai.com
• @paypal.com
• @sarc.com
• @security.com
• @securityfocus.com
• @sophos.com
• @symantec.com
• @trendmicro.com
• @visa.com
• @yahoo.com
Subject: Re_
Message body: (any of the following)
• Animals
• foto3 and MP3
• fotogalary and Music
• fotoinfo
• Lovely animals
• Predators
• Screen and Music
• The snake
Attachment: (any combination of the following file names and extensions)
File names:
• Cat
• Cool_MP3
• Dog
• Doll
• Fish
• Garry
• MP3
• Music_MP3
• New_MP3_Player
Extensions:
• BAT
• CMD
• COM
• CPL
• EXE
• PIF
• SCR
• ZIP
It spoofs the From field (the sender's name) in an attempt to trick an affected user into opening the attachment.
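As an added example (not part of the original advisory), the following Python code checks a raw message against the email indicators listed above, for use in a mail filter or when triaging a mailbox. The function names, the exact-match comparison of subject and body text, and the triage rule in is_suspect are assumptions made for illustration; the sample message is constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Indicators copied from the description above, lower-cased for comparison.
SENDER_NAMES = {"admin", "support"}
SENDER_DOMAINS = set("""aol.com ca.com f-secure.com kaspersky.com mail.com
mastercard.com matrix.com mcafee.com microsoft.com msn.com nai.com paypal.com
sarc.com security.com securityfocus.com sophos.com symantec.com trendmicro.com
visa.com yahoo.com""".split())
BODIES = {"animals", "foto3 and mp3", "fotogalary and music", "fotoinfo",
          "lovely animals", "predators", "screen and music", "the snake"}
ATTACH_NAMES = {"cat", "cool_mp3", "dog", "doll", "fish", "garry", "mp3",
                "music_mp3", "new_mp3_player"}
ATTACH_EXTS = {"bat", "cmd", "com", "cpl", "exe", "pif", "scr", "zip"}

def match_indicators(raw):
    """Return which indicator classes a raw RFC 822 message matches."""
    msg = message_from_string(raw)
    hits = set()
    # The From field is spoofed, so it is evidence of the worm, not of origin.
    local, _, domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")
    if local in SENDER_NAMES and domain in SENDER_DOMAINS:
        hits.add("from")
    if (msg.get("Subject") or "").strip() == "Re_":
        hits.add("subject")
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            stem, _, ext = fname.lower().rpartition(".")
            if stem in ATTACH_NAMES and ext in ATTACH_EXTS:
                hits.add("attachment")
        elif part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
            if text.strip().lower() in BODIES:  # assumption: whole body matches
                hits.add("body")
    return hits

def is_suspect(raw):
    # Assumed triage rule (not from the advisory): a listed attachment name
    # plus at least one other matching field.
    hits = match_indicators(raw)
    return "attachment" in hits and len(hits) >= 2

# Constructed sample message combining values from the lists above.
SAMPLE = (
    "From: support@paypal.com\nSubject: Re_\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nLovely animals\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="Cool_MP3.pif"\n\nplaceholder\n--b1--\n')
print(sorted(match_indicators(SAMPLE)), is_suspect(SAMPLE))
```

Because any single field (a support@ sender, a ZIP attachment) is common in legitimate mail, the rule requires the attachment name to match together with another field before flagging a message.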
It also propagates by taking advantage of the Windows LSASS vulnerability. For more information on this vulnerability, check the following Microsoft Web page:
Microsoft Security Bulletin MS04-011
It modifies the HOSTS file to prevent the affected user from accessing certain Web sites, most of which are related to antivirus and security applications.
This worm can disable the Windows Task Manager and the Registry Editor on Windows 98 and ME.