This worm spreads via the Internet as an attachment to infected messages.
It sends messages to all email addresses harvested from the victim computer.
The worm itself is a Windows PE EXE file approximately 172KB in size,
packed using UPX. The unpacked file is approximately 262KB in size.
Installation
Once launched, the worm copies itself to the Windows system directories
under a variety of names, e.g.:
C:\WINDOWS\SYSTEM32\dl.exe
C:\WINDOWS\SYSTEM32\drivers\ndisrd.sys
C:\WINDOWS\SYSTEM32\ndisapi.dll
C:\WINDOWS\SYSTEM32\ndisrd.sys
C:\WINDOWS\SYSTEM32\syslogin.exe
C:\WINDOWS\SYSTEM32\tutorial.doc .exe
C:\WINDOWS\SYSTEM32\tutorial.zip
The worm then creates the following autorun entry in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"syslogin"="%system%\syslogin.exe"
This ensures that the worm will be launched each time the system is
rebooted.
Propagation via email
The worm searches for files with the extensions listed below:
htm
dbx
tbi
tbb
txt
and sends itself to all email addresses harvested from these files.
The worm establishes a direct connection to the recipient's SMTP server in order to send messages.
Infected messages
Message subject (chosen from the list below):
[Fwd: Broken link]
big announcements
building maintenance
Cost Inquiry
Deactivation Notice
failure notice
find a solution with this customer
Fwd: Password
Fwd: Your Funds are Eligible for Withdrawal
Knowledge Base Article
Message recieved, please confirm
My funny stories
Need help pls
No Subject
Open Invoices
Order Approval
progress news
Questions
Re: Help Desk Registration
Re: payment
RE: quote request
RE: Re: A question
Re: User ID Update
referrences
Returned mail: see transcript for details
troubles are back again
units available
Webmail Invite
What is this ????
when should i call you?
WinXP
You have recieved an eCard!
Attachment name (chosen from the list below):
account.doc .exe
arch.doc .exe
archive.doc .exe
atach.doc .exe
att.doc .exe
contact.doc .exe
db.doc .exe
doc.doc .exe
documents.doc .exe
file.doc .exe
mail.doc .exe
message.doc .exe
messages.doc .exe
msg.doc .exe
read.doc .exe
readme.doc .exe
support.doc .exe
warning.doc .exe
account.zip
arch.zip
archive.zip
atach.zip
att.zip
contact.zip
db.zip
doc.zip
documents.zip
file.zip
mail.zip
message.zip
messages.zip
msg.zip
read.zip
readme.zip
support.zip
warning.zip
Message body (chosen from the list below):
Hello,
Sorry, I forgot to attach the new contact information.
Please view the attached (.pdf) contact sheet.
Sincerely,
User
Hello,
I resent this email as attachment because
it was previously blocked by your email filters.
Please read the attachment and respond.
Thanks,
User
Hello,
I was in a hurry and I forgot to attach an important
document. Please see attached.
Best Regards,
User
Hello,
Your email was received.
YOUR REPLY IS URGENT!
Please view the attached text file for instructions.
Regards,
User
Hello,
Your email was sent in an INVALID format.
To verify this email was sent from you,
simply open the attached email (.eml) file
and click yes in the sender options box.
Thank You,
User
Hello,
My PC crashed while I was sending that last email.
I have re-attached the document of yours that I discovered.
Please read attached document and respond ASAP.
Sincerely,
User
Hello,
What version of windows you are using?
This last document I received from you came out weird.
Please see the attached word file and resend the file to me.
Many thanks,
User
***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
Hello,
The previous email you sent has been recognized as spam.
This means your email was not delivered to your friend or client.
You must open the attached file to receive more information.
***YOUR MESSAGE HAS BEEN RECOGNIZED AS SPAM***
***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
You are currently unable to send emails.
This may be a billing issue.
Please call the billing center.
The # for the billing office is located in the attached
contact list for your convenience.
***ATTENTION: YOUR EMAIL IS NOT BEING DELIVERED!***
***URGENT: SERVICE SHUTDOWN NOTICE***
Due to your failure to comply with our email
Rules and Regulations, your email account has been
temporarily suspended for 24 hours unless we are contacted regarding
this situation.
You must read the attached document for further
instructions. Failure to comply will result in termination of your account.
Regards,
Net Operator
***URGENT: SERVICE SHUTDOWN NOTICE***
last request before refunding
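As an added example (not part of the original description), a small Python triage script built from the indicators given above: it flags mail attachments that use the "name.doc .exe" disguise, generalised to any fake extension followed by whitespace and .exe, and checks Run-key entries against the syslogin autorun value and dropped file names. The sample message and registry values are constructed.

```python
import re
from email import message_from_string

# Host indicators quoted in the description above.
RUN_VALUE = "syslogin"
DROPPED = {"dl.exe", "syslogin.exe", "ndisapi.dll", "ndisrd.sys",
           "tutorial.doc .exe", "tutorial.zip"}
# Every attachment name on the page is a stem, a fake ".doc", whitespace, then
# the real ".exe"; the regex generalises to any fake extension before the space.
DISGUISED_EXE = re.compile(r"^\S+\.[A-Za-z0-9]{1,4}\s+\.exe$", re.IGNORECASE)

# Constructed sample (not a real capture): one disguised and one ordinary attachment.
SAMPLE_MAIL = """\
Subject: Message recieved, please confirm
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="readme.doc .exe"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.docx"

--b1--
"""

def is_disguised_exe(filename):
    """True for names such as 'readme.doc .exe' (space before the real .exe)."""
    return bool(DISGUISED_EXE.match(filename.strip()))

def scan_message(raw):
    """Attachment names in a raw RFC 822 message that use the disguise."""
    hits = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name and is_disguised_exe(name):
            hits.append(name)
    return hits

def check_run_key(run_values):
    """Run-key {value name: data} (e.g. from winreg or `reg query`) -> matching entries."""
    hits = []
    for name, data in run_values.items():
        exe = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() == RUN_VALUE or exe in DROPPED:
            hits.append((name, data))
    return hits
```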