This worm spreads via the Internet as an attachment to infected messages.
It sends itself to all email addresses found on the victim machine. The worm
itself is a PE EXE file. It is written in Visual Basic and packed using UPX.
The packed file is approximately 43 KB in size (this may vary slightly). The
unpacked file is approximately 140 KB in size.
Installation
Once launched, the worm opens Windows Notepad, which will display a random
selection of characters:
During installation the worm copies itself to the Windows system directory
under a random name made up of words chosen from the following list:
- 32
- crypt
- data
- diag
- dir
- disc
- expoler
- host
- log
- run
- service
- smss32
- spool
- sys
- win
for example: %System%\cryptdialog.exe
It then registers itself in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"<random key name>" = "%System%\<name of worm file>"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"<random key name>:" = "%System%\<name of worm file>"
The worm also creates several additional files in the Windows system directory
under the following names:
- %System%\datamx.dam
- %System%\dgsfzipp.gmx
- %System%\dgssxy.yoi
- %System%\nonrunso.ber
- %System%\Odin-Anon.Ger
- %System%\read.me
- %System%\sysmms32.lla
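The two installation artifacts above (the Run-key entry pointing at a %System% executable whose name is assembled from the word list, and the seven fixed dropped filenames) are enough for an offline triage check. The following script is an added example, not code from the original description: it assumes the Run values and the System32 directory listing have already been collected by a triage tool and are handed in as plain Python data; the sample inputs and the expansion of %System% to C:\Windows\System32 are constructed assumptions. Note that the description's own example name, cryptdialog.exe, does not decompose into the words shown above, so the word list as reproduced here is probably incomplete and the name check is only a lead; the dropped-file names are the firmer indicator.

```python
"""Offline triage for the installation artifacts of this worm.

Added example, not part of the original description. Inputs are assumed to
have been collected already (registry Run values, System32 file listing).
"""
import ntpath
from typing import Iterable, List, Tuple

SYSTEM_DIR = r"C:\Windows\System32"  # assumed expansion of %System%

# Words the worm concatenates to build its own filename (from the description).
NAME_PARTS = (
    "32", "crypt", "data", "diag", "dir", "disc", "expoler", "host",
    "log", "run", "service", "smss32", "spool", "sys", "win",
)

# Additional files dropped into %System% (names from the description, lowercased).
DROPPED_FILES = {
    "datamx.dam", "dgsfzipp.gmx", "dgssxy.yoi", "nonrunso.ber",
    "odin-anon.ger", "read.me", "sysmms32.lla",
}

RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)


def segments_into_parts(stem: str, parts: Tuple[str, ...] = NAME_PARTS) -> bool:
    """True if `stem` splits entirely into words from `parts` (case-insensitive).

    Dynamic programme over prefixes: reachable[i] means stem[:i] is a valid
    concatenation of list words.
    """
    stem = stem.lower()
    reachable = [True] + [False] * len(stem)
    for i in range(len(stem)):
        if not reachable[i]:
            continue
        for w in parts:
            if stem.startswith(w, i):
                reachable[i + len(w)] = True
    return reachable[len(stem)]


def suspicious_run_entry(key: str, value: str) -> bool:
    """Flag a Run value launching an .exe from %System% whose name is built
    only from the worm's word list."""
    if key.lower() not in {k.lower() for k in RUN_KEYS}:
        return False
    directory, filename = ntpath.split(value.strip('"'))
    if directory.lower().rstrip("\\") != SYSTEM_DIR.lower():
        return False
    stem, ext = ntpath.splitext(filename)
    return ext.lower() == ".exe" and segments_into_parts(stem)


def triage(run_entries: Iterable[Tuple[str, str, str]],
           system_files: Iterable[str]) -> dict:
    """Return the Run entries and dropped files that match the description."""
    findings: dict = {"run_entries": [], "dropped_files": []}
    for key, name, value in run_entries:
        if suspicious_run_entry(key, value):
            findings["run_entries"].append((key, name, value))
    for path in system_files:
        if ntpath.basename(path).lower() in DROPPED_FILES:
            findings["dropped_files"].append(path)
    return findings


# Constructed sample inputs (not real collection data).
SAMPLE_RUN_ENTRIES: List[Tuple[str, str, str]] = [
    (RUN_KEYS[0], "ctfmon", r"C:\Windows\System32\ctfmon.exe"),      # legitimate
    (RUN_KEYS[0], "kxq81", r"C:\Windows\System32\datahost.exe"),     # data + host
    (RUN_KEYS[1], "Updater", r"C:\Program Files\Updater\syslog.exe"),  # wrong directory
    (RUN_KEYS[1], "a0f", r"C:\Windows\System32\expoler32.exe"),      # expoler + 32
]
SAMPLE_SYSTEM_FILES = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\read.me",
    r"C:\Windows\System32\Odin-Anon.Ger",
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_RUN_ENTRIES, SAMPLE_SYSTEM_FILES).items():
        print(kind, hits)
```

Words such as "win", "sys" and "service" are common in legitimate filenames, so the name heuristic is restricted to executables in the system directory and should be corroborated with the dropped files before acting on it.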
Propagation via email
The worm scans MS Windows address books for email addresses, and all files
with the following extensions:
- abc
- abd
- abx
- adb
- ade
- adp
- adr
- asp
- bak
- bas
- cfg
- cgi
- cls
- cms
- csv
- ctl
- dbx
- dhtm
- doc
- dsp
- dsw
- eml
- fdb
- frm
- hlp
- imb
- imh
- imh
- imm
- inbox
- ini
- jsp
- ldb
- ldif
- log
- mbx
- mda
- mdb
- mde
- mdw
- mdx
- mht
- mmf
- msg
- nab
- nch
- nfo
- nsf
- nws
- ods
- oft
- php
- pl
- pmr
- pp
- ppt
- pst
- rtf
- shtml
- slk
- sln
- stm
- tbb
- txt
- uin
- vap
- vbs
- vcf
- wab
- wsh
- xhtml
- xls
- xml
and sends itself to email addresses harvested from these files. The worm connects
to the recipient's SMTP server in order to send messages.
It will not send messages to addresses which contain the following text strings:
- .dial.
- .kundenserver.
- .ppp.
- .qmail@
- .sul.t-
- @arin
- @avp
- @ca.
- @example.
- @foo.
- @from.
- @gmetref
- @iana
- @ikarus.
- @kaspers
- @messagelab
- @nai.
- @panda
- @smtp.
- @sophos
- @www
- abuse
- announce
- antivir
- anyone
- anywhere
- bellcore.
- bitdefender
- clock
- -dav
- detection
- domain.
- emsisoft
- ewido.
- freeav
- free-av
- ftp.
- gold-certs
- google
- host.
- icrosoft.
- info@
- ipt.aol
- law2
- linux
- mailer-daemon
- me@
- mozilla
- mustermann@
- nlpmail01.
- noreply
- nothing
- ntp-
- ntp.
- ntp@
- office
- password
- postmas
- reciver@
- secure
- service
- smtp-
- somebody
- someone
- spybot
- sql.
- subscribe
- support
- t-dialin
- test@
- time
- t-ipconnect
- user@
- variabel
- verizon.
- viren
- virus
- whatever@
- whoever@
- winrar
- winzip
- you@
- yourname
Infected messages
Message subject (chosen from the list below):
- I've got YOUR email on my account!!
- Ey du DOOF Nase, warum beantw...
Message body (chosen at random from those listed below):
- Hello,
First, Sorry for my very bad English!
Someone send your private mails on my email account!
I think it's an Mail-Provider or SMTP error.
Normally, I delete such emails immediately, but in the mail-text is a
name & adress. I think it's your name and adress.
In the last 8 days i've got 7 mails in my mail-box, but the recipient
are you, not me. lol
OK, I've copied all email text in the Windows Text-Editor and i've
zipped the text file with WinZip.
The sender of this mails is in the text file, too.
bye
- Warum beantwortest Du meine E-Mails nicht?
Kommen meine Mails nicht mehr bei dir an oder so???
Habe mir jetzt extra eine neue Mail Adresse bei GMX gemacht!
Ich hoffe mal, das sie jetzt zu dir durch dringen wird.
In meinen anderen Mails habe ich einige Wichtige Dinge
niedergeschrieben, hatte aber keine Lust alles nochmal zu schreiben.
Deshalb habe ich die alten Mail-Texte im Texteditor kopiert und mit
Winzip kleiner gemacht.
Lesen und diesmal auch bescheid geben!!!!
tschau.....
Attachment (chosen from the list below):
Attachments will have one of the following extensions:
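The subject lines and body phrases listed in this section are stable enough to drive a mail-gateway rule. The script below is an added example, not code from the original description: it parses a message with the standard library, matches the subject against the two listed subjects (the second is truncated in the description, so it is matched as a prefix), counts body phrases taken from the two message texts, and requires an attachment, since the worm spreads as one. The sample message is constructed, with an inert placeholder attachment.

```python
"""Mail-gateway classification for this worm's lure messages.

Added example, not part of the original description.
"""
import email
from email import policy
from email.message import EmailMessage

SUBJECT_PREFIXES = (
    "I've got YOUR email on my account!!",
    "Ey du DOOF Nase, warum beantw",  # truncated in the description; prefix match
)

# Lowercased phrases taken from the two message bodies in the description.
BODY_PHRASES = (
    "sorry for my very bad english",
    "someone send your private mails on my email account",
    "zipped the text file with winzip",
    "warum beantwortest du meine e-mails nicht",
    "mit winzip kleiner gemacht",
)


def classify(raw: bytes) -> dict:
    """Return {'match': bool, 'reasons': [...]} for one raw RFC 822 message.

    A match needs an attachment plus either a listed subject or at least two
    listed body phrases, so a lone phrase in ordinary mail does not trigger it.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""

    reasons = []
    if any(subject.startswith(p) for p in SUBJECT_PREFIXES):
        reasons.append("subject")
    body_hits = sum(1 for p in BODY_PHRASES if p in text)
    if body_hits:
        reasons.append(f"body:{body_hits}")
    has_attachment = any(True for _ in msg.iter_attachments())
    if has_attachment:
        reasons.append("attachment")

    match = has_attachment and ("subject" in reasons or body_hits >= 2)
    return {"match": match, "reasons": reasons}


def build_sample_lure() -> bytes:
    """Constructed message resembling the first body text; the attachment is
    an inert placeholder, not a real sample."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "I've got YOUR email on my account!!"
    m.set_content(
        "Hello,\n"
        "First, Sorry for my very bad English!\n"
        "Someone send your private mails on my email account!\n"
    )
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="attachment.bin")
    return m.as_bytes()


def build_benign() -> bytes:
    """Constructed ordinary message with no attachment."""
    m = EmailMessage()
    m["From"] = "a@example.invalid"
    m["To"] = "b@example.invalid"
    m["Subject"] = "Meeting tomorrow"
    m.set_content("See you at ten.\n")
    return m.as_bytes()


if __name__ == "__main__":
    print(classify(build_sample_lure()))
    print(classify(build_benign()))
```

The attachment filter list is not reproduced on this page, so the rule only checks that an attachment exists; once the real extension list is known, tightening that check to those extensions is the obvious refinement.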