WORM_WURMARK.J
Overview


Malware type: Worm

Aliases: Email-Worm.Win32.Eyeveg.f (Kaspersky), W32.Lanieca.A@mm (Symantec), TR/Dldr.Small.atx.1 (Avira), W32/Wurmark-J (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, 2000, XP

Encrypted: No

Overall risk rating: Low

Reported infections: Low

Damage potential: High

Distribution potential: High

Description: 

As of May 11, 2005 at 4:30 am (Pacific Daylight Time; GMT-7:00), TrendLabs has declared a Medium risk alert in order to control this new WURMARK variant that is currently spreading in France, India, Singapore, and Taiwan.

To get a one-glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.

WORM_WURMARK.J Behavior Diagram

Description

This memory-resident worm arrives via email messages. It may also be downloaded by the malware detected by Trend Micro as TROJ_DLOADER.MI.

Upon execution, it drops a copy of itself in the Windows system folder using a random file name.

This worm drops several .ZIP files in the Windows system folder, which it uses as email attachments.

This worm propagates by sending a copy of itself via email. The email message contains the following details:

Subject: (any of the following)
• details
• girls
• image
• love
• message
• music
• news
• photo
• pic
• readme
• resume
• screensaver
• song
• video

Attachment: (any of the following file names)
• details.zip
• girls.zip
• image.zip
• love.zip
• message.zip
• music.zip
• news.zip
• photo.zip
• pic.zip
• readme.zip
• resume.zip
• screensaver.zip
• song.zip
• video.zip

The email that it sends does not contain any message body.
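
A mail-filter check for the message traits listed above (a listed subject, a listed .zip attachment name, no message body), as an added example that is not part of the original description and not Trend Micro code. The function names, the case-insensitive matching and the constructed sample message are assumptions.

```python
import email
import os
from email import policy

# Subject words listed on this page; the listed attachments are these words + ".zip".
WURMARK_J_WORDS = {
    "details", "girls", "image", "love", "message", "music", "news",
    "photo", "pic", "readme", "resume", "screensaver", "song", "video",
}

def match_wurmark_j(raw_bytes):
    """Report which of the three traits described above a raw message shows."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    # Assumption: compare case-insensitively and ignore surrounding whitespace.
    subject = str(msg["Subject"] or "").strip().lower()
    names = [os.path.basename(p.get_filename()).lower()
             for p in msg.walk() if p.get_filename()]
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""
    traits = {
        "subject_listed": subject in WURMARK_J_WORDS,
        "attachment_listed": any(
            n.endswith(".zip") and n[:-4] in WURMARK_J_WORDS for n in names),
        "empty_body": body_text == "",
    }
    traits["flag"] = all(traits.values())
    return traits

def sample(subject, filename, body=""):
    """Constructed multipart/mixed message for testing (not a captured sample)."""
    return (
        f"From: a@example.com\r\nTo: b@example.com\r\nSubject: {subject}\r\n"
        "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=B\r\n\r\n"
        f"--B\r\nContent-Type: text/plain\r\n\r\n{body}\r\n"
        "--B\r\nContent-Type: application/zip\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n"
        "UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==\r\n--B--\r\n"  # placeholder payload
    ).encode()

if __name__ == "__main__":
    print(match_wurmark_j(sample("photo", "photo.zip")))
    print(match_wurmark_j(sample("photo", "photo.zip", "Hi, see attached.")))
```

The listed words are common in ordinary mail, so treat `flag` as a triage signal for quarantine and scanning rather than a verdict.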


It also drops a randomly named Dynamic Link Library (DLL) file, which is a spyware detected as TSPY_AGENT.C, in the Windows system folder.

This worm also has a keylogging capability. It logs and saves user keystrokes in a randomly named .DLL file.


Description created: May. 9, 2005 6:13:43 AM GMT -0800
Description updated: May. 11, 2005 4:41:45 AM GMT -0800
