Description:
To get a one-glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.
Malware Overview
This worm propagates by emailing copies of itself as an attachment to target recipients, using its own Simple Mail Transfer Protocol (SMTP) engine. With this built-in engine, it can send email messages without relying on other mailing applications, such as Microsoft Outlook.
The email message it sends out has the following details:
Subject: (any of the following)
• Come Be With Me, my Love!
• Love you with all my heart!
• My dream is coming true!
• See you tonight!
• Will You Be My Valentine?
Message body: (any of the following)
A stranger came to the door at eve,And he spoke the bridegroom fair.He bore a green-white stick in his hand,And, for all burden, care.He asked with the eyes more than the lipsFor a shelter for the night,And he turned and looked at the road afarWithout a window light.The bridegroom came forth into the porch
With, "Let us look at the sky,And question what of the night to be,Stranger, you and I."The woodbine leaves littered the yard,The woodbine berries were blue,Autumn, yes, winter was in the wind;"Stranger, I wish I knew."Within, the bride in the dusk alone Bent over the open fire,Her face rose-red with the glowing coalAnd the thought of the heart's desire.The bridegroom looked at the weary road,Yet saw but her within,And wished her heart in a case of goldAnd pinned with a silver pin.The bridegroom thought it little to giveA dole of bread, a purse,A heartfelt prayer for the poor of God,Or for the rich a curse;But whether or not a man was askedTo mar the love of twoby harboring woe in the bridal house,The bridegroom wished he knew.
---
Love at the lips was touchAs sweet as I could bear;And once that seemed too much;I lived on airThat crossed me from sweet things,The flow of - was it muskFrom hidden grapevine springsDown hill at dusk?I had the swirl and acheFrom sprays of honeysuckleThat when they re gathered shakeDew on the knuckle.I craved strong sweets, but thoseSeemed strong when I was young;The petal of the roseIt was that stung.Now no joy but lacks saltThat is not dashed with painAnd weariness and fault;I crave the stainOf tears, the aftermarkOf almost too much love,The sweet of bitter barkAnd burning clove.When stiff and sore and scarredI take away my hand
From leaning on it hardIn grass and sand The hurt is not enough:I long for weight and strengthTo feel the earth as roughTo all my length.
---
I woke up in a white roomwith white lace curtains.Snow covered landscape;I_m in Memphis for certainYesterday, it took over three hoursjust to travel the last twenty miles.But nothing is like my wife_s familyalways being greeted with smilesI was hoping for a White Christmas.You_d be surprise how simple I am.Be careful what you wish forGod may be listening to your plan.Most of the nation is coveredwith that dangerous and beautiful thingI am grateful for arriving safelyfor my wife_s happiness is everything.She wanted to see her family,her father, uncles and aunts.I ve kept her in Southwest Texas too long;this trip
I most willingly grant.So, here we are nowin a snowy southern wonderland.Waiting for Christmas dinner to come;a present only my wife can understand
Attachment: (any of the following)
• love_me.exe
• love_me_now.exe
• Mplay.exe
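The subject lines and attachment names listed above can be checked at a mail gateway or during mailbox triage. The following is an added example, not code from the original description: it parses a raw message and reports which of the listed indicators it matches. The function names, the sample messages, and the verdict policy (quarantine when both indicators match, review when only one does) are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the description above, lower-cased for comparison.
SUBJECTS = {
    "come be with me, my love!",
    "love you with all my heart!",
    "my dream is coming true!",
    "see you tonight!",
    "will you be my valentine?",
}
ATTACHMENTS = {"love_me.exe", "love_me_now.exe", "mplay.exe"}


def score_message(raw: bytes) -> dict:
    """Report which listed indicators a raw RFC 5322 message matches."""
    # policy.default unfolds headers and decodes RFC 2047 encoded-words.
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    # Walk every MIME part; file names compare case-insensitively.
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hits = [n.strip().lower() for n in names if n.strip().lower() in ATTACHMENTS]
    subject_match = subject in SUBJECTS
    # Assumed policy: a listed subject alone is plausible in benign mail,
    # so a single indicator only raises the message for review.
    if subject_match and hits:
        verdict = "quarantine"
    elif subject_match or hits:
        verdict = "review"
    else:
        verdict = "pass"
    return {"subject_match": subject_match, "attachment_hits": hits, "verdict": verdict}


def build_sample(subject: str, filename: str = None) -> bytes:
    """Constructed test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.com", subject
    m.set_content("placeholder body")
    if filename:
        m.add_attachment(b"placeholder, not an executable", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for subj, att in [("Will You Be My Valentine?", "love_me.exe"),
                      ("See you tonight!", None), ("Quarterly report", "report.pdf")]:
        print(subj, "->", score_message(build_sample(subj, att)))
```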
It is also capable of propagating via peer-to-peer (P2P) networks. It drops copies of itself in folders whose names contain the string SHAR, on the assumption that such folders are used by various P2P applications.
These copies are usually named after popular applications and actresses to entice users into downloading and executing them.
Upon execution on the affected system, this worm displays the following fake error message:
It does this to trick users into thinking that the program failed to execute.
It then creates an autostart registry entry. It also creates a registry entry to add itself to the Windows Firewall exception list, thus enabling it to bypass the affected system's firewall settings.
It deletes certain antivirus and security-related registry keys in order to make early detection and removal more difficult.
It waits for an active Internet connection and then accesses several Web sites to download various files. As a result, it may download malicious files that may further compromise system security.
Like earlier WORM_BAGLE variants, this worm also tries to remove instances of WORM_NETSKY variants from the affected system. It does this by creating several mutexes.
For additional information about this threat, see: Solution Technical Details
Description created: Feb. 15, 2006 7:04:11 AM GMT -0800