Description:
This memory-resident worm propagates via email and network shares. Upon execution, it drops the following files in the Windows system folder:
- Drvsys.exe
- Drvsys.exeopen
- Drvsys.exeopenopen
It may also create more copies of itself, with the string "open" appended to the file names of these additional copies.
The email it sends out has varying subjects, message bodies, and attachment file names. It uses specific user names followed by the domain of the recipient's email address to spoof the From field. It sends two attachments. One of them is a picture of a girl in .JPEG format. The other attachment is a copy of this worm with any of the following extension names:
- COM
- CPL
- EXE
- HTA
- SCR
- VBS
- ZIP
Below is a sample email screenshot:
It also searches for target email addresses in files having certain extensions. However, it skips those addresses that contain particular strings.
This worm drops copies of itself using specific file names in folders that contain the string "shar" in their folder names. This routine is an attempt at propagating via shared folders.
It terminates several antivirus and security programs. It also creates a separate thread that listens on port 2535 for commands from remote users. It then tries to connect to several Web sites.
This worm deletes several registry entries that WORM_NETSKY variants and other normal applications use to automatically run. After January 25, 2005, it also deletes a certain registry key and entry in what appears to be an attempt at uninstalling itself.
This UPX-compressed malware runs on Windows 95, 98, ME, NT, 2000, and XP.
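A host-triage check for two indicators named in this description, the Drvsys.exe copies dropped in the Windows system folder and the listener on port 2535, given here as an added example that is not part of the original write-up. It assumes the listener is TCP and that the inputs are a directory listing and `netstat -an` style text; the function names and sample data are constructed for illustration.

```python
import re

# File names from the description: Drvsys.exe plus copies with "open" appended
# one or more times. Windows file names are case-insensitive.
DROP_NAME = re.compile(r"drvsys\.exe(?:open)*", re.IGNORECASE)
COMMAND_PORT = 2535  # port the worm's listener thread uses, per the description


def dropped_copies(file_names):
    """Return the names that match the worm's drop-file pattern exactly."""
    return [n for n in file_names if DROP_NAME.fullmatch(n)]


def listeners_on_command_port(netstat_text):
    """Return local endpoints in LISTENING state on COMMAND_PORT.

    Expects `netstat -an` style rows: proto, local, foreign, state.
    Assumption: the listener is TCP; the description does not name the protocol.
    """
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # skips the header row, UDP rows and blank lines
        local, state = fields[1], fields[3]
        port = local.rsplit(":", 1)[-1]  # also handles [::]:2535
        if state.upper() == "LISTENING" and port == str(COMMAND_PORT):
            hits.append(local)
    return hits


# Constructed sample data, not taken from a real host.
SAMPLE_SYSTEM_DIR = ["drivers.exe", "DRVSYS.EXE", "Drvsys.exeopen",
                     "Drvsys.exeopenopenopen", "drvsys.exe.bak", "notepad.exe"]
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2535           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1043          192.0.2.10:2535        ESTABLISHED
  TCP    0.0.0.0:25350          0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    print("drop files:", dropped_copies(SAMPLE_SYSTEM_DIR))
    print("listeners :", listeners_on_command_port(SAMPLE_NETSTAT))
```

A port match alone is weak evidence, since other software can bind 2535; treat it as a hit only alongside the file indicator.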
For additional information about this threat, see the Solution and Technical Details sections.
Description created: Apr. 26, 2004 8:51:34 AM GMT -0800
Description updated: May. 20, 2004 11:00:25 AM GMT -0800