Description:
This worm arrives via email.
The email message informs the recipient that the sender has sent a greeting card and that, to view the card, the recipient must click the link in the message. Instead of showing a greeting card, the link downloads a copy of the worm.
The email message has the following details:
From: {Spoofed email address}
To: {Recipient}
Subject: Ola, {recipient's name}, {spoofed email address} comtem uma entrega para você!
Message:
Olá {name of recipient}, {name of sender} lhe enviou uma mensagem! Veja o cartão que preparei para você: http://www.o{BLOCKED}r/lercartao.php?id=8908993975A4132
Você também poderá visualizá-lo colocando o número do seu cartão
Here is a screenshot of the email message:

Roughly translated into English, the subject reads "Ola {name of recipient}, {name of sender} has a delivery for you!" The message, roughly translated into English, is:
Ola {name of recipient}, {name of sender} sent a message! See the card that I prepared for you:
http://www.o{BLOCKED}r/lercartao.php?id=8908993975A4132
You will be able to view it by entering the number of the card: {random number}
The worm searches the affected system for email addresses and sends the email message to these addresses.
This worm also accesses the following Web site and attempts to download and execute the file CRSS3.EXE (detected by Trend Micro as TSPY_BANKER.RN):
http://d423107.u31.websit{blocked}esource.net/web/base/gui
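A mail-filter check for the email indicators described above (the subject phrase and a link to lercartao.php carrying an id parameter), as an added example that is not part of the original description or Trend Micro's detection logic. The function name, the regular expressions, the example.test hosts and both sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes
from email.header import decode_header, make_header
from urllib.parse import parse_qs, urlsplit

# Indicators come from the description; regexes and sample data are constructed.
SUBJECT_RE = re.compile(r"comtem\s+uma\s+entrega\s+para\s+voc", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
LURE_SCRIPT = "/lercartao.php"

SAMPLE_LURE = (  # constructed message with placeholder hosts
    b"From: rui@example.test\r\nTo: ana@example.test\r\n"
    b"Subject: =?utf-8?q?Ola=2C_Ana=2C_rui=40example.test_comtem_uma_entrega_para_voc=C3=AA!?=\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"Veja o cartao: http://cards.example.test/lercartao.php?id=CONSTRUCTED123\r\n"
)
SAMPLE_BENIGN = (  # constructed message that must not match
    b"From: ana@example.test\r\nSubject: Meeting notes\r\n\r\n"
    b"Agenda: https://wiki.example.test/notes.php?id=42\r\n"
)


def lure_indicators(raw: bytes) -> list:
    """Return which indicators ("subject", "card-link") a raw message matches."""
    msg = message_from_bytes(raw)
    hits = []
    subject = msg.get("Subject", "")
    try:  # non-ASCII subjects arrive RFC 2047 encoded, so decode before matching
        subject = str(make_header(decode_header(subject)))
    except (LookupError, UnicodeError):
        subject = str(subject)
    if SUBJECT_RE.search(subject):
        hits.append("subject")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        # URLs are ASCII, so a latin-1 decode is lossless for this match.
        for url in URL_RE.findall(payload.decode("latin-1")):
            try:
                parts = urlsplit(url)
            except ValueError:  # malformed URL, nothing to compare
                continue
            is_lure = parts.path.lower().endswith(LURE_SCRIPT) and "id" in parse_qs(parts.query)
            if is_lure and "card-link" not in hits:
                hits.append("card-link")
    return hits


if __name__ == "__main__":
    print(lure_indicators(SAMPLE_LURE), lure_indicators(SAMPLE_BENIGN))
```

Matching on the script name and parameter rather than the host keeps the check useful when the sending domain changes; a message that hits only one of the two indicators is better routed to review than dropped.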
Description created: May. 19, 2005 11:40:26 PM GMT -0800