Description:
This memory-resident worm propagates by mass-mailing copies of itself to recipients whose addresses it gathers from the infected system. It uses its own Simple Mail Transfer Protocol (SMTP) engine to send the email messages.
The email details are as follows:
From: <spoofed>
Subject: any of the following
• <blank>
• Error
• Circus
• Server Report
• Mail Transaction Failed
• Mail Delivery System
Message Body: any of the following
• <blank>
• <random characters>
• test
• Mail transaction failed. Partial message is available.
• The message contains Unicode characters and has been sent as a binary attachment.
• The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment:
The malware attachment may have any of the following file names:
• thank
• game
• body
• message
• test
• data
• file
• text
• readme
• document
The file name may have two extensions. The first may be any of the following extension names, followed by several spaces:
• doc
• htm
• txt
The second extension (or the only extension, if the attachment has just one) is any of the following:
• bat
• cmd
• exe
• scr
• pif
• zip
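The attachment naming scheme listed above can be checked at a mail gateway. The following is an added example, not part of the original description or of any vendor tool; the function names `classify` and `scan_message` and the sample message are constructed for illustration. It treats a decoy extension padded with spaces as a strong signal and a single-extension name from the list as a weak one.

```python
import re
from email import message_from_string

# Values copied from the lists in this description.
BASE_NAMES = {"thank", "game", "body", "message", "test",
              "data", "file", "text", "readme", "document"}
DECOY_EXTS = {"doc", "htm", "txt"}
FINAL_EXTS = {"bat", "cmd", "exe", "scr", "pif", "zip"}

# base name, optional ".decoy" plus space padding, then the final extension
NAME_RE = re.compile(r"^([^.]+)(?:\.([^.\s]+)(\s+))?\.([^.\s]+)$")

def classify(filename):
    """Return 'padded-double-ext', 'name-match' or None for one file name."""
    m = NAME_RE.match(filename.strip().lower())
    if not m or m.group(4) not in FINAL_EXTS:
        return None
    base, decoy = m.group(1), m.group(2)
    if decoy is not None:
        # A decoy extension padded with spaces hides the real one: strong signal.
        return "padded-double-ext" if decoy in DECOY_EXTS else None
    # Single extension: only the base name ties it to this description (weak).
    return "name-match" if base in BASE_NAMES else None

def scan_message(raw):
    """Map each flagged attachment file name in a raw message to its verdict."""
    hits = {}
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        verdict = classify(name) if name else None
        if verdict:
            hits[name] = verdict
    return hits

# Constructed sample message (not a captured specimen).
SAMPLE = (
    "From: sender@example.com\n"
    "Subject: Mail Transaction Failed\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\n"
    "Mail transaction failed. Partial message is available.\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="document.txt          .scr"\n\n'
    "AAAA\n--b1--\n"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A `name-match` on its own (for example `data.zip`) is common in legitimate mail and is better used to raise a score than to block.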
It has a DLL backdoor component, which opens TCP port 3127 and listens for commands from a remote host. This component also enables the worm to act as a mail relay.
Its payload opens a text file containing garbage data in Notepad.
It is written in Visual C++ and arrives as a UPX-compressed file. It runs on Windows 95, 98, ME, NT, 2000 and XP.
Description created: May. 19, 2004 4:01:50 PM GMT -0800
Description updated: May. 27, 2004 4:01:50 PM GMT -0800