Description:
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
This worm propagates via email. On spammed email messages purporting to be electronic greeting cards (eCards) sent by contacts known to a target user, it includes a link where a copy of this worm can be downloaded. The message body of these spammed email messages are in GIF format. This qualifies these messages as image spam, a type of spam known for its ability to effectively escape email content filters.
The said eCards supposedly come from legitimate eCard Web sites. It gathers target email addresses from files with the certain file name extensions. It avoids sending email messages to addresses containing certain strings.
This worm uses the eDonkey2000/Overnet protocol to communicate with "peers" within the bot network it is a part of and to receive commands from its bot master.
It uses its own Simple Mail Transfer Protocol (SMTP) engine to send the email. Having its own SMTP engine allows it to send messages without using any mailing application, such as Microsoft Outlook.
Possibly in connection with its email propagation routine, it synchronizes the time of an affected system with a Network Time Protocol (NTP) server.
Moreover, it employs rootkit techniques to hide its files and processes. This routine enables it to avoid detection and easy removal from an affected system.
For additional information about this threat, see:
Solution
Technical Details
Description created: Jul. 1, 2007 7:34:22 AM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
