WORM_SOBIG.E
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Sobig.e (Kaspersky), W32/Sobig.e@MM (McAfee), W32.Sobig.E@mm (Symantec), Worm/Sobig.E (Avira), W32/Sobig-E (Sophos), Worm:Win32/Sobig.E@mm (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: Yes

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This worm propagates via network shares and via email using its own SMTP (Simple Mail Transfer Protocol) engine. It gathers its target email addresses from files with the following extensions:

  • WAB
  • DBX
  • HTM
  • HTML
  • EML
  • TXT

When constructing email, this worm spoofs the From field so that an address other than the account it actually sends from is displayed. The spoofed address may be support@yahoo.com, an email address harvested from the system, or the user name and domain of the currently logged-on user.

It sends email with the following details:

From: (any of the following)
support@yahoo.com
<username@domain.com>
<obtained email address>

Subject: (any of the following)
referer.pif
004448554.pif
re.document.pif
new_document.pif
submited.pif
Screensaver.scr
movie.pif
Applications.pif
Application.pif
Your application
Re: Re: Document
Re: Re: Application ref. 003644
Re: Documents
Re: Screensaver
Re: Submited (Ref: 003746)
Re: Movies
Re: Movie
Re: Application

Message body: Please see the attached zip file for details.

Attachment: (any of the following)
Movie.zip (Movie.pif)
screensaver.zip (sky_world.scr)
document.zip (document.pif)
application.zip (application.pif)
Your_details.zip (details.pif)

The attachment is a ZIP archive containing a single copy of this worm; the name of the file inside the archive is given in parentheses in the list above.
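The email traits listed above (fixed subject lines, fixed body text, fixed ZIP attachment names) are enough for a simple mail-gateway check. The following is an added example, not Trend Micro's code: a Python function that reports which WORM_SOBIG.E traits a raw message carries, run against a constructed sample message; the indicator values are taken from this page, and the From header is ignored because the worm spoofs it.

```python
# Added example (not Trend Micro's code): indicator values below are copied
# from this page's description; the sample message at the end is constructed.
from email import message_from_string

SOBIG_SUBJECTS = {
    "referer.pif", "004448554.pif", "re.document.pif", "new_document.pif",
    "submited.pif", "Screensaver.scr", "movie.pif", "Applications.pif",
    "Application.pif", "Your application", "Re: Re: Document",
    "Re: Re: Application ref. 003644", "Re: Documents", "Re: Screensaver",
    "Re: Submited (Ref: 003746)", "Re: Movies", "Re: Movie", "Re: Application",
}
SOBIG_ATTACHMENTS = {"Movie.zip", "screensaver.zip", "document.zip",
                     "application.zip", "Your_details.zip"}
SOBIG_BODY = "Please see the attached zip file for details."


def sobig_indicators(raw_message: str) -> list[str]:
    """Return the sorted WORM_SOBIG.E traits found in an RFC 822 message.
    All three (subject, body text, ZIP name) together is a strong hit; a lone
    generic subject like "Re: Movie" is only a hint. From is ignored: spoofed.
    """
    msg = message_from_string(raw_message)
    hits = set()
    if (msg.get("Subject") or "").strip() in SOBIG_SUBJECTS:
        hits.add("subject")
    for part in msg.walk():  # yields the message itself when not multipart
        if part.get_filename() in SOBIG_ATTACHMENTS:
            hits.add("attachment")
        elif part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if SOBIG_BODY in text:
                hits.add("body")
    return sorted(hits)


# Constructed sample message in the shape of the lure described above.
SAMPLE_SOBIG_MAIL = """\
From: support@yahoo.com
Subject: Re: Movie
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached zip file for details.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="Movie.zip"

--b1--
"""
```

Treat a result containing all three traits as a block-worthy match; a single "subject" hit on a common reply line needs other evidence before acting on it.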

A sample of this email would be:

[Figure: WORM_SOBIG.E sample email]

This worm deactivates its spreading routine on July 14, 2003. It runs on Windows 95, 98, ME, NT, 2000, and XP.


Description created: Jun. 25, 2003 1:15:48 PM GMT -0800
