|Detected||Feb 09 2006 14:20 GMT|
|Released||Feb 09 2006 14:20 GMT|
|Published||Mar 30 2006 11:57 GMT|
This worm spreads via the Internet as an attachment to infected messages. It also spreads via file-sharing networks. It sends itself to email addresses harvested from the victim machine.
The worm has backdoor functionality. It is also able to download other files from the Internet without the knowledge or consent of the user.
The worm itself is a PE EXE file approximately 26KB in size.
Once launched, the worm causes the following error message to be displayed:
During installation, the worm copies itself to the Windows system directory under the following names:
%System%\regmaping.exe %System%\regmaping.exeopen %System%\regmaping.exeopenopen
The worm then registers itself in the system registry, ensuring that it will be launched each time Windows is rebooted on the victim machine:
The worm also creates a file named winresw.exe in the Windows root directory:
This file is the worm's Trojan component which downloads other files from the Internet without the user's knowledge.
The worm sends itself to email addresses harvested from files with the extensions listed below:
adb asp cfg cgi dbx dhtm eml htm jsp mbx mdx mht mmf msg nch ods oft php pl sht shtm stm tbb txt uin wab wsh xls xml
When sending infected messages, the worm establishes a direct connection to the recipient's SMTP server.
The worm does not send itself to addresses which contain the strings listed below:
@avp. @foo @hotmail @iana @messagelab @microsoft @msn abuse admin anyone@ bsd bugs@ cafee certific contract@ feste free-av f-secur gold-certs@ google help@ icrosoft info@ kasp linux listserv local news nobody@ noone@ noreply ntivi panda pgp postmaster@ rating@ root@ samples sopho spam support unix update winrar winzip
Dear Sir or Madam,
This notification is just a friendly reminder (not a bill or a second charge) that on 15-JAN-06, you placed an order from Symantec Store. This order was paid using your Visa, whose last 4 digits are ************2346, and will be appearing on your billing statement shortly. The charge will appear as DR *Symantec. This is just a reminder to help you recognize the charge. You will not be charged again.
You antivirus definition file is attached to this email, please install it to be perfectly protected from the latest viruses and other internet threats.
Details about your reciept attached with this email. You have to use Adobe Acrobat Reader to open it.
Transaction Number: <random number>
This is your receipt for your $1490 purchase of a 1.0 months
subscription which will appear on your statement as <random number>.
Your membership will automatically renew per the terms and conditions.
Should you ever have any
problems whatsoever, please don't hesitate to contact our live technical support staff - available 24 hours a day 7 days a week. We can be reached by phone toll free in the US at 800-***-8593. Rather use email?
Drop us a line at email@example.com and we'll always get back to you within an hour.
Enjoy the service!
Your email <recipient's address> has exceeded its
bandwidth quota in the period beginning on 2006-01-01.
Your quota is set to 10485760 bytes (10.0 MB), and
your email has consumed 559189702 bytes (533.285 MB) beyond that quota.
Our over-bandwidth charges are
Additional Bandwidth/Month Monthly Cost
100 Mb $200.00
200 MB $360.00
300 MB $480.00
400 MB $624.00
500 Mb $740.00 <- your over-usage
600 Mb $850.00
Our automatically generated bill is attached with this email.
The attachment may contain a text file called Description.txt, which contains the following text:
The worm creates copies of itself in all subdirectories which have the word "Shar" in the name. The copies are saved under names chosen from the list below:
The worm opens TCP port 6777 to listen for commands.
The winresw.exe component created by the worm contains a list of URLs which the worm checks for the presence of files. If a file is placed on one of these URLs, the worm will download it to the victim machine, and launch it for execution.
The worm may download updates to itself, or other malicious programs from these URLs.
The worm deletes the following records from the system registry:
The worm body contains the following strings:
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.