After decrypting its data, worm is using www.whatismyip.com to get IP address of the newly infected host. Next, it will harvest e-mail addresses: It will extract e-mail addresses from Thunderbird, MS Outlook, and will also search in files from all devices.
It will install itself in registry, this way will make sure it survives after reboot.
your system security by editing registry key:
This worm should also set registry key:
but because of a bug in its code, won't do this correctly.
These settings in registry will allow users to automatically download and execute files from internet without any popups informing you about the security problem.
It Will add itself to the firewall's Authorized applications list.
in order to do this, modifies registry key:
"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" will add "%WinDir%\system32\vxworks.exe", this way windows firewall will permit internet activity for this worm.
Meanwhile, another component detected as Backdoor.Bot.67413 is loaded. This one has backdoor capability, and will also log everything you type, and save in a file (drm.ocx). Then will send this file to a server.Spreading mechanism:
Worm will spread by copying itself into shared folders of Peer-2-Peer Applications (Kazza, DC++, eMule, Morpheus, Tesla, etc) using the following "hot" file names:
"Windows XP PRO Corp SP3 valid-key generator.exe"
"Kaspersky Internet Security 2009 keygen.exe"
"Tuneup Ultilities 2008.exe"
"Joannas Horde Leveling Guide TBC Woltk.exe"
"Wow WoLTk keygen generator-sfx.exe"
"FOOTBALL MANAGER 2009.exe"
"Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe"
"Half life 3 preview 10 minutes gameplay video.exe"
"Sophos antivirus updater bypass.exe"
"xbox360 flashing tools and guide including bricked drive fix.exe"
"Google Earth Pro 4.2. with Maps and crack.exe"
"Ultimate xxx password generator 2009.exe"
"Perfect keylogger family edition with crack.exe"
"Divx Pro 18.104.22.168 + keymaker.exe"
"G-Force Platinum v3.7.5.exe"
"Power ISO v4.2 + keygen axxo.exe"
"Super Utilities Pro 2009 11.0.exe"
"CleanMyPC Registry Cleaner v6.02.exe"
"Alcohol 120 v1.9.7.exe"
"Silkroad Online guides and wallpapers.exe"
"Download Boost 2.0.exe"
"Daemon Tools Pro 4.11.exe"
"Absolute Video Converter 6.2.exe"
"Microsoft Visual Studio 2008 KeyGen.exe"
"Smart Draw 2008 keygen.exe"
"Motorola, nokia, ericsson mobil phone tools.exe"
"Nero 8 Ultra Edition 22.214.171.124 Full Retail.exe"
"Myspace theme collection.exe"
"Internet Download Manager V5.exe"
"Opera 10 cracked.exe"
"Download Accelerator Plus v8.7.5.exe"
"LimeWire Pro v4.18.3.exe"
"Acker DVD Ripper 2009.exe"
"Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe"
"Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe"
"Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe"
"Norton Anti-Virus 2009 Enterprise Crack.exe"
"BitDefender AntiVirus 2009 Keygen.exe"
"Red Alert 3 keygen and trainer.exe"
"TCN ISO SigmaX2 firmware.bin.exe"
"TCN ISO cable modem hacking tools.exe"
"WinRAR v3.x keygen RaZoR.exe"
"Adobe Photoshop CS4 crack.exe"
"Adobe Acrobat Reader keygen.exe"
"Windows 2008 Enterprise Server VMWare Virtual Machine.exe"
"Youtube Music Downloader 1.0.exe"
"K-Lite codec pack 4.0 gold.exe"
Will also spread by copying itself into any removable media connected to the system, creating an "autorun.inf" file to execute the worm when the device is connected to another system.
This worm is also a mass-mailer using its own SMTP engine, like many others. It sends itself to the harvested e-mail addresses.
Mails can arrive in various types:Subject
: "Mcdonalds wishes you Merry Christmas!"Sender
: "Coca Cola is proud to accounce our new Christmas Promotion." Sender
: "You've received A Hallmark E-Card!'"Sender
Screen captures below
Attachments are compressed files, containing the worm itself.