It arrives as an e-mail in the following format:

From: admin@%domain%
(%domain% is the same domain as the recipient's domain.)

Subject: Your account %randomstring%

Body:
Hello there,
I would like to inform you about important information regarding your email address. This email address will be expiring.
Please read attachment for details.
Best regards, Administrator

Same %randomstring%
Attachment: Message.zip
When the user opens the attachment, they find a file named message.html. That file contains the executable worm encapsulated in a specially formatted HTML file. The worm uses a codebase exploit: when the HTML file is opened, it drops foo.exe into the Temporary Internet Files folder and executes it.

For more information about this exploit see: http://support.microsoft.com/default.aspx?scid=kb;en-us;330994
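The arrival pattern above (sender "admin@" at the recipient's own domain, a "Your account" subject with a random token, and a .zip attachment carrying an HTML file) is specific enough to score at a mail gateway. The following is an added example, not code from the original description or from the worm: a heuristic filter that parses a raw message, reports which of the three traits are present, and flags the mail when at least two match. The sample messages, the function names and the 2-of-3 threshold are this example's own constructions; the placeholder HTML inside the zip stands in for the payload and only its name matters here.

```python
# Added example (not from the original description): heuristic mail filter for
# the described arrival pattern. Sample data and threshold are constructed.
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject pattern from the description: "Your account %randomstring%"
SUBJECT_RE = re.compile(r"^your account\s+\S+$", re.IGNORECASE)


def build_sample_eml() -> bytes:
    """Construct a message in the described format (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = "admin@example.test"
    msg["To"] = "alice@example.test"
    msg["Subject"] = "Your account x7q2m9"
    msg.set_content(
        "Hello there,\nI would like to inform you about important information "
        "regarding your email address. This email address will be expiring.\n"
        "Please read attachment for details.\nBest regards, Administrator\n"
    )
    # Placeholder HTML stands in for the real payload; only the name and type matter.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("message.html", "<html><body>placeholder</body></html>")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Message.zip")
    return msg.as_bytes()


def build_benign_eml() -> bytes:
    """Constructed ordinary message that shares none of the traits."""
    msg = EmailMessage()
    msg["From"] = "bob@partner.test"
    msg["To"] = "alice@example.test"
    msg["Subject"] = "Minutes from today"
    msg.set_content("Attached as discussed.\n")
    msg.add_attachment("notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: bytes) -> dict:
    """Return which traits of the described worm mail a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    to_addr = parseaddr(str(msg.get("To", "")))[1]
    to_domain = _domain(to_addr)
    traits = {
        # From: admin@<the recipient's own domain>
        "admin_at_recipient_domain": from_addr.lower().startswith("admin@")
        and to_domain != "" and _domain(from_addr) == to_domain,
        # Subject: "Your account <random>"
        "subject_your_account": bool(SUBJECT_RE.match(str(msg.get("Subject", "")).strip())),
        # A .zip attachment that carries an HTML file (Message.zip -> message.html)
        "zip_with_html_inside": False,
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if any(n.lower().endswith((".html", ".htm")) for n in zf.namelist()):
                    traits["zip_with_html_inside"] = True
        except zipfile.BadZipFile:
            pass  # not a real zip archive; outside this pattern
    score = sum(1 for v in traits.values() if v)
    traits["score"] = score
    traits["matches_pattern"] = score >= 2
    return traits


if __name__ == "__main__":
    print(score_message(build_sample_eml()))
    print(score_message(build_benign_eml()))
```

Scoring traits rather than matching the exact body text keeps the rule useful when the wording or the attachment name changes; the sender-equals-recipient-domain check in particular is cheap and rarely true for legitimate administrative mail arriving from outside.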
Once foo.exe is executed, the worm creates the following files:

%WINDOWS%\videodrv.exe is a copy of foo.exe
A second file (name not given) is the zipped file that will be sent as the attachment when spreading
%WINDOWS%\exe.tmp is a copy of message.html

It also creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VideoDriver
with the value: %WINDOWS%\videodrv.exe
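The dropped files and the Run-key entry above are what an incident responder would look for on a host. The following is an added example, not code from the original description: a checker that takes the Windows directory, the list of files present, and the Run-key values as inputs (so the logic can be exercised on any system with constructed data) and, on a live Windows host, gathers those inputs itself. The indicators are exactly those listed in the description; the function names, the sample inputs and the choice to also match a Run value by its target path rather than only by the name "VideoDriver" are this example's own.

```python
# Added example (not from the original description): host check for the
# drop and persistence artifacts listed above. Sample inputs are constructed.
import os
import sys

# Indicators taken from the description; %WINDOWS% is expanded at check time.
DROPPED_FILES = [r"%WINDOWS%\videodrv.exe", r"%WINDOWS%\exe.tmp", r"%WINDOWS%\Eml.tmp"]
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "VideoDriver"
RUN_VALUE_DATA = r"%WINDOWS%\videodrv.exe"


def expand(path: str, windows_dir: str) -> str:
    """Replace the %WINDOWS% placeholder with the real Windows directory."""
    return path.replace("%WINDOWS%", windows_dir.rstrip("\\"))


def check_host(windows_dir: str, existing_files, run_entries: dict) -> list:
    """existing_files: absolute paths present on the host.
    run_entries: value name -> value data under the HKLM Run key.
    Returns (kind, detail) findings; an empty list means no indicator matched."""
    present = {p.lower() for p in existing_files}
    findings = []
    for ioc in DROPPED_FILES:
        full = expand(ioc, windows_dir)
        if full.lower() in present:
            findings.append(("file", full))
    expected = expand(RUN_VALUE_DATA, windows_dir).lower()
    for name, data in run_entries.items():
        # Match by value name (the listed indicator) and by launched path: the
        # name is trivially changed, the path to videodrv.exe is the persistence.
        target = str(data).strip('"').lower()
        if name.lower() == RUN_VALUE_NAME.lower() or target == expected:
            findings.append(("run_key", f"{RUN_KEY}\\{name} = {data}"))
    return findings


def collect_live():
    """Gather the inputs from a live Windows host; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    windows_dir = os.environ.get("WINDIR", r"C:\Windows")
    files = [expand(p, windows_dir) for p in DROPPED_FILES
             if os.path.exists(expand(p, windows_dir))]
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            entries[name] = data
            i += 1
    return windows_dir, files, entries


if __name__ == "__main__":
    live = collect_live()
    if live is None:
        # Constructed sample input for a run on a non-Windows machine.
        live = (r"C:\Windows",
                [r"C:\Windows\videodrv.exe", r"C:\Windows\System32\calc.exe"],
                {"VideoDriver": r"C:\Windows\videodrv.exe",
                 "Updater": r"C:\Program Files\Updater\u.exe"})
    for kind, detail in check_host(*live):
        print(kind, detail)
```

On a live host the files list and Run-key snapshot would normally be pulled from a collected triage image or an EDR query rather than read in place; keeping check_host free of OS calls is what makes the same logic usable in both settings.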
The worm uses its own SMTP engine to send the e-mails. It searches every file for e-mail addresses, except files with the following extensions: com
All the addresses it finds are added to the following file: %WINDOWS%\Eml.tmp
The worm then sends itself to all the e-mail addresses it has found, in the same format in which it arrives.

NOTE: The HTML file inside the zip has variable size.