50720 bytes, 32768 bytes
The following files in %windir%:
The following files in C:\ directory:
Mshome.hta, Logo.jpg, wind.gif, logobig.gif
The following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system with value %windir%\sys32.exe
Let BitDefender delete the infected files it finds
Sorin Victor Dudea
This is a polymorphic mass mailer with backdoor capabilities.
It arrives in the following format:
where %name% can be any name from the following list:
%yourdomain% is your computer domain name.
%domain% is one of the following:
Subject and body:
A combination of words contained in the worm body.
cool pictures just for you
Hello my darling Barbara
My sister had best sex I ever seen last night with the friend of Alice
I turned on my digital hp video camera and create a lot of excellent pictures!
I beg you do not show it anybody else, deal?
A combination of one word from each of the following two lists:
My, priv, private, prv, the, best, super, great, cool, wild, sex
Pic, img, phot, photos, pctrs, images, imgs, scene, plp, act, action
with one of the following extensions:
.pif, .scr, .exe, .jpg.scr, .jpg.pif, .jpg.exe, .gif.exe, .gif.pif, .gif.scr
Example of attachment:
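The naming scheme above (one word from each list followed by one of the listed extensions, several of them double extensions) is regular enough to be matched at a mail gateway. The following Python is an added example written for this entry; it is not BitDefender's code and not part of the worm. The word lists and extensions are taken from the entry; the regex shape (an optional `_` or `-` between the two words), the verdict names and the sample message are constructed assumptions.

```python
import email
import email.policy
import re

# Word lists and extensions exactly as the entry gives them.
FIRST_WORDS = ["my", "priv", "private", "prv", "the", "best", "super",
               "great", "cool", "wild", "sex"]
SECOND_WORDS = ["pic", "img", "phot", "photos", "pctrs", "images", "imgs",
                "scene", "plp", "act", "action"]
EXTENSIONS = [".pif", ".scr", ".exe", ".jpg.scr", ".jpg.pif", ".jpg.exe",
              ".gif.exe", ".gif.pif", ".gif.scr"]
EXECUTABLE_TAILS = (".pif", ".scr", ".exe")

def _alt(words):
    # Longest alternatives first so "private" is tried before "priv".
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))

# Anchored, case-insensitive: <first>[_-]?<second><ext>
# The optional separator is an assumption; the entry only says "a combination".
_PATTERN = re.compile(
    r"^(?P<first>" + _alt(FIRST_WORDS) + r")[_-]?"
    r"(?P<second>" + _alt(SECOND_WORDS) + r")"
    r"(?P<ext>" + _alt(EXTENSIONS) + r")$",
    re.IGNORECASE,
)
# Generic fallback: any "<something>.<short ext>.<exe|scr|pif>" double extension.
_DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.(?:pif|scr|exe)$", re.IGNORECASE)

def classify_attachment(filename):
    """Return (verdict, reason) for one attachment file name.

    Verdicts (constructed for this example): block, quarantine, review, allow.
    """
    name = filename.strip()
    m = _PATTERN.match(name)
    if m:
        return ("block", "matches worm naming scheme: %s + %s%s"
                % (m.group("first"), m.group("second"), m.group("ext")))
    if _DOUBLE_EXT.search(name):
        return ("quarantine", "double extension ending in an executable type")
    if name.lower().endswith(EXECUTABLE_TAILS):
        return ("review", "executable attachment type")
    return ("allow", "no indicator")

def scan_message(raw_message):
    """Parse an RFC 822 message and classify every attachment by file name."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        if fname:
            verdict, reason = classify_attachment(fname)
            results.append((fname, verdict, reason))
    return results

# Constructed sample message; the subject and body line reuse text quoted in
# the entry, the attachment payload is a meaningless base64 stub.
SAMPLE_MAIL = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: cool pictures just for you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello my darling Barbara
--b1
Content-Type: application/octet-stream; name="privphotos.jpg.scr"
Content-Disposition: attachment; filename="privphotos.jpg.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

if __name__ == "__main__":
    for fname, verdict, reason in scan_message(SAMPLE_MAIL):
        print(f"{fname}: {verdict} ({reason})")
```

The specific pattern gives a high-confidence "block" for names the worm actually generates; the generic double-extension rule catches the same trick with other words and is the check worth keeping after this particular family is gone.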
It consists of two components:
a polymorphic dropper and the worm itself.
The dropper is the file that arrives as the attachment of an infected e-mail. When the user opens the attachment, the dropper re-encodes itself (it is polymorphic) and copies itself to %windir%\sys32.exe
It adds the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system with value: %windir%\sys32.exe
Then it drops the file outlook.exe in %windir%, executes it, and displays the error message:
'ERROR: Bad CRC32'
outlook.exe is the Internet worm itself.
After it is run it does the following:
It scans for Internet services running on the infected computer and reports them
to an e-mail address.
It gathers e-mail addresses from all the files on the computer except files with
the following extensions:
com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg, bmp
It saves the e-mail addresses it finds in the following file:
It sends sys32.exe to all the e-mail addresses it found, in the same format in which it arrived.
It opens a shell on port 3000 and waits for connections.
It waits for remote connections on port 6667.
It drops the file c:\mshome.hta and executes it.
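The persistence entry (Run\system pointing at %windir%\sys32.exe), the two listening ports (3000 and 6667) and the dropped files named above are the host-side indicators a responder would check. The following Python is an added example for this entry, not BitDefender's tool and not code from the worm: it takes the text output of `reg query` and `netstat -an` (the two constructed samples are embedded) plus a list of paths found on disk, and reports which of the entry's indicators are present. The `C:\WINDOWS` expansion of %windir% and the function names are assumptions.

```python
import re

# Indicators as stated in the entry.
RUN_VALUE_NAME = "system"
RUN_VALUE_DATA = r"%windir%\sys32.exe"
BACKDOOR_PORTS = {3000, 6667}
DROPPED_FILES = [r"%windir%\sys32.exe", r"%windir%\outlook.exe", r"C:\mshome.hta"]

def expand_windir(path, windir=r"C:\WINDOWS"):
    # Assumed default; on a real host take it from the WINDIR environment variable.
    return path.replace("%windir%", windir)

def check_run_entries(reg_query_output, windir=r"C:\WINDOWS"):
    """Find the worm's Run value in `reg query ...\\Run` output.

    Matches lines of the form '    name    REG_SZ    data' (REG_EXPAND_SZ too)
    and compares name and expanded data case-insensitively.
    """
    wanted = expand_windir(RUN_VALUE_DATA, windir).lower()
    hits = []
    for line in reg_query_output.splitlines():
        m = re.match(r"\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)", line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if name.lower() == RUN_VALUE_NAME and expand_windir(data, windir).lower() == wanted:
            hits.append((name, data))
    return hits

def check_listeners(netstat_output):
    """Return the backdoor ports found in LISTENING state in `netstat -an` output."""
    hits = set()
    for line in netstat_output.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            hits.add(int(m.group(1)))
    return sorted(hits)

def check_dropped_files(present_paths, windir=r"C:\WINDOWS"):
    """Return the dropped-file indicators that appear in a list of existing paths."""
    present = {p.lower() for p in present_paths}
    return [f for f in DROPPED_FILES if expand_windir(f, windir).lower() in present]

def triage(reg_query_output, netstat_output, present_paths, windir=r"C:\WINDOWS"):
    """Combine the three checks into one report; 'infected' needs at least one hit."""
    report = {
        "run_entries": check_run_entries(reg_query_output, windir),
        "listening_ports": check_listeners(netstat_output),
        "dropped_files": check_dropped_files(present_paths, windir),
    }
    report["infected"] = any(report[k] for k in ("run_entries", "listening_ports", "dropped_files"))
    return report

# Constructed sample output of `reg query HKLM\...\Run` on an infected host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    system        REG_SZ    C:\WINDOWS\sys32.exe
"""

# Constructed sample output of `netstat -an`.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1041          10.0.0.9:445           ESTABLISHED
"""

# Constructed list of paths a file-system sweep found.
SAMPLE_PATHS = [r"C:\WINDOWS\sys32.exe", r"C:\mshome.hta", r"C:\WINDOWS\explorer.exe"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

Each check is independent, so a host where only the Run value survives (the worm process killed but the file left behind) still shows up; the listening-port check is also the one to turn into a network rule, since both ports are fixed.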
The .hta file is used to gather personal information, which is then sent to e-mail addresses.
The worm also uses the following registry keys for keeping track of its progress:
The worm contains the following text:
'*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version. WARNING: ********* will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? *** visit our friendly site **************'