My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


50720 bytes, 32768 bytes


The following files in %windir%:
Sys32.exe, sys32.cfg
Outlook.exe, outlook.cfg

The following files in C:\ directory:
Mshome.hta, Logo.jpg, wind.gif, logobig.gif
mminfo2.txt, mminfo.txt

The following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system with value %windir%\sys32.exe

Removal instructions:

Let BitDefender delete the infected files it finds

Analyzed By

Sorin Victor Dudea

Technical Description:

This is an polymorphic mass mailer with backdoor capabilities.
It arrives in the following format:
where %name% can be any name from the following list:


%yourdomain% is your computer domain name.
%domain% is one of the following:


Subject and body:
A combination of words contained in the worm body.
cool pictures just for you

Hello my darling Barbara
It’s amazing
My sister had best sex I ever seen last night with the friend of Alice
I turned on my digital hp video camera and create a lot of excellent pictures!
I beg you do not show it anybody else, deal?

A combination from the following words:

My, priv, private, prv, the, best, super, great, cool, wild, sex and
Pic, img, phot, photos, pctrs, images, imgs, scene, plp, act, action

with one of the following extensions:

.pif, .scr, .exe, .jpg.scr, .jpg.pif, .jpg.exe, .gif.exe, .gif.pif, .gif.scr

Example of attachment:


It is made by 2 components:
a polimorphic dropper and the worm itself.
The dropper is the file that comes as an attachment in an infected e-mail. When the user opens the attachment the dropper polymorphs itself and copies itself to %windir%\sys32.exe
It adds the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system with value:%windir%\sys32.exe
Then it drops the file outlook.exe in %windir%, it executes it and displays an error message:
'ERROR: Bad CRC32'

The outlook.exe is the internet worm.
After it is run it does the following:
It scans for internet services running at the infected computer and sends them
to some e-mail address.
It gathers e-mail addresses from all the files in computer except files with the
the following extensions:
com, wav, cab, pdf, rar, zip, tif, psd, ocx, vxd, mp3, mpg, avi, dll, exe, gif, jpg, bmp
It saves the e-mail addresses it finds in the following file:
It sends the <sys32.exe file to all the e-mail addresses it the same format it arrives.
It opens a shell on port 3000 and waits for connections.
It waits for remote connections on port 6667.
It drops the file c:\mshome.hta and executes it.
The hta file it is used for gathering personal information. These information are then sent to some e-mail addresses
The worm also uses the following registry keys for keeping track of its progress:

The worm contains the following text:

*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version. WARNING: ********* will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? *** visit our friendly site **************'