Presence of mutex 'SwebSipcSmtxS1'.
Presence of files 'zsdssfds.exe' and 'taskmon.exe' in %SYSDIR%.
Identify and kill the process ( if active ), then remove the registry keys and files from the system.
Automatic removal: let BitDefender disinfect infected files.
Alexandru Carp BitDefender Virus Researcher
The worm comes by mail, with the following characteristics:
'This is a multi-part message in MIME format.'
'Mail transaction failed. Partial message is available.'
'The message contains Unicode characters and has been sent as a binary attachment.'
'The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.'
'Mail Delivery System'
'Mail Transaction Failed'
The sender of the mail is spoofed.
Once executed, the worm:
- copies itself to Windows System directory as taskmon.exe;
- opens notepad with some binary data in it;
- checks for presence in memory by means of the mutex 'SwebSipcSmtxS1';
- searches in files with the extension wab,htm,sht,php,asp,dbx,tbb,adb for mail addresses;
- also checks the default Windows Addressbook file;
- uses DNS and the registry in order to find a STMP server;
- opens multiple threads for sending mail;
- downloads the file at 'http://jljfytdtk.chat.ru/DSC00173.jpg' as 'zsdssfds.exe'.
This worm is by no means special.