25 January 2006
18 January 2006
Installation to system Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations: %Windows%\rundll16.exe %System%\scanregw.exe %System%\Update.exe %System%\Winzip.exe where '%Windows%' presents the system Windows folder. In Windows XP systems, it is usually C:\WINDOWS. '%System%' is the system32 folder. The worm installs the following registry key for ensuring it will be started on system startup: [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ScanRegistry" = "%System%\scanregw.exe" Spreading in e-mails The worm collects e-mail addresses from files with following extensions: .HTM .DBX .EML .MSG .OFT .NWS .VC .MBX .IMH .TXT .MSF And from the files with the following string in name: CONTENT TEMPORARY The worm sends itself as attachment in the infected e-mail. The e-mail subject is one the following: The Best Videoclip Ever School girl fantasies gone bad A Great Video Fuckin Kama Sutra pics Arab sex DSC-00465.jpg give me a kiss *Hot Movie* Fw: Funny :) Fwd: Photo Fwd: image.jpg Fw: Sexy Re: Fw: Part 1 of 6 Video clipe You Must View This Videoclip! Miss Lebanon 2006 Re: Sex Video My photos The message body may be one of the following: Note: forwarded message attached. Hot XXX Yahoo Groups Fuckin Kama Sutra pics ready to be FUCKED ;) Note: forwarded message attached. forwarded message attached. VIDEOS! FREE! (US$ 0,00) i attached the details. Thank you. >> forwarded message ----- forwarded message ----- i just any one see my photos. It's Free :) The worm can attach itself as executable file. It uses one the following names in attachment: 007.pif School.pif 04.pif photo.pif DSC-00465.Pif image04.pif 677.pif New_Document_file.pif eBook.PIF document.pif DSC-00465.pIf Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following: Attachments.B64 3.92315089702606E02.UUE SeX.mim Original Message.B64 WinZip.BHX eBook.Uu Word_Document.hqx Word_Document.uu The filename inside MIME-encoding is one of the following: Attachments.B64 [spaces] .sCR 3.92315089702606E02.UUE [spaces] .sCR SeX,zip [spaces] .sCR WinZip.zip [spaces] .sCR ATT01.zip [spaces] .sCR WinZip.zip [spaces] .sCR Word.zip [spaces] .sCR Word XP.zip [spaces] .sCR Spreading in shared folders The worm searches for remote shared folders and tries to copy itself using one of the following filenames: \Admin$\WINZIP_TMP.exe \c$\WINZIP_TMP.exe \c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe Other details The worm attempts to disable several security-related programs.