This is a mass-mailing worm that arrives in an email message as follows:

From: (spoofed)
Subject: (Random)
Body: (Varies, such as)
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
- The message contains Unicode characters and has been sent as a binary attachment.
- Mail transaction failed. Partial message is available.
Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)

The icon used by the file tries to make it appear as if the attachment is a text file.

When this file is run it copies itself to the local system with the following filenames:
- c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
- %SysDir%\taskmon.exe
(Where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It also uses a DLL that it creates in the Windows System directory:
- %SysDir%\shimgapi.dll (4,096 bytes)

It creates the following registry entry to hook Windows startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe

The worm opens a connection on TCP port 3127, suggesting remote access capabilities.

AVERT is currently analyzing this threat. Details will be posted as they are available.
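The following is an added example, not part of the AVERT advisory, showing how a responder could turn the indicators listed above into a host check and a mail-gateway attachment check. The file paths, the Run value, the attachment extensions and sizes, and TCP port 3127 are the ones the advisory states; the HostSnapshot structure, the function names, and the sample host data are this example's own constructions. On a real host the snapshot would be filled from a file inventory, an export of the Run key, and a listing of listening sockets.

```python
"""
Added example (not from the advisory): match the advisory's host and mail
indicators against constructed data. %SysDir% stands for the Windows System
directory and is expanded per host before comparison.
"""
from dataclasses import dataclass, field

# Indicators taken from the advisory text.
DROPPED_FILES = [
    r"c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr",
    r"%SysDir%\taskmon.exe",
    r"%SysDir%\shimgapi.dll",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "TaskMon"
RUN_VALUE_DATA = r"%SysDir%\taskmon.exe"
BACKDOOR_PORT = 3127
ATTACHMENT_EXTENSIONS = (".exe", ".pif", ".cmd", ".scr")
ATTACHMENT_SIZE = 22528  # bytes, as stated in the advisory


@dataclass
class HostSnapshot:
    """Hypothetical inventory of one host (structure is this example's own)."""
    system_dir: str                                   # e.g. C:\WINDOWS\SYSTEM
    files: list = field(default_factory=list)         # full paths present on disk
    run_values: dict = field(default_factory=dict)    # {value name: data} under the Run key
    listening_tcp: set = field(default_factory=set)   # TCP ports in LISTEN state


def expand(path: str, system_dir: str) -> str:
    """Substitute %SysDir% and lower-case, since Windows paths are case-insensitive."""
    return path.replace("%SysDir%", system_dir).lower()


def check_host(snap: HostSnapshot) -> list:
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    present = {p.lower() for p in snap.files}
    for ioc in DROPPED_FILES:
        if expand(ioc, snap.system_dir) in present:
            findings.append(f"file present: {ioc}")
    data = snap.run_values.get(RUN_VALUE_NAME)
    if data is not None and data.lower() == expand(RUN_VALUE_DATA, snap.system_dir):
        findings.append(f"startup hook: {RUN_KEY} {RUN_VALUE_NAME} = {data}")
    if BACKDOOR_PORT in snap.listening_tcp:
        findings.append(f"tcp/{BACKDOOR_PORT} listening")
    return findings


def suspicious_attachment(name: str, size: int) -> bool:
    """Mail-gateway side: flag an attachment matching the advisory's description.
    Apply this to each member of a ZIP attachment as well, since the worm often
    arrives inside an archive."""
    return name.lower().endswith(ATTACHMENT_EXTENSIONS) and size == ATTACHMENT_SIZE


# Constructed sample hosts (not real captures).
INFECTED = HostSnapshot(
    system_dir=r"C:\WINDOWS\SYSTEM",
    files=[r"C:\WINDOWS\SYSTEM\taskmon.exe",
           r"C:\WINDOWS\SYSTEM\shimgapi.dll",
           r"C:\WINDOWS\SYSTEM\kernel32.dll"],
    run_values={"TaskMon": r"C:\WINDOWS\SYSTEM\taskmon.exe"},
    listening_tcp={135, 3127},
)
CLEAN = HostSnapshot(
    system_dir=r"C:\WINDOWS\SYSTEM",
    files=[r"C:\WINDOWS\SYSTEM\kernel32.dll"],
    run_values={},
    listening_tcp={135},
)

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, check_host(snap) or "no indicators")
    print("readme.scr flagged:", suspicious_attachment("readme.scr", 22528))
```

The check matches on the expanded, lower-cased path so that hosts with a different System directory (C:\WINNT\SYSTEM32, for instance) are handled; a listening socket on 3127 alone is reported as a finding so that a host where the files were already cleaned up but the process is still running is not missed.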