My phone is ringing with people in the company getting this as an email attachment.
I have searched McAfee, Nortons, Google and I can't find anything about it.
Are any of you seeing it?
Finally NAI has info on it.
NAI
This is a mass-mailing worm with the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- attachment can be a password-protected zip file, with the password included in the message body.
- contains a remote access component (notification is sent to hacker)
- copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
- uses various mutex names selected from those W32/Netsky variants have used, in order to prevent those W32/Netsky variants running on infected machines
- terminates processes of security programs and other worms
- deletes registry entries of security programs and other worms
Mail Propagation
The details are as follows:
From : (address is spoofed)
Subject :
Re:
Body Text:
>foto3 and MP3
>fotogalary and Music
>fotoinfo
>Lovely animals
>Animals
>Predators
>The snake
>Screen and Music
The worm will add the following body text if the attachment is sent as a password-protected ZIP file.
Password: (random number)
Pass - (random number)
Key - (random number)
Attachment:
MP3
Music_MP3
New_MP3_Player
Cool_MP3
Doll
Garry
Cat
Dog
Fish
The virus copies itself into the Windows System directory as WinXP.exe. For example:
C:\WINNT\SYSTEM32\WinXP.exe
It also creates other files in this directory to perform its functions:
%SysDir% \WinXP.exeopen
%SysDir% \WinXP.exeopen open
%SysDir% \WinXP.exeopen openopen
%SysDir% \WinXP.exeopen openopenopen
The following Registry key is added to hook system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "key" = %SysDir% \WinXP.exe
AVERT is continuing to analyse this threat and will post more information as it is available
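
A mail-gateway check built from the message traits quoted above, added here as an example; it is not part of the original post or of NAI's write-up. The function names and the quarantine rule are assumptions, attachment extensions are not given in the post so only the base name is compared, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment base names and password-line formats as listed in the advisory text.
ATTACHMENT_NAMES = {"mp3", "music_mp3", "new_mp3_player", "cool_mp3",
                    "doll", "garry", "cat", "dog", "fish"}
PASSWORD_LINE = re.compile(r"^\s*(?:Password:|Pass -|Key -)\s*\d+\s*$", re.M)

def score_message(raw):
    """Return which of the advisory's mail indicators a raw message matches."""
    msg = message_from_string(raw)
    hits, body = [], ""
    if (msg.get("Subject") or "").strip().lower() == "re:":
        hits.append("subject")
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            # Extensions are not given in the post, so compare the base name only.
            if PurePosixPath(fname).stem.lower() in ATTACHMENT_NAMES:
                hits.append("attachment-name")
                if fname.lower().endswith(".zip"):
                    hits.append("zip")
        elif part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            body += data.decode(part.get_content_charset() or "ascii", "replace")
    if PASSWORD_LINE.search(body):
        hits.append("password-in-body")
    return hits

def should_quarantine(raw):
    """Assumed policy: a listed attachment name plus a bare 'Re:' subject
    or a password line. 'Re:' alone is too common to act on."""
    hits = score_message(raw)
    return "attachment-name" in hits and (
        "subject" in hits or "password-in-body" in hits)

def build_sample(subject, body, fname):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename=fname)
    return m.as_string()

if __name__ == "__main__":
    print(score_message(build_sample(
        "Re:", ">Lovely animals\nPassword: 48213\n", "Cool_MP3.zip")))
```

Because the From: address is spoofed, the check deliberately ignores the sender and keys only on subject, body and attachment name.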
