IDM IncoNet-Data Management

02/02/2006

This is a mass-mailing worm that bears the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • spreads through open network shares
  • tries to lower security settings and disable security software
  • overwrites files on the 3rd of each month

E-mail Component:

The virus arrives in an email message as follows:

From: (Spoofed email sender)

The sender address is spoofed, so do not assume that it indicates the sender is infected. You may also receive alert messages from a mail server stating that you are infected, which may not be the case.

Subject: (Varies, such as)

  • Photos
  • My photos
  • School girl fantasies gone bad
  • Part 1 of 6 Video clipe
  • *Hot Movie*
  • Re:
  • Fw: Picturs
  • Fw: Funny :)
  • Fwd: Photo
  • Fwd: image.jpg
  • Fw: Sexy
  • Fw:
  • Fwd: Crazy illegal Sex!
  • Fw: Real show
  • Fw: SeX.mpg
  • Fw: DSC-00465.jpg
  • Re: Sex Video
  • Word file
  • the file
  • eBook.pdf
  • Miss Lebanon 2006
  • A Great Video
  • give me a kiss

Body:  (Varies, such as)  

  • Note: forwarded message attached.
  • You Must View This Videoclip!
  • >> forwarded message
  • i just any one see my photos.
  • forwarded message attached.
  • Please see the file.
  • ----- forwarded message -----
  • The Best Videoclip Ever
  • Hot XXX Yahoo Groups
  • F***in Kama Sutra pics
  • ready to be F***ED ;)
  • VIDEOS! FREE! (US$ 0,00)
  • It's Free :)
  • hello,
  • i send the file.
  • bye
  • hi
  • i send the details
  • i attached the details.
  • how are you?
  • What?
  • Thank you
  • i send the details.
  • OK ?

(N.B. *** replaces content for filtering purposes)

Attachment:

The file attached to the email may be either the executable itself or a MIME-encoded file that contains the executable.

The executable filename is chosen from the following list:

  • 04.pif
  • 007.pif
  • School.pif
  • photo.pif
  • DSC-00465.Pif
  • Arab sex DSC-00465.jpg
  • image04.pif
  • 677.pif
  • DSC-00465.pIf
  • New_Document_file.pif
  • eBook.PIF
  • document.pif
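
A mail-gateway style check for the attachment names above, as an added example that is not part of the original alert: it flags the listed names and any `.pif` attachment, and re-parses other attachments as MIME in case they wrap the executable. The function names, the `wrapper.dat` filename and the sample message are constructed for illustration, and unwrapping by re-parsing the decoded payload is an assumption about the MIME-encoded variant.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names from the advisory list, compared case-insensitively.
ADVISORY_NAMES = {n.lower() for n in (
    "04.pif", "007.pif", "School.pif", "photo.pif", "DSC-00465.Pif",
    "Arab sex DSC-00465.jpg", "image04.pif", "677.pif",
    "New_Document_file.pif", "eBook.PIF", "document.pif")}

def suspicious_attachments(raw: bytes, depth: int = 0) -> list[str]:
    """Return attachment names that are on the advisory list or end in .pif."""
    hits = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():  # walk() also descends into forwarded messages
        name = part.get_filename()
        if not name:
            continue
        lowered = name.strip().lower()
        if lowered in ADVISORY_NAMES or lowered.endswith(".pif"):
            hits.append(name)
        elif depth < 2:
            # Assumption: a MIME-encoded wrapper can be unwrapped by parsing
            # the decoded attachment as a message; depth is capped.
            payload = part.get_payload(decode=True) or b""
            hits += suspicious_attachments(payload, depth + 1)
    return hits

def build_sample() -> bytes:
    """Constructed message: one wrapped .pif and one direct .PIF attachment."""
    kind = {"maintype": "application", "subtype": "octet-stream"}
    inner = EmailMessage()
    inner.set_content("forwarded message attached.")
    inner.add_attachment(b"constructed bytes", filename="photo.pif", **kind)
    outer = EmailMessage()
    outer["From"] = "spoofed@example.com"
    outer["Subject"] = "Fw: Funny :)"
    outer.set_content("Please see the file.")
    outer.add_attachment(inner.as_bytes(), filename="wrapper.dat", **kind)
    outer.add_attachment(b"constructed bytes", filename="eBook.PIF", **kind)
    return outer.as_bytes()

if __name__ == "__main__":
    print(suspicious_attachments(build_sample()))
```
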

Network Share Component:

The worm will attempt to copy itself to the following shares, using the current user's authentication:

  • C$\documents and settings\all users\start menu\programs\startup\winzip quick pick.exe
  • Admin$\winzip_tmp.exe
  • C$\winzip_tmp.exe

The worm creates scheduled tasks on the remote computer to run winzip_tmp.exe during the 59th minute of every hour. When the 59th minute is reached, the remote computer runs the dropped payload and becomes infected itself.

For additional information, please contact our Support Department by phone at 1282, 24 hours a day, 7 days a week, or by e-mail: support@idm.net.lb

 

 

 © 2010 Inconet Data Management all rights reserved