This trojan is detected heuristically as New Malware.b by DAT sets older than 4285.
Examination of the program shows that it is intended to be a mass-mailing virus; however, under testing AVERT has been unable to reproduce this behaviour, possibly due to a flaw in the program. We are therefore currently designating it as a trojan rather than a virus.
The file is 252,416 bytes in length and may arrive attached to an e-mail message.
From examination of the trojan, the message may have the following subjects and message bodies:
- FW:Messanger tool
- FW:FW:Msg tool very cool
- FW:net send tool
- FW:set send msg tool
- Hey check this out it's cool and funny :-)
- Super cool messanger tool, check it out ;)
- nice tool, to send - net send messages
The trojan also contains an embedded DLL file with a length of 73,728 bytes, which is meant to be installed by the trojan, though again this was not observed in testing.
When run, the trojan copies itself to the %SYSTEM% folder on the local system using a randomly generated name (e.g. EOI3QFRP.EXE, O3FZMZPJ.EXE) and creates the registry key
Where FILENAME.EXE is the randomly generated name as detailed above.
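A triage check built from the indicators in this description, as an added example that is not AVERT's code: it flags files in a system folder that match both the file size and the shape of the sample names, and checks mail text against the listed strings. The name pattern is an assumption inferred from the two sample names, and the function names are hypothetical.

```python
import re
from pathlib import Path

TROJAN_SIZE = 252_416  # bytes, as stated in the description

# Assumption: the samples EOI3QFRP.EXE and O3FZMZPJ.EXE suggest eight
# upper-case letters or digits; the description does not give the alphabet.
RANDOM_NAME = re.compile(r"[A-Z0-9]{8}\.EXE", re.IGNORECASE)

# Subject and body strings from the description, spelled as listed there.
MAIL_STRINGS = [
    "FW:Messanger tool",
    "FW:FW:Msg tool very cool",
    "FW:net send tool",
    "FW:set send msg tool",
    "Hey check this out it's cool and funny :-)",
    "Super cool messanger tool, check it out ;)",
    "nice tool, to send - net send messages",
]


def _norm(text):
    """Lower-case and collapse whitespace so trivial variations still match."""
    return " ".join(text.lower().split())


def mail_matches(text):
    """Return the listed strings that occur in a subject line or body."""
    hay = _norm(text)
    return [s for s in MAIL_STRINGS if _norm(s) in hay]


def triage_system_dir(system_dir):
    """Return sorted names of files matching BOTH the name shape and the size.

    The name shape alone is weak (EXPLORER.EXE also has eight characters),
    so a hit requires the exact byte length as well.
    """
    hits = []
    for entry in Path(system_dir).iterdir():
        try:
            if (entry.is_file() and RANDOM_NAME.fullmatch(entry.name)
                    and entry.stat().st_size == TROJAN_SIZE):
                hits.append(entry.name)
        except OSError:
            continue  # unreadable or locked entry: skip it, keep scanning
    return sorted(hits)
```

A hit is a lead for an up-to-date scan of that file, not a verdict, since the check relies on size and name shape only.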