Virus Characteristics
This trojan is detected heuristically as New Malware.b by DAT sets older than 4285.
From examination of the program, it can be seen that this is intended to be a mass-mailing virus, however under testing AVERT has been unable to reproduce this behaviour, possibly due to a flaw in the program. We are therefore currently designating it as a trojan rather than a virus.
The file is 252,416 bytes in length and may arrive attached to an E-Mail message.
From examination of the trojan the message may have the following subjects and message bodies:
Subjects
- FW:Messanger tool
- FW:FW:Msg tool very cool
- FW:net send tool
- FW:set send msg tool
Message Body
- Hey check this out it's cool and funny :-)
- Super cool messanger tool, check it out ;)
- nice tool, to send - net send messages
The trojan also contains an embedded DLL file with a length of 73,728 bytes, which is meant to be installed by the trojan, though again this was not observed in testing.
When run, the trojan copies itself to the %SYSTEM% folder on the local system using a randomly generated name (i.e. EOI3QFRP.EXE, O3FZMZPJ.EXE)and creates the registry key
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run\SystemManager=FILENAME.EXE
Where the FILENAME.EXE is the randomly generated name as detailed above.