-- Update August 4, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at::
This mass-mailing virus arrives as an email attachment with the following characteristics:
(spoofed From: header)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.
The from address is constructed by taking a common name carried within the virus body and prepending it to the recipients domain name. (ie. email@example.com)
The common names used are as follows:
(one of the following)
- Delivery Status (Secure)
- failed transaction
- Re: Extended Mail
- Re: hello (Secure-Mail)
- Re: Server Reply
- Secure delivery
- SN: New secure mail
- SN: Server Status
(varies, such as)
:: Automatically Secure Delivery: for email address
:: Mail Delivery Server System: for email address
:: Extended secure mail message available at: email address
:: Secure Mail Server Notification: for email address
:: New mail secure method implement: for email address
- New policy requested by mail server to returned mail
as a secure compiled attachment (Zip).
- Now a new message is available as secure Zip file format.
Due to new policies on clients.
- This message is available as a secure Zip file format
due to a new security policy.
- For security measures this message has been packed as Zip format.
This is a newly added security feature.
- New policy recommends to enclose all messages as Zip format.
Your message is available in this server notice.
- You have received a message that implements secure delivery technology.
Message available as a secure Zip file.
- This message is an automatically server notice
from Administration at domain
- Server Notice: New security feature added. MSG:ID: 455sec86
- New feature added for security reasons
- Automatically server notice:,
Server reply from domain
- New service policy for security added from domain
(one of the following)
Followed by one of the following
When the attachment is manually executed, the virus will run Notepad.
The virus copies itself to the WINDOWS SYSTEM (such as c:\Windows\System32) directory as winlibs.exe
, and creates a registry run key to load itself at system startup:
Additionally, the following registry keys are created:
The virus extracts e-mail addresses from the local system by analyzing files that contain the following extensions:
The virus also queries Yahoo for additional recipient addresses.
Additionally, the virus avoids email addresses containing the following strings: