-- Update Dec 14th 2004 --
The risk assessment of this threat was raised to Medium due to increased prevalence. The 4414 DATs were released early for this threat.
This new variant contains the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- spoofs the From: address
- harvests target email addresses from the victim machine
- outgoing email message body is either in Hungarian or English
- displays p2p worm behaviour
- shuts down security services
The worm can send itself as an attachment in email with any of the following extensions: ZIP, CMD, PIF, BAT or COM.
The worm harvests email addresses from files with the following extensions:
Harvested addresses are stored in five files in the system32 folder using random names and the file extension .DLL. For example:
The worm avoids sending itself to certain email addresses, those containing any of the following strings:
The body of the email sent by the worm are in the form of Christmas greetings. Like previous variants, the worm sends itself out in different languages depending on the Top Level Domain (TLD) of the recipient's address. For example, a user with a .COM mail address, will receive the English mail body, while someone with an .DE Mail address will receive the German body.
Below is an example of an email sent by this worm. The graphic and format of the email in other languages are the same.
The worm copies itself to directories on the C: drive containing one of the following strings:
It copies itself using the below filenames:
- winamp 5.7 new!.exe
- ICQ 2005a new!.exe
In an attempt to thwart manual identification and cleaning of an infected machine, the worm will attempt to render the following processes containing the following strings unavailable:
The worm also attempts to shutdown security services like firewalls, and AV software upon execution.