This new variant contains the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- spoofs the From: address
- harvests target email addresses from the victim machine
- outgoing email message body is either in Hungarian or English
- displays p2p worm behavior
- shuts down security services
The worm can send itself as an attachment in email with any of the following extensions: ZIP, CMD, PIF, BAT or COM.
The worm harvests email addresses from files with the following extensions:
Harvested addresses are stored in five files in the system32 folder using random names and the file extension .DLL. For example:
The worm avoids sending itself to certain email addresses, those containing any of the following strings:
The body of the email sent by the worm is in the form of an MSN Photo Email. Like previous variants, the worm sends itself out in different languages depending on the Top Level Domain (TLD) of the recipient's address. For example, a user with a .COM mail address will receive the English mail body, while someone with a .DE mail address will receive the German body.
Below is an example of an email sent by this worm. The graphic and format of the email in other languages are the same.
The worm copies itself to directories on the C: drive containing one of the following strings:
It copies itself using the below filenames:
The worm also attempts to shut down security services such as firewalls and AV software upon execution.
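One practical triage check for the harvested-address store described above (five randomly named files with a .DLL extension in system32) is to look for .DLL-named files that carry no PE header but hold a list of email addresses. The following is an added example for incident responders, not code from the original page or from any vendor tool; it assumes that a genuine DLL begins with the "MZ" magic bytes and works on a constructed sample directory rather than a live system32.

```python
import os
import re
import tempfile

# Loose address pattern: good enough for triage, not an RFC-complete validator.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def looks_like_address_stash(path, min_addresses=3):
    """True if a .DLL-named file is not a PE image but holds several email addresses.

    Assumption (not stated on the page): a real DLL starts with 'MZ', whereas the
    worm's harvest files are plain text, so a .DLL lacking the header and containing
    a list of addresses is a candidate harvested-address store.
    """
    with open(path, "rb") as f:
        data = f.read(1 << 20)  # the first MiB is plenty for this check
    if data[:2] == b"MZ":
        return False
    return len(set(EMAIL_RE.findall(data))) >= min_addresses


def find_suspicious_dlls(directory):
    """Return the .dll-named files in directory that look like harvested address stores."""
    hits = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if name.lower().endswith(".dll") and os.path.isfile(full):
            if looks_like_address_stash(full):
                hits.append(name)
    return hits


def build_sample_dir():
    """Constructed sample: one legitimate-looking DLL stub, one text file posing as a DLL,
    and an unrelated text file that must not be flagged because of its extension."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "legit.dll"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100)
    with open(os.path.join(d, "xkqzp.dll"), "wb") as f:  # random-looking name, as the page describes
        f.write(b"alice@example.com\r\nbob@example.org\r\ncarol@example.net\r\n")
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"dave@example.com\r\n")
    return d


if __name__ == "__main__":
    print(find_suspicious_dlls(build_sample_dir()))  # ['xkqzp.dll']
```

On a real host, point find_suspicious_dlls at the system32 directory and treat hits as leads to confirm against the file's creation time and the worm's other artifacts, not as proof on their own.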