BlackStorm
New member
W32/Mydoom@MM - High Outbreak
The below quote is from McAfee's website
I just got one about 30 mins ago but luckily McAfee stopped it getting through so it didn't affect me at all
Keep an eye out anyway!
This is a mass-mailing and peer-to-peer file-sharing worm that arrives in an email message as follows:
From: (spoofed email sender)
Subject: (Varies, such as)
Error
Status
Server Report
Mail Transaction Failed
Mail Delivery System
hello
hi
Body: (Varies, such as)
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
The message contains Unicode characters and has been sent as a binary attachment.
Mail transaction failed. Partial message is available.
Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)
examples (common names, but can be random)
doc.bat
document.zip
message.zip
readme.zip
text.pif
hello.cmd
body.scr
test.htm.pif
data.txt.exe
file.scr
The icon used by the file tries to make it appear as if the attachment is a text file:
When this file is run, it copies itself to the WINDOWS SYSTEM directory as taskmon.exe
%SysDir%\taskmon.exe
(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)
It creates the following registry entry to hook Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
The virus uses a DLL that it creates in the Windows System directory:
%SysDir%\shimgapi.dll (4,096 bytes)
This DLL is injected into the EXPLORER.EXE upon reboot via this registry key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll
Peer To Peer Propagation
The worm copies itself to the KaZaa Shared Directory with the following filenames:
nuke2004
office_crack
rootkitXP
strip-girl-2.0bdcom_patches
activation_crack
icq2004-final
winamp
Remote Access Component
The worm (this functionality is in the dropped DLL) opens a connection on TCP port 3127. If that fails it opens the next available port up to port 3198. Such behaviour suggests remote access capabilities.
Denial of Service Payload
On the first system startup on February 1st or later, the worm changes its behavior from mass mailing to initiating a denial of service attack against the sco.com domain. This denial of service attack will stop on the first system startup of February 12th or later, and thereafter the worm's only behavior is to continue listening on TCP port 3127.
Indications of Infection
Upon executing the virus, Notepad is opened, filled with nonsense characters.
Existence of the files and registry entry listed above
Method of Infection
This worm tries to spread via email and by copying itself to the shared directory for Kazaa clients if they are present.
The mailing component harvests addresses from the local system. Files with the following extensions are targeted:
wab
adb
tbb
dbx
asp
php
sht
htm
txt
Additionally, the worm contains strings, which it uses to randomly generate, or guess, addresses. These are prepended as user names to harvested domain names:
sandra
linda
julie
jimmy
jerry
helen
debby
claudia
brenda
anna
alice
brent
adam
ted
fred
jack
bill
stan
smith
steve
matt
dave
dan
joe
jane
bob
robert
peter
tom
ray
mary
serg
brian
jim
maria
leo
jose
andrew
sam
george
david
kevin
mike
james
michael
john
alex
Finally the virus sends itself via SMTP. The worm guesses the recipient email server, prepending the target domain name with the following strings:
mx.
mail.
smtp.
mx1.
mxs.
mail1.
relay.
ns.
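A defender-side check for the indicators the quoted advisory lists, added here as an example; it is not code from the original post or from McAfee. It assumes Python 3 with only the standard library. The first function parses an e-mail with the `email` module and scores it against the lure traits quoted above (subject lines, body phrases, executable or double-extension attachments, the ZIP wrapper, the 22,528-byte size); the second compares a host snapshot (system-directory file names, registry values, listening TCP ports) against the persistence indicators. The indicator values are the ones on the page; the sample message, the snapshot and its dictionary layout are constructed assumptions.

```python
"""Defensive checks for the W32/Mydoom@MM indicators quoted in the post.

Added example, not the post's or McAfee's code. The message and the host
snapshot built at the bottom are constructed samples.
"""
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Lure characteristics quoted from the advisory.
SUBJECTS = {"error", "status", "server report", "mail transaction failed",
            "mail delivery system", "hello", "hi"}
BODY_PHRASES = (
    "cannot be represented in 7-bit ascii encoding",
    "contains unicode characters and has been sent as a binary attachment",
    "mail transaction failed. partial message is available",
)
EXEC_EXTS = (".bat", ".exe", ".pif", ".cmd", ".scr")
PAYLOAD_SIZE = 22528  # attachment size reported by the advisory, in bytes

# Host persistence indicators quoted from the advisory.
DROPPED_FILES = ("taskmon.exe", "shimgapi.dll")
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
CLSID_KEY = (r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
             r"\InProcServer32")
BACKDOOR_PORTS = range(3127, 3199)  # 3127 first, then up to 3198


def _suspicious_name(name):
    """Return a reason if a file name matches the worm's attachment style."""
    low = name.lower()
    if not low.endswith(EXEC_EXTS):
        return None
    # test.htm.pif / data.txt.exe: executable behind a document-like extension
    if re.search(r"\.(htm|html|txt|doc)\.[a-z]{3}$", low):
        return f"double-extension executable {name}"
    return f"executable attachment {name}"


def triage_message(raw):
    """Score a raw RFC 822 message; returns the list of matched indicators."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append(f"subject '{subject}'")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits += [f"body phrase '{p}'" for p in BODY_PHRASES if p in text]
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reason = _suspicious_name(name)
        if reason:
            hits.append(reason)
        if len(data) == PAYLOAD_SIZE:
            hits.append(f"attachment size {PAYLOAD_SIZE} bytes")
        if name.lower().endswith(".zip"):  # the advisory: often ZIP-wrapped
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        reason = _suspicious_name(member)
                        if reason:
                            hits.append(f"inside {name}: {reason}")
            except zipfile.BadZipFile:
                hits.append(f"unreadable ZIP attachment {name}")
    return hits


def match_host_indicators(snapshot):
    """Compare a host snapshot dict (assumed layout) with the persistence IoCs."""
    hits = []
    for fname in snapshot.get("system_dir_files", []):
        if fname.lower() in DROPPED_FILES:
            hits.append(f"file {fname} in Windows System directory")
    reg = snapshot.get("registry", {})
    if "taskmon.exe" in reg.get(RUN_KEY, {}).get("TaskMon", "").lower():
        hits.append("Run value TaskMon -> taskmon.exe")
    if "shimgapi.dll" in reg.get(CLSID_KEY, {}).get("(Default)", "").lower():
        hits.append("InProcServer32 redirected to shimgapi.dll")
    hits += [f"listener on TCP {p}" for p in snapshot.get("listening_tcp", [])
             if p in BACKDOOR_PORTS]
    return hits


def sample_message():
    """Constructed lure message (harmless stand-in bytes, not the worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt.exe", b"X" * 64)
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"  # sender is spoofed per advisory
    m["To"] = "user@example.invalid"
    m["Subject"] = "Mail Transaction Failed"
    m.set_content("Mail transaction failed. Partial message is available.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="document.zip")
    return m.as_bytes()


def sample_snapshot():
    """Constructed host snapshot showing every persistence indicator."""
    return {
        "system_dir_files": ["kernel32.dll", "taskmon.exe", "shimgapi.dll"],
        "registry": {
            RUN_KEY: {"TaskMon": r"C:\WINDOWS\SYSTEM\taskmon.exe"},
            CLSID_KEY: {"(Default)": r"C:\WINDOWS\SYSTEM\shimgapi.dll"},
        },
        "listening_tcp": [135, 445, 3127],
    }


if __name__ == "__main__":
    print("mail:", triage_message(sample_message()))
    print("host:", match_host_indicators(sample_snapshot()))
```

The ZIP inspection matters because a gateway rule on attachment extension alone misses the `document.zip` / `message.zip` variants; the Run key and the InProcServer32 CLSID value are the durable host artifacts to look for, since the worm's file names can be changed but its startup hook cannot be omitted.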