This worm spreads via the Internet as an attachment to infected messages.
It sends itself to email addresses harvested from the victim machine.
The worm itself is a Windows PE EXE file approximately 30KB in size, packed using MEW. The unpacked file is approximately 168KB in size.
The worm contains a backdoor.
Installation
Once launched, the worm copies itself to the Windows system directory as 'winlogoff.exe'.
It then changes the system registry accordingly:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "Explorer.exe winlogoff.exe"
The worm creates a unique identifier "KiPiSx017ZxQ" in order to flag its presence in the system.
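A check for the Winlogon change described above, as an added example that is not part of the original description: it splits a Shell value into its programs and reports anything other than the Windows default, explorer.exe. The function names and the sample values are assumptions made for this example.

```python
import re
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"  # Windows default Shell value
# A Shell value can list several programs: quoted paths or bare tokens,
# separated by spaces or commas.
TOKEN = re.compile(r'"([^"]*)"|([^\s,]+)')


def unexpected_shell_entries(shell_value):
    """Return every program in a Winlogon Shell value other than explorer.exe.

    Only file names are compared; the location of explorer.exe is not verified.
    """
    extras = []
    for quoted, bare in TOKEN.findall(shell_value):
        path = quoted or bare
        name = re.split(r"[\\/]", path)[-1].lower()
        if name and name != EXPECTED_SHELL:
            extras.append(path)
    return extras


def read_live_shell():
    """Read the Shell value from the local registry (None on non-Windows hosts)."""
    if sys.platform != "win32":
        return None
    import winreg
    # KEY_WOW64_64KEY: read the 64-bit view even from a 32-bit Python.
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0, access) as key:
        return winreg.QueryValueEx(key, "Shell")[0]


if __name__ == "__main__":
    # Constructed sample values; the second is the value given in the description.
    samples = ["explorer.exe", "Explorer.exe winlogoff.exe",
               r'"C:\Windows\explorer.exe",C:\Windows\System32\winlogoff.exe']
    live = read_live_shell()
    for value in samples + ([live] if live is not None else []):
        extras = unexpected_shell_entries(value)
        print(f"{value!r}: {'SUSPICIOUS ' + repr(extras) if extras else 'ok'}")
```

An unquoted path that contains spaces is split into several tokens and reported, so a flagged value should be read by hand before acting on it.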

Propagation via email
The worm harvests email addresses from the MS Outlook address book. The worm establishes a direct connection to the SMTP server to send itself to these addresses.

Infected messages
Message subject (chosen at random from the list below):
Hello Hi love Re:kiss Re:Love
Message body (chosen at random from the list below):
Hello baby,this is me screen! Hello! I love sex, is you? Hello this is me present! Cool screen. Bye. I Love You!:) Your Present! Scrren is me faice:) Bye baby!
Attachment name (chosen at random from the list below):
FACE.SCR
I LOVE YOU.SCR
LOVE.SCR
PRESENT.SCR
SCREEN.SCR

Remote administration
The worm opens TCP port 25 on the victim machine in order to connect to mx1.hotmail.com.

Payload
The worm deletes a range of firewall and antivirus applications from victim machines.
