Worm.Win32.Drew.a
| Alert Level: | Medium |
| Discovered: | Dec 16 2004 |
| Tag: | Internet Worms |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This worm spreads via the Internet as an attachment to infected messages.
It sends itself to email addresses harvested from the victim machine.
The worm itself is a Windows PE EXE file approximately 30KB in size, packed using MEW. The unpacked file is approximately 168KB in size.
The worm contains a backdoor.
Installation
Once launched, the worm copies itself to the Windows system directory as 'winlogoff.exe'.
It then modifies the system registry so that this copy is started together with the shell:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "Explorer.exe winlogoff.exe"
The worm creates a unique identifier "KiPiSx017ZxQ" in order to flag its presence in the system.
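The following PowerShell check is an added defender-side example, not part of this description: run in an elevated session, it inspects a host for the installation indicators given above (the extra entry in the Winlogon Shell value and the dropped winlogoff.exe). It assumes the "unique identifier" is a named mutex, which the description does not state, and checks both System32 and SysWOW64 because a 32-bit dropper on 64-bit Windows is redirected to the latter.

```powershell
# Added defender-side check, not part of the original Kaspersky entry.
# Looks for the Worm.Win32.Drew.a installation indicators described above.
$winlogonKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedShell = 'explorer.exe'   # the only entry a clean Shell value should carry
$droppedName   = 'winlogoff.exe'  # file name taken from the description
$identifier    = 'KiPiSx017ZxQ'   # assumed to be a named mutex (entry only says "unique identifier")

$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon\Shell is a space-separated list and every entry is started at
#    logon, so anything besides explorer.exe is a persistence hit.
$shellValue = (Get-ItemProperty -Path $winlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shellValue) {
    $extra = ($shellValue -split '\s+') | Where-Object { $_ -and $_ -ine $expectedShell }
    if ($extra) {
        $findings.Add("Shell value '$shellValue' also launches: $($extra -join ', ')")
    }
}

# 2. The copy dropped into the system directory (both 32- and 64-bit locations).
foreach ($dir in @('System32', 'SysWOW64')) {
    $candidate = Join-Path $env:SystemRoot (Join-Path $dir $droppedName)
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $findings.Add("Dropped file present: $candidate")
    }
}

# 3. Presence marker, checked as a named mutex (assumption, see above).
try {
    $m = [System.Threading.Mutex]::OpenExisting($identifier)
    $m.Dispose()
    $findings.Add("Named mutex '$identifier' is present (a process holding it is running)")
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present: nothing to record
}

if ($findings.Count -eq 0) {
    'No Worm.Win32.Drew.a indicators found.'
} else {
    $findings | ForEach-Object { "SUSPICIOUS: $_" }
}
```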
Propagation via email
The worm harvests email addresses from the MS Outlook address book. The worm establishes a direct connection to the SMTP server to send itself to these addresses.
Infected messages
Message subject (chosen at random from the list below):
Hello
Hi
love
Re:kiss
Re:Love
Message body (chosen at random from the list below):
Hello baby,this is me screen!
Hello! I love sex, is you?
Hello this is me present!
Cool screen. Bye.
I Love You!:)
Your Present!
Scrren is me faice:)
Bye baby!
Attachment name (chosen at random from the list below):
FACE.SCR
I LOVE YOU.SCR
LOVE.SCR
PRESENT.SCR
SCREEN.SCR
Remote administration
The worm opens TCP port 25 on the victim machine in order to connect to mx1.hotmail.com.
Payload
The worm deletes a range of firewall and antivirus applications from victim machines.
Removal instructions for Worm.Win32.Drew.a: