This worm spreads via the Internet as an attachment to infected messages. It sends itself to email addresses harvested from the infected machine.
The worm itself is a VBS file approximately 7 KB in size.
Installation
When the worm runs, it displays the following message box:
If the answer is 'Yes', the worm will terminate itself and the payload will not be triggered.
If the answer is 'No', the worm will display the following message box:
Then the worm copies itself as "OXNEY.B.VBS" to the Windows system directory:
C:\WINDOWS\System32\OXNEY.B.VBS
It then registers this file under an autorun key in the system registry:
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SPINX" = "Wscript.exe %System%\OXNEY.B.VBS %"
Propagation via email
The worm sends itself to all email addresses harvested from the victim computer. It looks for email addresses in the MS Outlook Address Book.
Infected messages
Subject:
Fw: I give you again
Body text:
Spidey has give you some password of xxx site (cute) Spidey
Payload
Yeno.b creates the following system registry keys:
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SPINX]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Load-Guard" = "Wscript.exe %Windir%\LGuarg.exe.vbs %"
[HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"GeneralTab" = "1"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title" = "Micosoft Internet Explorer Provided by : Spidey"
"Start Page" = "Spidey.uni.cc"
The worm looks for files with the extensions .htm and .html in drives C, D, and E and infects them by inserting a script to run the following files:
%System%\OXNEY.B.VBS
%Windir%\LGuarg.exe.vbs
The worm also looks for files with the extensions .vbs and .vbe on drives C, D, and E and infects them by adding a copy of its code.
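A triage check for the registry values listed under Installation and Payload, as an added example (not code from the original description). It parses a text registry export and flags those values; going beyond the page, it also flags any Run/RunServices entry that starts a .vbs/.vbe file through wscript/cscript. The function names and the sample export are assumptions made for illustration.

```python
import re

# Indicators from this description: (key suffix, value name, substring of data)
INDICATORS = [
    (r"\currentversion\run", "spinx", "oxney.b.vbs"),
    (r"\currentversion\runservices", "load-guard", "lguarg.exe.vbs"),
    (r"\internet explorer\main", "start page", "spidey.uni.cc"),
    (r"\internet explorer\main", "window title", "provided by : spidey"),
]
AUTORUN_KEYS = (r"\currentversion\run", r"\currentversion\runservices")
SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b.*\.vb[se]\b", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Yield (key, name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_LINE.match(line)):
            # .reg exports escape backslashes and quotes inside strings
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data

def scan(text):
    """Return findings as (reason, key, name, data) tuples."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if any(k.endswith(s) and n == vn and sub in d for s, vn, sub in INDICATORS):
            findings.append(("known-indicator", key, name, data))
        elif k.endswith(AUTORUN_KEYS) and SCRIPT_HOST.search(data):
            findings.append(("script-autorun", key, name, data))
    return findings

# Constructed sample export (not captured from a real machine)
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SPINX"="Wscript.exe C:\\WINDOWS\\System32\\OXNEY.B.VBS %"
"Updater"="C:\\Program Files\\Example\\updater.exe"
"Helper"="wscript.exe C:\\Users\\Public\\helper.vbe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="Spidey.uni.cc"
'''

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Exports saved by regedit are normally UTF-16, so decode the file accordingly before passing its text to scan().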
