DialogueScience, Inc. Virus library
 Virus name:   Win32.HLLM.Beagle.36352 [Beagle.F]  
  Added to Dr.Web virus base

March 01, 2004, at 00:23:32 MSK - weekly add-on to version 4.31

  Aliases:

W32/Bagle.f@MM, W32.Beagle.F@mm, W32/Bagle-F, Win32.Bagle.F, WORM_BAGLE.F, I-Worm.Bagle.f

  Virus type:

mass-mailing worm

  File names used by the virus:

i1ru54n4.exe, go54o.exe, ii5nj4.exe, i1ru54n4.exeopen

  Affected platforms:

Windows 95/98/ME/NT/2000/XP

  Infection signs:

  • presence of the file i1ru54n4.exe in the Windows System folder
  • presence of the following value in the system registry:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "rate.exe" = "%SysDir%\i1ru54n4.exe"
  • antivirus update utilities cannot be started (the worm terminates them, see below)
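The signs above can be checked without waiting for a signature update. The script below is an added example and is not part of the Dr.Web page: it parses a `reg export` dump of the Run key and a directory listing of the System folder and reports the indicators listed above (the registry value, the "frun" marker described later on this page, and the dropped file names). Both inputs are constructed specimens embedded in the code, not captures from an infected host.

```python
import re

# Indicators taken from this page.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "rate.exe"
MARKER_KEY = r"HKEY_CURRENT_USER\Software\winword"
DROPPED_FILES = {"i1ru54n4.exe", "go54o.exe", "ii5nj4.exe", "i1ru54n4.exeopen"}

# Constructed sample of `reg export` output (.reg format); not a real capture.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"rate.exe"="C:\\WINDOWS\\System32\\i1ru54n4.exe"

[HKEY_CURRENT_USER\Software\winword]
"frun"="1"
"""

# Constructed listing of %SystemRoot%\System32 (file names only).
SAMPLE_SYSTEM32_LISTING = ["kernel32.dll", "i1ru54n4.exe", "go54o.exe", "calc.exe"]


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}} for REG_SZ values only."""
    result = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files double the backslashes inside REG_SZ data; undo that.
                result[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return result


def registry_indicators(reg_text):
    """Return the Beagle.F registry indicators present in a .reg export."""
    found = []
    keys = parse_reg_export(reg_text)
    data = keys.get(RUN_KEY, {}).get(RUN_VALUE, "")
    if data.lower().endswith("\\i1ru54n4.exe"):
        found.append(f"{RUN_KEY}\\{RUN_VALUE} -> {data}")
    if keys.get(MARKER_KEY, {}).get("frun") == "1":
        found.append(f"{MARKER_KEY}\\frun = 1")
    return found


def dropped_file_indicators(system_dir_listing):
    """Return the worm's dropped file names that appear in a System folder listing."""
    return sorted(name for name in system_dir_listing if name.lower() in DROPPED_FILES)


if __name__ == "__main__":
    hits = registry_indicators(SAMPLE_REG_EXPORT) + dropped_file_indicators(SAMPLE_SYSTEM32_LISTING)
    for hit in hits:
        print("INDICATOR:", hit)
```

On a real host, `reg export` writes the file as UTF-16 with a byte-order mark, so decode it with `"utf-16"` before passing it to `registry_indicators`. The mutex imain_mutex mentioned below is another sign, but it can only be checked from the running system (for example with OpenMutex), not from an offline dump.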

  Virus description:

Win32.HLLM.Beagle.36352 (Beagle.F) is a mass-mailing worm that runs on Windows 95/98/Me/NT/2000/XP. It spreads by e-mail, sometimes as a password-protected zip archive, and can also spread through the Kazaa and iMesh file-sharing networks. On an infected machine it opens TCP port 2745 as a backdoor, which gives a remote attacker access to the system.

Virus propagation:
Propagation via e-mail

The worm mass-mails itself using its own SMTP engine. It harvests target addresses from files on the infected machine with the following extensions:

       .wab
       .txt
       .htm
       .html
       .dbx
       .mdx
       .eml
       .nch
       .mmf
       .ods
       .cfg
       .asp
       .php
       .pl
       .adb
       .sht
        
It skips addresses that contain any of the following strings:
       @hotmail.com
       @msn.com
       @microsoft
       @avp.
       noreply
       local
       root@
       postmaster@     
A message sent by the worm has the following characteristics:

The sender's address is spoofed by the worm, so the apparent sender is not the owner of the infected machine.

The subject is chosen from the following list:

     ^_^ meay-meay!
     ^_^ mew-mew (-:
     Aline
     Anna
     Audra
     Bad girl
     Barbi
     beautiful
     Caitie
     caroline
     ello! =))
     Fotograf
     Gallery photos
     groom
     Hey, dude, it's me ^_^ :P
     Hey, ya! =))
     Hi! :-)
     Hokki =)
     Jammie
     Juli
     Julie
     kate
     Katrina
     Kelley
     kleopatra
     Lisa
     Mandy
     Mary
     Mary-Anne
     My beautiful person
     My Name is Frenk
     My photoalbum
     My photos
     Myphotos
     Photoalbum
     rebecca
     Rena
     Sara
     stacy
     Tammy
     Wau... beautiful (-:
     Weah, hello! :-)
     Weeeeee! ;)))
          
The message body is one of the following texts:
    Argh, i don't like the plaintext :)
    Fell free to chat with me I accept all ages. Dont worry I dont
    bite........hope to hear from you soon!
    If you are going to make me cry, at least be there to wipe away the tears
    *Right now the worst 
thing for you to tell me that I can find someone better than you, especially when you are all I want You don't know what you've got till it's gone *You hurt me more than I deserve, how can
you be so cruel? I love you more than you deserve, how can I be such a fool? I sit with elders of a gentle race, whose world is seldom seen.Who sit and talk of days for
which they wait, when all will be revealed. These are song lyrics. I'm a social butterfly and a natural flirt. Very hard to get my complete attention. Very open
and will answer almost anything. But please don't piss me off. I can be sweet and cuddly or a whatever mood
I am in that day so everyday Love the outdoors, literature, writing, and athletics When The Trust is Gone So Is The Love That Fades Like the Rain Washing Away All The Sorrows
Of Yesterday Why I Ask Myself Must It End Like This Tomorrow, I Tell Myself, I'll Be Okay For Now, I'll Just Live
In The Memories Of Our Life Together I enjoy clean conversations but am open to conversing with women and men with little ones as well.
I am very open-minded. All authorization requests will be denied if I don't receive messages and get to know you first. I love camping, dirt track racing, going for walks, and I have 2 cats - HotRod and Deebo (named
from the movie 'Friday' and he lives up to it!). Life is ever changing, never always easy... i love to chat to just about anyone!! If I'm online, it problably means I'm pretty bored....so feel free to message me and say hi or
whatever else comes to mind at the moment. Hey people whats goin on? If there is anything you want to know about me ask me...
I am pretty easygoing I won't bite....not at first anywayz hahaa.....one thing I will say on here tho I am not into the Cyber thing so don't even ask.....Ciao... Hi! My name is Shreya and I am a goof off!!! So, If you love the outdoors, travelling, books, music,
movies, laffing, teasing and/or can poke fun at yourself... please come a hollerin'!! I love to dance, read poetry, make people laugh, and hug as many people a day as i can. Single Mom of 3, Full time college student, Graduate in December with an Associates of Applied Science
in Computer Information Systems Love the internet. My hobbies include crochet, sewing, painting lead figures and playing AD&D. Favorite activities include
fishing and camping. I love cats, unicorns(go figure), and fantasy in general. I like to be in a company of smart, delicate, and with a good sense of humor people. I am Bulgarian,
currently getting my Master's in International Business in USA. Favorite actor: Michael Dudikoff i'm tall and skiny I'm studying in Pharm. D program in FL. i like music, movie, dancing, sports,
SCUBA diving, traveling and make a lot friends. Nice friends, nice men, nice sex and feeling great. I don't mind the odd bout of cybersex as I love to use my
imagination when I masterbate. Hey, guys! by the way, I have no problems with my sexual life, so it's absolutly useless try to have icq sex or
things like that. Thanks I'm an open minded person and enjoy chatting w/ other people. I'm free and willing to chat about anything. So feel free
to Imed me if you wanna chat. I love meeting new people and making new friends. I am a Mary Kay Beauty Consultant. I am married to a wonderful
man. We have no children, exept for a minature schnauzer that thinks he is a child. Looking forward to meeting you. I am from Taiwan but I study in Camden, New Jersey now. I like to know people from different places .
If the attached archive is password protected, the message ends with one of the following lines:
     archive password: [password]
     password: [password]
     pass: [password]
     
The attachment has an .exe, .scr or .zip extension; its base name is chosen from the following list:

     Anna
     Audra
     Bad girl
     Barbi
     Caitie
     caroline
     Gallery
     It_I
     Jammie
     Juli
     Julie
     kate
     Katrina
     Katrina
     Kelley
     kleopatra
     Lisa
     Mandy
     Mary
     Mary-Anne
     myfotos
     Photoalbum
     Photomontage
     Picture
     rebecca
     Rena
     Sara
     stacy
     Tammy

The worm's executable carries a folder icon, so that a user who does not see the file extension takes the attachment for something harmless rather than a program.
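The traits above (subject from a fixed list, attachment base name from a fixed list with an .exe/.scr/.zip extension, a trailing "password:" line, and a password-protected zip) are enough for a mail-gateway rule. The code below is an added example, not part of the Dr.Web page or of any Dr.Web product: it triages a raw RFC 822 message for these traits, and detects a password-protected zip without knowing the password by reading the encryption flag in the ZIP local file header, which is stored in the clear. The sample message is constructed inside the code (a hand-built ZIP header with the encryption bit set, and a spoofed sender); the subject and name lists are abbreviated to a few entries from the lists above.

```python
import email
import io
import re
import struct
import zipfile
from email.message import EmailMessage

# A few entries from the lists on this page; extend with the full lists above.
SUBJECTS = {"hey, dude, it's me ^_^ :p", "my photos", "photoalbum", "gallery photos", "hi! :-)"}
ATTACHMENT_NAMES = {"anna", "audra", "gallery", "myfotos", "photoalbum", "picture", "rebecca"}
ATTACHMENT_EXTS = {".exe", ".scr", ".zip"}
PASSWORD_TRAILER = re.compile(r"^\s*(archive password|password|pass):\s*(\S+)\s*$", re.I | re.M)


def zip_has_encrypted_entry(data):
    """True if any local file header in the ZIP has general-purpose flag bit 0 set.
    The flag is in the clear even when the entry contents are encrypted."""
    pos = 0
    while True:
        pos = data.find(b"PK\x03\x04", pos)
        if pos < 0 or pos + 30 > len(data):
            return False
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        if flags & 0x0001:
            return True
        pos += 4


def triage_message(raw):
    """Return the list of Beagle.F mail traits found in a raw message (bytes)."""
    msg = email.message_from_bytes(raw)
    traits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        traits.append(f"subject from worm list: {subject!r}")
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            stem, _, ext = filename.rpartition(".")
            if ("." + ext).lower() in ATTACHMENT_EXTS and stem.lower() in ATTACHMENT_NAMES:
                traits.append(f"attachment name from worm list: {filename}")
            payload = part.get_payload(decode=True) or b""
            if ext.lower() == "zip" and zip_has_encrypted_entry(payload):
                traits.append(f"password-protected zip attachment: {filename}")
        elif part.get_content_type() == "text/plain":
            body += (part.get_payload(decode=True) or b"").decode("latin-1", "replace")
    m = PASSWORD_TRAILER.search(body)
    if m:
        traits.append(f"password trailer in body: {m.group(1)}: {m.group(2)}")
    return traits


def build_sample(encrypted_zip=True):
    """Constructed specimen in the shape described above; not a real Beagle.F message."""
    msg = EmailMessage()
    msg["From"] = "kate@example.org"  # spoofed sender, as the worm does
    msg["To"] = "victim@example.net"
    msg["Subject"] = "My photos"
    msg.set_content("Argh, i don't like the plaintext :)\n\narchive password: 12345\n")
    if encrypted_zip:
        # Hand-built 30-byte local file header with flag bit 0 (encrypted) set; no entry data.
        name = b"Photoalbum.exe"
        header = struct.pack("<HHHHHIIIHH", 20, 1, 0, 0, 0, 0, 0, 0, len(name), 0)
        zip_bytes = b"PK\x03\x04" + header + name
    else:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("Photoalbum.exe", b"MZ")
        zip_bytes = buf.getvalue()
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="Photoalbum.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for trait in triage_message(build_sample()):
        print("TRAIT:", trait)
```

A gateway rule that quarantines a message when two or more of these traits co-occur catches the worm's mail without a signature; the password-protected zip check alone is the most durable trait, since the subject and name lists change between Beagle variants.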

The worm can also propagate across file-sharing networks. It searches the drives of the infected PC for folders whose names contain the string "shar" (this matches, for example, Kazaa's default "My Shared Folder") and copies itself there under the following file names:

     ACDSee 9.exe
     Adobe Photoshop 9 full.exe
     Ahead Nero 7.exe
     Matrix 3 Revolution English Subtitles.exe
     Microsoft Office 2003 Crack, Working!.exe
     Microsoft Office XP working Crack, Keygen.exe
     Microsoft Windows XP, WinXP Crack, working Keygen.exe
     Opera 8 New!.exe
     Porno pics arhive, xxx.exe
     Porno Screensaver.scr
     Porno, sex, oral, anal cool, awesome!!.exe
     Serials.txt.exe
     WinAmp 5 Pro Keygen Crack Update.exe
     WinAmp 6 New!.exe
     Windown Longhorn Beta Leak.exe
     Windows Sourcecode update.doc.exe
     XXX hardcore images.exe
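A sweep for these copies is simple to script. The code below is an added example, not part of the Dr.Web page: it walks a directory tree the same way the worm does (only folders whose name contains "shar"), reports files with the names listed above, and builds a throw-away sample tree in a temporary directory so it runs stand-alone.

```python
import os
import tempfile

# File names the worm uses for its file-sharing copies (the list above, lower-cased).
SHARE_DROP_NAMES = {
    "acdsee 9.exe", "adobe photoshop 9 full.exe", "ahead nero 7.exe",
    "matrix 3 revolution english subtitles.exe", "microsoft office 2003 crack, working!.exe",
    "microsoft office xp working crack, keygen.exe",
    "microsoft windows xp, winxp crack, working keygen.exe", "opera 8 new!.exe",
    "porno pics arhive, xxx.exe", "porno screensaver.scr",
    "porno, sex, oral, anal cool, awesome!!.exe", "serials.txt.exe",
    "winamp 5 pro keygen crack update.exe", "winamp 6 new!.exe",
    "windown longhorn beta leak.exe", "windows sourcecode update.doc.exe",
    "xxx hardcore images.exe",
}


def find_share_drops(root):
    """Return sorted paths of files under `root` that sit in a folder whose name contains
    "shar" and carry one of the worm's file names. Matching is case-insensitive, as on
    Windows file systems."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        for name in filenames:
            if name.lower() in SHARE_DROP_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_sample_tree():
    """Constructed tree: one Kazaa-style share folder and one unrelated folder."""
    root = tempfile.mkdtemp(prefix="beagle_f_demo_")
    share = os.path.join(root, "Kazaa", "My Shared Folder")
    other = os.path.join(root, "Documents")
    os.makedirs(share)
    os.makedirs(other)
    for name in ("WinAmp 6 New!.exe", "Serials.txt.exe", "holiday.jpg"):
        open(os.path.join(share, name), "wb").close()
    # Same name outside a "shar" folder: the worm would not have put it there.
    open(os.path.join(other, "Serials.txt.exe"), "wb").close()
    return root


if __name__ == "__main__":
    for path in find_share_drops(build_sample_tree()):
        print("DROP:", path)
```

Note that with the default "hide extensions for known file types" setting, Windows Explorer shows "Serials.txt.exe" as "Serials.txt" and "Windows Sourcecode update.doc.exe" as a Word document, which is why a scan should compare the full name rather than what is displayed.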
    
     
System infection:
When run, the worm checks the system date and terminates immediately if the date is later than March 25, 2004. To avoid running more than once on the same machine it creates the mutex imain_mutex.

It then copies itself as i1ru54n4.exe to the System folder (C:\Windows\System on Windows 9x/ME, C:\WINNT\System32 on Windows NT/2000, C:\Windows\System32 on Windows XP) and registers that copy in the system registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"rate.exe"="%SysDir%\i1ru54n4.exe"

so that it is started automatically in every Windows session of that user.

It also creates several more files in the same folder:

  • ii5nj4.exe - a dynamically linked library, despite its .exe extension; contains the system-library loading procedure
  • go54o.exe - a dynamically linked library; contains the worm's mass-mailing procedure
  • i1ru54n4.exeopen - a zip archive with the worm's executable module, the one sent out as the mail attachment

Besides, the worm adds the value
    "frun"="1"
to the registry key
    HKEY_CURRENT_USER\Software\winword

    The worm opens TCP port 2745 and listens on it for commands from a remote attacker. The backdoor component also terminates the following antivirus and security update programs if they are running in the infected system:

           ATUPDATER.EXE
           AUPDATE.EXE
           AUTODOWN.EXE
           AUTOTRACE.EXE
           AUTOUPDATE.EXE
           AVLTMAIN.EXE
           AVPUPD.EXE
           AVWUPD32.EXE
           AVXQUAR.EXE
           CFIAUDIT.EXE
           DRWEBUPW.EXE
           ICSSUPPNT.EXE
           ICSUPP95.EXE
           LUALL.EXE
           MCUPDATE.EXE
           NUPGRADE.EXE
           OUTPOST.EXE
           UPDATE.EXE
                 
    The Dr.Web update utility (DRWEBUPW.EXE) is on this list too, which makes it difficult to disinfect the system with up-to-date virus bases. If the updater will not start, delete the registry value created by the worm (see above) and reboot the system; the worm is then no longer started automatically, the updater runs normally, and a full scan with the updated bases removes the dropped files.

    The backdoor component also tries to connect to the following web sites:

                http://postertog.de/scr.php
                http://www.gfotxt.net/scr.php
                http://www.maiklibis.de/scr.php

    It reports the number of the open backdoor port and an ID of the infected machine to these sites, so that the attacker can locate newly infected hosts.
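Both halves of the backdoor leave network traces: a TCP listener on port 2745 on the host, and an outbound HTTP request for scr.php on one of the three hosts above at the proxy. The code below is an added example, not part of the Dr.Web page: it finds the listener in `netstat -an` output and the beacon in Squid-format proxy log lines. Both inputs are constructed samples embedded in the code; in particular the query parameter names `p` and `id` are an assumption, since the page only says that the port number and a machine ID are sent.

```python
import re
from urllib.parse import urlsplit, parse_qs

BACKDOOR_PORT = 2745
BEACON_HOSTS = {"postertog.de", "www.gfotxt.net", "www.maiklibis.de"}

# Constructed `netstat -an` excerpt from a Windows host; not a real capture.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1041      198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed Squid native-format access log lines. The parameter names p= and id= are
# an assumption; only the fact that port and ID are sent comes from the page.
SAMPLE_PROXY_LOG = """\
1078100000.123    210 192.168.1.20 TCP_MISS/200 412 GET http://www.maiklibis.de/scr.php?p=2745&id=3f2a9c - DIRECT/203.0.113.9 text/html
1078100001.456    180 192.168.1.21 TCP_MISS/200 9812 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1078100002.789    205 192.168.1.20 TCP_MISS/200 412 GET http://postertog.de/scr.php?p=2745&id=3f2a9c - DIRECT/203.0.113.11 text/html
"""

# TCP lines in LISTENING state: capture local address and port.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.I | re.M)


def listening_backdoor_ports(netstat_text, port=BACKDOOR_PORT):
    """Return the local addresses on which the backdoor port is listening."""
    return [addr for addr, p in NETSTAT_LINE.findall(netstat_text) if int(p) == port]


def beacon_events(log_text):
    """Return (client, host, query params) for GET requests to scr.php on the beacon hosts.
    Squid native format: time elapsed client action/code size method URL ident hier type."""
    events = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "GET":
            continue
        url = urlsplit(fields[6])
        if url.hostname in BEACON_HOSTS and url.path == "/scr.php":
            events.append((fields[2], url.hostname, parse_qs(url.query)))
    return events


if __name__ == "__main__":
    for addr in listening_backdoor_ports(SAMPLE_NETSTAT):
        print("LISTENER on", addr, "port", BACKDOOR_PORT)
    for client, host, params in beacon_events(SAMPLE_PROXY_LOG):
        print("BEACON from", client, "to", host, params)
```

The proxy check is the more useful one at scale: a single query across the proxy logs for `/scr.php` on these three hosts gives the list of infected clients in the network, and the beaconed port value doubles as confirmation that the listener is up. Blocking the three hosts at the proxy does not remove the backdoor, since the attacker can still reach port 2745 directly if the host is exposed.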


    © 1996-2003, DialogueScience, Inc. antivir@antivir.ru