
Virus Detail

Win32.Mydoom.AU

Date Published:
16 Feb 2005

Last Updated:
14 Jul 2006

Threat Assessment

Overall Risk: Medium
Wild: Medium
Destructiveness: Medium
Pervasiveness: High

Characteristics

Type: Worm

Category: Win32

Also known as: W32/Downloader (Norman), W32/Mydoom!ITW#43 (WildList), Win32/Mydoom.AU!Worm, Win32.Mydoom.AU!ZIP, W32.Mydoom.AX@mm (Symantec), W32/Mydoom.AY@mm (F-Prot), W32/Mydoom.bb@MM (McAfee), WORM_MYDOOM.M (Trend), W32/MyDoom-O (Sophos), Email-Worm.Win32.Mydoom.m (Kaspersky)

Immediate Protection Info

Signature       Product                                        Removal Instructions
23.68.36        eTrust Antivirus v7/8* (InoculateIT Engine)
11.x/8941       eTrust Antivirus v7/8* (Vet Engine)
6.1x/6077       eTrust EZ Antivirus 6.3x
6.2x/8941       eTrust EZ Antivirus 6.4x
6.3x/8941       eTrust EZ Antivirus 7.x
10.5x/6077      Vet Anti-Virus 10.5x
10.6x/8941      Vet Anti-Virus 10.6x

Description

Win32.Mydoom.AU is a mass-mailing worm that spreads via e-mail. It has been distributed as a 25,771-byte, MEW-packed Win32 executable; MEW is a runtime packer, so the strings and code described below are only visible once the sample has been unpacked in memory.


Method of Infection

When executed, Mydoom.AU copies itself to %Windows%\java.exe.

It then sets the following registry entry to ensure that this copy is executed at each Windows startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaVM = "%Windows%\java.exe"

Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default Windows directory is C:\Winnt for Windows NT and 2000, and C:\Windows for Windows 95, 98, ME and XP.

It also drops the file %Windows%\services.exe, which registers itself to ensure it is executed at each Windows startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "%Windows%\services.exe"

Note that the legitimate Windows Service Control Manager binary lives at %Windows%\System32\services.exe. A services.exe directly in the Windows folder, referenced from a Run value, is not normal and should be treated as the dropped component.

Mydoom.AU also creates a mutex to ensure only one copy of the worm runs at a time. The mutex name is generated by combining the affected machine's name with the string "root" repeated multiple times.
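The following Python script is an added example, not part of the CA analysis. It checks exported Run-key data for the two persistence values described above by parsing the plain-text listing that `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` prints on the affected host, and it flags a JavaVM or Services value only when the data points at java.exe or services.exe directly under the Windows folder (not under System32, where the real services.exe lives). The sample listing embedded in the script is constructed for illustration.

```python
import re

# Value names the worm writes under HKLM\...\Run, mapped to the file each must name.
MYDOOM_AU_RUN_VALUES = {"JavaVM": "java.exe", "Services": "services.exe"}

# One value line of `reg query` output looks like:
#     JavaVM    REG_SZ    C:\WINDOWS\java.exe
# Value names may contain spaces, so the name group is non-greedy.
REG_LINE = re.compile(
    r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*?)\s*$"
)


def parse_reg_query(output):
    """Return (value_name, type, data) tuples from reg query text."""
    entries = []
    for line in output.splitlines():
        m = REG_LINE.match(line)
        if m:
            entries.append((m.group("name"), m.group("type"), m.group("data")))
    return entries


def in_windows_root(path):
    """True if `path` names a file directly inside the Windows folder,
    e.g. C:\\WINDOWS\\services.exe, but not C:\\WINDOWS\\System32\\services.exe."""
    parts = path.strip('"').replace("/", "\\").split("\\")
    # Expect exactly <drive>:\<windows dir>\<file>, with the folder named Windows or Winnt.
    return len(parts) == 3 and parts[1].lower() in ("windows", "winnt")


def find_mydoom_au_persistence(reg_query_output):
    """Return the (value_name, data) pairs that match Mydoom.AU's Run entries."""
    hits = []
    for name, _type, data in parse_reg_query(reg_query_output):
        expected_file = MYDOOM_AU_RUN_VALUES.get(name)
        if expected_file is None:
            continue
        file_name = data.strip('"').rsplit("\\", 1)[-1].lower()
        if file_name == expected_file and in_windows_root(data):
            hits.append((name, data))
    return hits


# Constructed sample: a Run key listing from an infected XP host, plus two benign values.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMAX    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMax4.exe /tray
    JavaVM    REG_SZ    C:\WINDOWS\java.exe
    Services    REG_SZ    C:\WINDOWS\services.exe
    Synchronization Manager    REG_SZ    mobsync.exe /logon
"""

if __name__ == "__main__":
    for name, data in find_mydoom_au_persistence(SAMPLE_REG_QUERY):
        print(f"Mydoom.AU persistence value: {name} = {data}")
```

Run the same check against a collected export rather than the live registry when triaging many hosts; the `in_windows_root` test is what separates the dropped services.exe from the legitimate one.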



Method of Distribution

Via E-mail
The worm searches all fixed drives for e-mail addresses in files whose extension begins with one of the following:


.tx*
.wab*
.ph*
.pl*
.sht*
.dbx*
.asp*
.adb*
.tbb*
.ht*


It also uses major search engines (Lycos, AltaVista, Yahoo and Google) to collect e-mail addresses. The number of results to request is chosen at random from 20, 50 or 100. The worm picks one keyword from "contact", "reply", "mail", "mailto", "email" and "e-mail" and combines it with a web page name (collected from the local disk while searching for e-mail addresses) to form the search query. It saves the result page to a temporary file and parses it for e-mail addresses with the same routine it uses for files on the local machine.


It ignores an address if the user name (the part before '@') is exactly one of the following:


info
noone
nobody
nothing
anyone
someone
your
you
me
rating
site
soft
no
foo
help
not
feste
ca
gold-certs
the.bat
page


or if the user name contains one of these sub-strings:


support
ntivi
submit
listserv
bugs
secur
privacycertific
accoun
sample
master
abuse
spam
mailer-d


or if the domain contains one of the following sub-strings:


syma
sarc.
microsoft
msdn.
msn.
hotmail
panda
spersk
yahoo
sophos
example
domain
uslis
update
trend
foo.com
bar.
secur
seclist
gmail
gnu.
google
arin.
ripe.
sourceforge
sf.net
rarsoft
winzip
winrar
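As an added example that is not part of the CA analysis, the Python script below implements the harvesting filter described above: it pulls candidate addresses out of a harvested file or saved search-result page using an assumed address pattern (the page does not reproduce the worm's own parser), then applies the three exclusion lists exactly as printed. The contact page embedded in the script is constructed. Note what the lists accomplish: abuse@, anything containing "master", and security-vendor domains are never mailed, so a sample is unlikely to reach a vendor mailbox directly.

```python
import re

# Exclusion lists copied from the analysis above, exactly as the page prints them.
SKIP_USER_EXACT = {
    "info", "noone", "nobody", "nothing", "anyone", "someone", "your", "you",
    "me", "rating", "site", "soft", "no", "foo", "help", "not", "feste", "ca",
    "gold-certs", "the.bat", "page",
}
SKIP_USER_SUBSTR = (
    "support", "ntivi", "submit", "listserv", "bugs", "secur", "privacycertific",
    "accoun", "sample", "master", "abuse", "spam", "mailer-d",
)
SKIP_DOMAIN_SUBSTR = (
    "syma", "sarc.", "microsoft", "msdn.", "msn.", "hotmail", "panda", "spersk",
    "yahoo", "sophos", "example", "domain", "uslis", "update", "trend", "foo.com",
    "bar.", "secur", "seclist", "gmail", "gnu.", "google", "arin.", "ripe.",
    "sourceforge", "sf.net", "rarsoft", "winzip", "winrar",
)

# Assumed address pattern: the page does not reproduce the worm's own parser.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_addresses(text):
    """Return the distinct candidate addresses found in a harvested file or a
    saved search-engine result page."""
    return sorted({m.group(0) for m in ADDRESS_RE.finditer(text)})


def is_worm_target(address):
    """Apply the three exclusion rules; True means the worm would mail this address."""
    user, _, domain = address.lower().partition("@")
    if user in SKIP_USER_EXACT:
        return False
    if any(s in user for s in SKIP_USER_SUBSTR):
        return False
    if any(s in domain for s in SKIP_DOMAIN_SUBSTR):
        return False
    return True


def select_targets(text):
    """Harvest, then filter: the addresses the worm would actually send to."""
    return [a for a in extract_addresses(text) if is_worm_target(a)]


# Constructed sample resembling a cached HTML contact page found on the local disk.
SAMPLE_PAGE = """
<p>Sales: <a href="mailto:jane.doe@acme-widgets.net">Jane Doe</a></p>
<p>Other contacts: support@acme-widgets.net, abuse@acme-widgets.net,
webmaster@acme-widgets.net, ca@acme-widgets.net, noone@acme-widgets.net</p>
<p>Partner: bob@mail.coolisp.net. Send samples to virus@sophos.com,
or see info@example.com for the template.</p>
"""

if __name__ == "__main__":
    for address in extract_addresses(SAMPLE_PAGE):
        verdict = "SEND" if is_worm_target(address) else "skip"
        print(f"{verdict:4} {address}")
```

Of the nine addresses on the sample page only two survive the filter; the rest are dropped by an exact user-name match (ca, noone, info), a user-name substring (support, abuse, webmaster) or a domain substring (sophos, example).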


The worm arrives attached to an e-mail with a variable Subject and Message Body. The attachment also uses variable names and file extensions.


The Subject line may be randomly generated, or one of the following:


hello
hi
error
status
test
report
delivery failed
Message could not be delivered
Mail System Error - Returned Mail
Delivery reports about your e-mail
Returned mail: see transcript for details
Returned mail: Data format error


The message body may be randomly generated or one of the following:


[The or Your] [message or Message] could not be delivered.


----------


The original message was included as attachment


----------


The original message was received at [(time) or (blank)]
from (sender domain)(random IP address)
     
----- The following addresses had permanent fatal errors -----
(recipient address)


----- Transcript of [the or (blank)] session follows -----
... while talking to [[host or mail or (blank)] server] [(recipient domain). or (random IP address)]:


followed by one or several of the following:


>>> MAIL [From or FROM]:(sender domain)
--
<<<50(random digit) [(sender domain...) or (blank)][Refused or [Access [denied or Denied]]]
--
[User or Domain or Address] [unknown or blacklisted]
--
554 <(recipient domain)>... [Mail quota exceeded or Message is too large]
--
554 <(recipient domain)>... Service unavailable
--
550 5.1.2 <(recipient domain)>... Host unknown (Name server: host not found)
--
554 [5.0.0 or (blank)]Service unavailable; [(random IP address)] blocked using [relays.osirusoft.com or bl.spamcop.net]
[, reason: Blocked or (blank)]
--
Session aborted[, reason: lost connection or (blank)]
--
>>> RCPT To:<(recipient address)>
--
<<<550 [MAILBOX NOT FOUND or 5.1.1 <(recipient address)>... [User unknown or Invalid recipient or Not known here or (blank)]
--
>>> DATA or
--
<<<400-aturner; %MAIL-E-OPENOUT, error opening !AS as output
--
<<<400-aturner; -RMS-E-CRE, ACP file create failed
--
<<<400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded
--
<<<400
--
(blank)


----------


Dear user [(recipient domain) or of (recipient domain)], [[Mail or mail] [system or server] [administrator or administration] of (recipient domain) would like to [inform you that[: or ,]] or let you know [that or the following][. or : or ,] or (blank)]


We have [detected or found or received] reports that [your or Your] [e-mail or email] account [has been or was] used to send a [large or huge] amount of [[unsolicited [ commercial or (blank)] or junk] [e-mail or email or spam][ messages or (blank)] [during this or the [last or recent]] week.
[We suspect that or Probably, or Most likely or Obviously,] your computer [had been or was] [compromised or infected [ by a recent virus or (blank)] and now [runs or contains] a [trojan or trojaned or (blank) or hidden] proxy server.
[Please or We recommend [that you or you to]] follow [our or the or (blank)]instructions or instruction] [in the [attachment or attached [text or file] or (blank)] in order to keep your computer safe.


[[Virtually or Sincerely] yours or Best [wishes or regards or Have a nice day], [(recipient domain) [user or technical or (blank)] support team. or The (recipient domain) [support or (blank)] team.


For example, one of the possible combinations might result in the following message body:


Dear user of (recipient domain),


We have found that your email account was used to send a huge amount of spam messages during this week.
We suspect that your computer had been infected and now contains a hidden proxy server.


We recommend you to follow instruction in order to keep your computer safe.


Best wishes,
The (recipient domain) support team.


----------


[The or This or Your] message was[ undeliverable or not delivered] due to the following [reasons or reason]:


Your message [was not or could not be] delivered because the destination [computer or server] was
[not or un]reachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local configura-
tion parameters.


Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.


Your message [was not or could not be] delivered within (a random digit) days:
[[Mail [server or Server]] or Host] (random IP)) is not responding.


The following recipients [did or could] not receive this message:
<(recipient address)>


Please reply to postmaster@[(sender domain) or (recipient domain)]
if you feel this message to be in error.


----------


The Attachment file name may be randomly generated, or one of the following:


readme
instruction
transcript
mail
letter
file
text
attachment
document
message


with one of these extensions:


cmd
bat
com
exe
pif
scr


The attachment name may also be the e-mail address of the recipient.


The attachment may also be delivered inside a ZIP archive, and may carry a "double extension": a decoy extension of "doc", "txt", "htm" or "html", followed by many spaces and then the real executable extension, so that the true extension is pushed out of view in mail clients that truncate long file names.
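The following Python script is an added example, not part of the CA analysis. It turns the subject list, attachment base names, executable extensions and the space-padded double-extension trick described above into a mail-gateway style check: given a message's subject, the attachment names as seen (the outer name and, for a ZIP, the member names the caller has listed) and the recipient address, it returns the reasons the message matches Mydoom.AU's naming. The sample messages are constructed.

```python
import re

# Fixed subject lines and attachment name parts from the analysis above.
WORM_SUBJECTS = {s.lower() for s in (
    "hello", "hi", "error", "status", "test", "report", "delivery failed",
    "Message could not be delivered", "Mail System Error - Returned Mail",
    "Delivery reports about your e-mail",
    "Returned mail: see transcript for details",
    "Returned mail: Data format error",
)}
WORM_BASE_NAMES = {"readme", "instruction", "transcript", "mail", "letter",
                   "file", "text", "attachment", "document", "message"}
EXEC_EXTS = {"cmd", "bat", "com", "exe", "pif", "scr"}

# "transcript.txt<many spaces>.scr": decoy extension, space padding, real extension.
DOUBLE_EXT_RE = re.compile(
    r"^(?P<base>.+?)\.(?P<decoy>doc|txt|htm|html)\s+\.(?P<real>cmd|bat|com|exe|pif|scr)$"
)


def attachment_indicators(name, recipient=None):
    """Return the reasons an attachment file name matches Mydoom.AU's naming scheme.
    An executable extension on its own is reported as a weak, generic indicator."""
    reasons = []
    lowered = name.lower()
    m = DOUBLE_EXT_RE.match(lowered)
    if m:
        base, ext = m.group("base"), m.group("real")
        reasons.append(f"decoy .{m.group('decoy')} extension padded with spaces before .{ext}")
    else:
        base, _, ext = lowered.rpartition(".")
        if ext not in EXEC_EXTS:
            return reasons
    if base in WORM_BASE_NAMES:
        reasons.append(f"executable attachment with worm base name '{base}'")
    if recipient and base == recipient.lower():
        reasons.append("executable attachment named after the recipient address")
    if not reasons:
        reasons.append(f"executable attachment (.{ext})")
    return reasons


def message_indicators(subject, attachment_names, recipient=None):
    """Combine the subject and attachment checks for one message. `attachment_names`
    holds the outer attachment name and, for a ZIP, the archive's member names
    (the caller is expected to have listed them)."""
    reasons = []
    if subject.strip().lower() in WORM_SUBJECTS:
        reasons.append(f"subject '{subject}' is in the worm's fixed subject list")
    for name in attachment_names:
        if name.lower().endswith(".zip"):
            reasons.append(f"ZIP attachment '{name}'; members are checked individually")
            continue
        reasons.extend(attachment_indicators(name, recipient))
    return reasons


# Constructed samples: (subject, attachment names as seen, recipient address).
SAMPLES = [
    ("Returned mail: see transcript for details",
     ["transcript.txt                    .scr"], "jane.doe@acme-widgets.net"),
    ("Mail System Error - Returned Mail",
     ["message.zip", "message.pif"], "jane.doe@acme-widgets.net"),
    ("hello", ["jane.doe@acme-widgets.net.cmd"], "jane.doe@acme-widgets.net"),
    ("Q3 forecast", ["forecast-q3.xls"], "jane.doe@acme-widgets.net"),
]

if __name__ == "__main__":
    for subject, names, rcpt in SAMPLES:
        hits = message_indicators(subject, names, rcpt)
        print(f"{subject!r}: {'; '.join(hits) or 'no Mydoom.AU indicators'}")
```

The subject match alone is weak (short subjects such as "hello" are common), so treat it as corroboration for the attachment checks rather than a verdict on its own; the padded double extension and a base name that equals the recipient's address are the strong signals.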


Please see below for examples of e-mail generated by the worm:

[Sample e-mail screenshots not reproduced]

Payload

Closes Windows
The worm attempts to close any window whose window class name is one of the following (these belong to Microsoft Outlook, the Outlook Express message window and Internet Explorer respectively):


rctrl_renwnd32
ATH_Note
IEFrame


Downloads and Executes Arbitrary Files
Mydoom.AU attempts to download and execute a file from the following domain:


www.aoprojecteden.org


At the time of publication the downloaded file was a Win32.Gavvo trojan variant. Because the file is fetched at run time, what the domain serves can change after publication; treat the domain itself as the indicator and block or monitor requests to it regardless of the current payload.



For additional information:

Mydoom.AU also creates the following registry keys:


HKCU\SOFTWARE\Microsoft\Daemon
HKLM\SOFTWARE\Microsoft\Daemon


Analysis by Scott Molenkamp



CA Global Security Advisor

Current threat condition: Low
Low
Find Threats
Viruses Spyware
Vulnerabilities All

Security Resources

 
 
Page Tools