Method of Infection
When executed, the worm creates a mutex with the name "MS.NETFmwk1.0" to ensure that multiple copies of the worm do not run simultaneously.
It then drops a copy of itself and a DLL to the %System% directory. Both filenames are random strings of alphabetic characters; the executable additionally has '32' appended before its extension, for example:
Akkehs32.exe and Apjffefn.dll
Note: '%System%' is a variable location. The worm determines the location of the current System folder by querying the operating system. The default System directory is C:\Winnt\System32 on Windows NT and 2000, C:\Windows\System on Windows 95, 98 and ME, and C:\Windows\System32 on Windows XP.
The worm adds the following registry values:
HKCR\CLSID\{3845CD5A-6FA0-3E0C-3980-000CD8DE3A31}\InProcServer32\(Default) = "%System%\<dropped DLL name>"
HKCR\CLSID\{3845CD5A-6FA0-3E0C-3980-000CD8DE3A31}\InProcServer32\ThreadingModel = "Apartment"
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\.Net Framework = "{3845CD5A-6FA0-3E0C-3980-000CD8DE3A31}"
Windows Explorer loads every CLSID listed under ShellServiceObjectDelayLoad when the shell starts, so the registry values above cause the dropped DLL to be loaded into Explorer at each logon; the DLL then launches the dropped worm executable, which is how the worm survives a reboot.
When the DLL is loaded it creates its own mutex, "MS.NETFmwk1.1", to ensure that only a single copy of the DLL is active in memory. The DLL's code finishes as soon as it has executed the copy of the worm.
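The persistence mechanism above (a CLSID whose InProcServer32 points at the dropped DLL, referenced from ShellServiceObjectDelayLoad under a name that mimics the .NET Framework) can be audited offline from a registry export. The following is an added example, not code from the original write-up or from any vendor tool: it parses .reg-style text, resolves every ShellServiceObjectDelayLoad CLSID to its InProcServer32 DLL, and flags entries matching the indicators described on this page. The sample export is constructed; the second CLSID and example_sso.dll are placeholders standing in for a legitimate shell service object, and the eight-letter DLL-name check is a weak heuristic derived from the page's single sample name.

```python
import re

# Constructed sample of a registry export (.reg syntax), not taken from a real
# host. The first CLSID and the ".Net Framework" value under
# ShellServiceObjectDelayLoad reproduce the entries described above; the second
# CLSID and example_sso.dll are placeholders standing in for a legitimate entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3845CD5A-6FA0-3E0C-3980-000CD8DE3A31}\InProcServer32]
@="C:\\WINDOWS\\System32\\Apjffefn.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\WINDOWS\\System32\\example_sso.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{11111111-2222-3333-4444-555555555555}"
".Net Framework"="{3845CD5A-6FA0-3E0C-3980-000CD8DE3A31}"
'''

SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\ShellServiceObjectDelayLoad")
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# The dropped DLL name is a run of random letters, e.g. Apjffefn.dll; the page's
# sample is eight letters, so that length is used here as a weak indicator.
RANDOM_DLL_RE = re.compile(r"^[A-Za-z]{8}\.dll$", re.IGNORECASE)
# Value name the worm uses under ShellServiceObjectDelayLoad.
KNOWN_BAD_VALUE_NAMES = {".net framework"}


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}}; '@' is the default value."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2).strip()
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and quotes inside string data.
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_ssodl_loaders(keys):
    """Resolve every ShellServiceObjectDelayLoad CLSID to its InProcServer32 DLL.

    Returns a list of (value_name, clsid, dll_path, indicators); a non-empty
    indicators list marks the entry as suspicious.
    """
    results = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        inproc = keys.get("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32", {})
        dll = inproc.get("@", "")
        basename = dll.rsplit("\\", 1)[-1]
        indicators = []
        if name.strip().lower() in KNOWN_BAD_VALUE_NAMES:
            indicators.append("value name mimics the .NET Framework")
        if RANDOM_DLL_RE.match(basename):
            indicators.append("DLL name is a run of random-looking letters")
        if not dll:
            indicators.append("CLSID has no InProcServer32 (dangling)")
        results.append((name, clsid, dll, indicators))
    return results


def suspicious_entries(text):
    """Return only the SSODL entries with at least one indicator."""
    return [r for r in find_ssodl_loaders(parse_reg(text)) if r[3]]


if __name__ == "__main__":
    for name, clsid, dll, indicators in find_ssodl_loaders(parse_reg(SAMPLE_REG)):
        flag = "SUSPICIOUS" if indicators else "ok"
        print(f"{flag:10} {name!r} -> {clsid} -> {dll or '<unresolved>'}")
        for ind in indicators:
            print(f"           - {ind}")
```

On a live system the same logic applies to the output of `reg export` for the two hives; in practice the strongest check is to compare the ShellServiceObjectDelayLoad value names against a known-good baseline for the Windows version rather than rely on the name heuristics alone.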
Method of Distribution
Via E-mail
The worm utilizes its own SMTP engine and sends itself as an e-mail attachment.
It collects e-mail addresses by parsing files on the infected system with the following extensions:
.cgi
.vcf
.wab
.asc
.nws
.eml
.js
.vb
.pl
.ph
.asp
.shtm
.txt
.htm
E-mails generated by the worm are highly variable and take one of the following forms, each built from many possible combinations. In the templates below, a bracketed group such as [a|b|c] stands for one of the listed alternatives and <...> stands for text the worm generates or takes from the infected system:
Message 1:
Subject:
[Re:][personal pictures|personal images|personal photos|private photos|photography|pic|pix]
Message Body:
[Greetings|Hi|Hello|Good night baby|Hi baby|Good night|Greet|Hail baby], do you remember you spoke something about [My|Your|His|Her|Our|Their] [personal pictures|personal images|personal photos|private photos|photography|pic|pix] in a naked kind?
I have found [such|it|one|<1 to 5 digit random number> pieces], i [don't|do not] know it is pleasant to you whether or not but i have decided to [give|present|give to see|transmit|show|send] it to you [password|pasw|passwd|pass|psw|access|secret|zip secret|magic word|zip word|archive word|package psw|zip access word|zip archive pasw|unlock code|code|unlock pass|guard code|access code][<sequence of up to 15 randomly generated alphanumeric characters>].
As you will decide to [go to concert|go to cinema|have a rest|go to restaurant|go to cafe|go to movie|chat|meet] with me, call.
[<local e-mail account user name>]
Message 2:
Subject:
[prono|mega porno|cyber porno|hardcore porno|mega hardcore porno|softcore porno|sadomaso] art.
Message Body:
[Good evening|Good day|Hello|Hi|Good afternoon|Dear|Good night|Greets|Greetings] [Valery|Vanessa|Julia|Clare|Kate|Maria|Darcy|Tory|Jane|Monica|Ann|Sarah|Susan|Gloria],
[Three hour ago|Too hour ago|One hour ago|One day ago|# hours and ## minutes ago|# hours ago|# days ago|Yesterday|Today] i have found [one thousand|two thousand|one million|dump of|heap of|<1-5 digit number>|three thousand|hundred|two hundred|three hundred] [prono|mega porno|cyber porno|hardcore porno|mega hardcore porno|softcore porno|sadomaso] [pictures|images|pix|pixxx|pics|photographys|photos] on the [brother`s|sister`s|cousin`s|friend`s|bro`s|boss|chief`s|partner`s|work|home|school|mr. John`s|mr. Fred`s|mr. Jack`s|mr. Smith`s|mr. Brown`s|Jacky`s] computer,
you [know|introduce]? And as you the [judge|amateur] of [their|similar] art I have decided to
[send|show|email|mail|transmit|give to see|present|give|bring] [a part|one of thees|it|<1 digit number> pieces|<1 digit number> photos|<2 digit number> pictures|<1 digit number> jpegs|a little bit of thees] to you [ :-)) | :) | :-P~ | ,) | :)~ | %) | :-] | %-] | '-) | ,-) | %-) | :-} | :*) | X-) | -:) ][Enjoy|Bye|Bye bye|Hasta la vista|CU|CUL|See you|See you online|Bb|Good bye|See ya],[access code|guard code|unlock pass|code|unlock code|zip archive pasw|zip access word|package psw|archive word|zip word|magic word|zip secret|secret|psw|pass|passwd|pasw][is:]<sequence of up to 15 randomly generated alphanumeric characters> <local e-mail account user name>.
Message 3:
Subject:
[My|Your|His|Her|Our|Their] [U.S. Bank|HSBC Bank|National Westminster Bank|Lloyds Bank|Citizens Trust Bank|1st Choice Bank|Amarillo National Bank|Bank of America|Bank of Boston|Bergen Commercial Bank|California Federal Bank|Dollar Bank|First American National Bank|First Bank of Texas|Great Falls Bank|Humboldt Bank|Intrust Bank|Kansas State Bank|Landmark Bank|Mainland Bank|PNC Bank|Premier Bank|RCB Bank|Republic Bank|Riggs Bank|River City Bank|Schwertner State Bank|State Central Bank|U.S. Bancorp|West Coast Bank|Wilson Bank|KeyBank|State Bank and Trust|Texas National Bank|Wilber National Bank|PayPal|eBay] [suspended|disabled|blocked|freezed|locked|stopped|inactivated|unactivated|temporarily closed|deactivated]
Message Body:
[Mister|Sir|Dear client|Dear sir|Dear customer|Good day|Hello], [My|Your|His|Her|Our|Their] [U.S. Bank|HSBC Bank|National Westminster Bank|Lloyds Bank|Citizens Trust Bank|1st Choice Bank|Amarillo National Bank|Bank of America|Bank of Boston|Bergen Commercial Bank|California Federal Bank|Dollar Bank|First American National Bank|First Bank of Texas|Great Falls Bank|Humboldt Bank|Intrust Bank|Kansas State Bank|Landmark Bank|Mainland Bank|PNC Bank|Premier Bank|RCB Bank|Republic Bank|Riggs Bank|River City Bank|Schwertner State Bank|State Central Bank|U.S. Bancorp|West Coast Bank|Wilson Bank|KeyBank|State Bank and Trust|Texas National Bank|Wilber National Bank|PayPal|eBay] [account|budget|bill|access|login|username|password|credentials|registration data|registration] was [suspended|disabled|blocked|freezed|locked|stopped|inactivated|unactivated|temporarily closed|deactivated].
A fraudulent activity was detected by security, so [administration|operator|security team|antifraud team|admin|system operators|system administrators|sysadmins|sysops|operators team|security administration|security operator] decided to [lock|block|suspend|temporarily close|freeze|inactivate|disable] your [account|budget|bill|access|login|username|password|credentials|registration data|registration].
Please, [contact|email|update your profile and contact|mail|message|msg|look attachment and email|contact by email with|contact by mail with|reply to|answer to] us as soon as possible. [Details|Information|Report|Particulars|Info|Reports|All data|All information|Explanations|Arguments|Descriptions] in [attach|attachment|attached file|file in attach|report|attached report|report file|attached information file|information file|archive|package|zip file|package file|archived file], [password|pasw|passwd|pass|psw|access|secret|zip secret|magic word|zip word|archive word|package psw|zip access word|zip archive pasw|unlock code|code|unlock pass|guard code|access code] [<sequence of up to 15 randomly generated alphanumeric characters>]
[<local e-mail account user name>], [U.S. Bank|HSBC Bank|National Westminster Bank|Lloyds Bank|Citizens Trust Bank|1st Choice Bank|Amarillo National Bank|Bank of America|Bank of Boston|Bergen Commercial Bank|California Federal Bank|Dollar Bank|First American National Bank|First Bank of Texas|Great Falls Bank|Humboldt Bank|Intrust Bank|Kansas State Bank|Landmark Bank|Mainland Bank|PNC Bank|Premier Bank|RCB Bank|Republic Bank|Riggs Bank|River City Bank|Schwertner State Bank|State Central Bank|U.S. Bancorp|West Coast Bank|Wilson Bank|KeyBank|State Bank and Trust|Texas National Bank|Wilber National Bank|PayPal|eBay] security manager.
Message 4:
Subject:
[Update your|New version of|Upgrade your|Renewal your|Receive new ersion of|Take update of|Get upgrade] credit [keepr|application|program|online application|resident program|client program|client application|access program|account program|account application].
Message Body:
[Dear customer|Dear sir|Dear client|Sir|Mister|Good day|Hello], my name is [<local e-mail account user name>], i am from branch of [U.S. Bank|HSBC Bank|National Westminster Bank|Lloyds Bank|Citizens Trust Bank|1st Choice Bank|Amarillo National Bank|Bank of America|Bank of Boston|Bergen Commercial Bank|California Federal Bank|Dollar Bank|First American National Bank|First Bank of Texas|Great Falls Bank|Humboldt Bank|Intrust Bank|Kansas State Bank|Landmark Bank|Mainland Bank|PNC Bank|Premier Bank|RCB Bank|Republic Bank|Riggs Bank|River City Bank|Schwertner State Bank|State Central Bank|U.S. Bancorp|West Coast Bank|Wilson Bank|KeyBank|State Bank and Trust|Texas National Bank|Wilber National Bank|PayPal|eBay].
[Today|Yesterday|# days ago|# hours ago|# hours and ## minutes ago|One day ago|One hour ago|Too hour ago|Three hour ago] [our management|our heads|my manager|our operators|my chief|our administrators|our admins|our system operators|my boss|our managers], has asked me to notify you about that our [company|bank|organization|organisation|branch|firm|programmers|administrators|operators|software department|software managers] has released the new version of credit [keepr|application|program|online application|resident program|client program|client application|access program|account program|account application], unfortunately to send the program from [work|work computer|work pc|work personal computer|work system|work station|workstation|work palce|office|cabinet|office computer] i have not had time therefore i send [file|program|mail|message|msg|update|upgrage|application|resident program|new version|installation pack|setup package|package|new version of package] from home. Information about [keepr|application|program|online application|resident program|client program|client application|access program|account program|account application] inside package.
Don`t forget [password|pasw|passwd|pass|psw|access|secret|zip secret|magic word|zip word|archive word|package psw|zip access word|zip archive pasw|unlock code|code|unlock pass|guard code|access code]<sequence of up to 15 randomly generated alphanumeric characters>.
I am sorry, <local e-mail account user name>.
Possible Attachment names:
#MyPhoto
YouAndI#
MyPhoto#
ItsMe-##
MyImage#
Me-#####
Image###
##-photo
Photo###
Pussy###
Blondes#
Teens-##
Sadomaso
NudeGirl
vibrator
Dildos##
Fucking#
Blowjobs
PornStar
AssFuck#
###adult
Lesbian#
Girls-##
Orgy####
Xxx#.jpg
#Sex.jpg
Porn-###
Image-##
SoftCor#
HardCor#
Porno-##
#HardArt
Art-####
Note: '#' represents a random decimal digit.
The attachment uses one of these names with a .zip, .exe or .scr extension appended; names such as Xxx#.jpg and #Sex.jpg therefore produce a double extension (for example a .jpg name ending in .scr).
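The subject templates and attachment names above are regular enough to be turned into mail-filter rules. The following is an added example written for this page, not code from the original write-up or from any mail product: it compiles the page's [a|b|c] template grammar into regular expressions, treating a single-option group such as [Re:] as optional (an assumption), mapping '#' to one decimal digit and <...> to a short wildcard, and then classifies constructed sample messages by subject and attachment name. Only the subjects of Messages 1 and 2 are listed; the bank-themed subjects of Messages 3 and 4 use the same grammar and can be appended to SUBJECT_TEMPLATES. Body templates whose emoticon options contain a literal ']' are not handled by this simple parser.

```python
import re

# Subject templates copied from Message 1 and Message 2 above; [a|b|c] is one of
# the alternatives, a single-option group such as [Re:] is treated as optional
# (assumption), '#' is one digit and <...> is generated text.
SUBJECT_TEMPLATES = [
    "[Re:][personal pictures|personal images|personal photos|private photos|photography|pic|pix]",
    "[prono|mega porno|cyber porno|hardcore porno|mega hardcore porno|softcore porno|sadomaso] art.",
]
# Attachment base names listed on the page; '#' is one decimal digit.
ATTACHMENT_TEMPLATES = [
    "#MyPhoto", "YouAndI#", "MyPhoto#", "ItsMe-##", "MyImage#", "Me-#####", "Image###",
    "##-photo", "Photo###", "Pussy###", "Blondes#", "Teens-##", "Sadomaso", "NudeGirl",
    "vibrator", "Dildos##", "Fucking#", "Blowjobs", "PornStar", "AssFuck#", "###adult",
    "Lesbian#", "Girls-##", "Orgy####", "Xxx#.jpg", "#Sex.jpg", "Porn-###", "Image-##",
    "SoftCor#", "HardCor#", "Porno-##", "#HardArt", "Art-####",
]
ATTACHMENT_EXTENSIONS = ("zip", "exe", "scr")

GROUP_RE = re.compile(r"\[([^\[\]]*)\]")
PLACEHOLDER_RE = re.compile(r"<[^<>]*>")


def _escape(text):
    """Escape literal text: '#' runs become digit runs, spaces become \\s*."""
    parts = re.split(r"(#+)", text)
    out = []
    for i, part in enumerate(parts):
        if i % 2:                       # odd index = run of '#'
            out.append(r"\d{%d}" % len(part))
        else:
            out.append(r"\s*".join(re.escape(p) for p in part.split(" ")))
    return "".join(out)


def literal_to_regex(text):
    """Escape literal template text; <...> placeholders become a bounded wildcard."""
    pieces, pos = [], 0
    for m in PLACEHOLDER_RE.finditer(text):
        pieces.append(_escape(text[pos:m.start()]))
        pieces.append(r".{1,40}?")
        pos = m.end()
    pieces.append(_escape(text[pos:]))
    return "".join(pieces)


def template_to_regex(template):
    """Turn one page template into a regex fragment."""
    out, pos = [], 0
    for m in GROUP_RE.finditer(template):
        out.append(literal_to_regex(template[pos:m.start()]))
        options = [literal_to_regex(o.strip()) for o in m.group(1).split("|")]
        group = "(?:" + "|".join(options) + ")"
        out.append(group + "?" if len(options) == 1 else group)
        out.append(r"\s*")              # tolerate spacing between groups
        pos = m.end()
    out.append(literal_to_regex(template[pos:]))
    return "".join(out)


SUBJECT_MATCHER = re.compile(
    "^(?:" + "|".join(template_to_regex(t) for t in SUBJECT_TEMPLATES) + r")\s*$",
    re.IGNORECASE)
ATTACHMENT_MATCHER = re.compile(
    "^(?:" + "|".join(template_to_regex(t) for t in ATTACHMENT_TEMPLATES) + r")\."
    + "(?:" + "|".join(ATTACHMENT_EXTENSIONS) + ")$",
    re.IGNORECASE)


def classify(subject, attachment_name):
    """Return (subject_hit, attachment_hit, verdict) for one message."""
    subject_hit = SUBJECT_MATCHER.match(subject.strip()) is not None
    attachment_hit = ATTACHMENT_MATCHER.match(attachment_name.strip()) is not None
    if subject_hit and attachment_hit:
        verdict = "block"
    elif subject_hit or attachment_hit:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return subject_hit, attachment_hit, verdict


# Constructed sample messages, not captured from real traffic.
SAMPLES = [
    ("Re: personal pictures", "MyPhoto3.zip"),
    ("mega hardcore porno art.", "Xxx7.jpg.scr"),
    ("pix", "ItsMe-42.exe"),
    ("Re: private photos", "holiday.jpg"),
    ("Quarterly report", "report.pdf"),
]

if __name__ == "__main__":
    for subject, attachment in SAMPLES:
        print(classify(subject, attachment), subject, attachment)
```

The attachment rule is the more reliable of the two, because the name list is fixed while subjects can be re-ordered; in a real gateway the .exe and .scr cases would normally be blocked outright regardless of name.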
[Screenshots of example e-mails generated by the worm appeared here.]