This mass-mailer was written in Visual C++ 7 and packed with UPX 1.24. It arrives in an e-mail in the following format:

From: [forged e-mail address]

Subject: with an 8% chance the subject line consists of 3 to 17 random letters; otherwise (92% chance) it is one of the following:
- test
- hi
- hello
- Returned Mail
- Confirmation Required
- Confirmation
- Registration Confirmation
- please reply
- please read
- Read this message
- Readme
- Important
- Your account has expired
- Expired account
- Notification
- automatic responder
- automatic notification
- You have 1 day left
- Warning
- Information
- For your information
- For you
- Something for you
- Read it immediately
- Read this
- Read it immediately!
- Your credit card
- Schedule
- Accident
- Attention
- stolen
- news
- recent news
- Wanted
- fake
- unknown
- bug
- forget
- read now!
- Current Status
- Your request is being processed
- Your order is being processed
- Your request was registered
- Your order was registered
- Re: (censored)
- Undeliverable message
- Love is...
- Love is
- Your account is about to be expired
- Your IP was logged
- You use illegal file sharing...
- Thank You very much
- hi, its me
- Approved
- Re: Approved
- Details
- Re: Details
- Thank you
- Re: Thank you
- Announcement
(With a 60% chance the first letter of the chosen text is capitalized; with a 10% chance the entire subject line is capitalized.)

Body: one of the following:
- test
- Details are in the attached document. You need Microsoft Office to open it.
- See the attached file for details
- Please see the attached file for details
- The document was sent in compressed format.
- Check the attached document.
- Everything ok?
- OK
- Okay
- I'm waiting
- Read the details.
- Here is the document.
- I wait for your reply.
- Is that from you?
- Is that yours?
- You are a bad writer
- I have your password :)
- Something about you
- Kill the writer of this document!
- We have received this document from your e-mail.
- Here it is
- See you
- Greetings
- Information about you
- Please, reply
- Reply
- Take it
- You are bad

Attachment: one of the following:
- [name].exe (13% chance);
- [name].zip (34.8% chance);
- [name].{txt, doc, htm, rtf, xls, jpg, gif, png}[40 to 159 spaces].{pif, scr, exe} (52.2% chance); the run of spaces pushes the real, executable extension out of view in most mail clients, so the attachment appears to be a document or image.

In 12% of cases, [name] is made up of 3 to 7 random characters; in the other 88% of cases, it is one of the following:
msg, doc, document, readme, text, file, data, test, message, body, details, creditcard, attachment, stuff, me, post, posting, textfile, info, information, note, notes, product, bill, check, ps, money, about, story, mail, list, joke, jokes, friend, site, website, object, mail2, part1, part4, part2, part3, misc, disc, paypal, approved, details, your_document, image, resume, photo

When first run, the virus creates a "Shell" entry under HKLM\Software\Microsoft\Windows\CurrentVersion (or the same path under HKCU); this entry is checked on later runs to see whether the virus is already installed. It then starts a thread. In 70% of cases, this thread displays one of the following messages:
- File is corrupted.
- File cannot be opened.
- Unable to open specified file.
In the other 30% of cases, it creates a temporary file named "Mail", "Body", "Text" or "Data", fills it with random rows of text and opens it with Notepad; when the user closes Notepad, the temporary file is deleted. Either way the user sees something that looks like a failed or harmless document open, which covers the installation.

A mutex called "jmydoat[computer name]mtx" is used to avoid running multiple copies of the virus. It drops and executes a DLL with a name of 4 to 8 random letters in the system folder (or in the folder for temporary files). 
This DLL has the following functionality:
- on Win9x systems, it calls the RegisterServiceProcess function to hide the process from the task list;
- it opens a backdoor server on port 1080; a connecting user can send an executable file that the backdoor saves and runs, and can also order the infected machine to connect to a specified host and port and await commands on that connection (a reverse connection, which gets through firewalls that only block inbound traffic);
- it terminates processes whose names contain any of the following substrings: "reged", "taskmo", "taskmg", "avp.", "avp32", "norton", "navapw", "navw3"
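The attachment naming scheme is the cheapest thing to block at a mail gateway: a run of spaces between a decoy extension and a second, executable extension never occurs in legitimate attachment names. The following is an added example, not code from the original description or from MicroWorld. It is a Python classifier for attachment file names that recognizes the three forms listed above (bare executable, .zip, and decoy extension plus 40 to 159 spaces plus executable extension), reports the pad length, and flags any space-padded double extension regardless of whether the padding falls in the range this sample uses. The sample file names, the `is_suspicious` rule, and the decision to flag a .zip only when it carries one of the listed lure names are constructed for the example.

```python
"""Classify e-mail attachment names against the naming scheme described above.

Added example (not MicroWorld's code). The lure-name and extension sets are
copied from the description; the sample file names below are constructed.
"""
import re

# Base names the description lists for [name] (88% of attachments).
LURE_NAMES = frozenset("""
msg doc document readme text file data test message body details creditcard
attachment stuff me post posting textfile info information note notes product
bill check ps money about story mail list joke jokes friend site website object
mail2 part1 part4 part2 part3 misc disc paypal approved your_document
image resume photo
""".split())

# Decoy extensions and the executable extensions that follow the padding.
DECOY_EXTS = frozenset({"txt", "doc", "htm", "rtf", "xls", "jpg", "gif", "png"})
EXEC_EXTS = frozenset({"pif", "scr", "exe"})

# "[name].[decoy extension][run of whitespace].[real extension]"
PADDED = re.compile(
    r"^(?P<name>[^.]+)\.(?P<decoy>[A-Za-z0-9]+)(?P<pad>\s+)\.(?P<real>[A-Za-z]+)$"
)
# "[name].[single extension]"
SIMPLE = re.compile(r"^(?P<name>[^.]+)\.(?P<ext>[A-Za-z0-9]+)$")


def classify_attachment(filename: str) -> dict:
    """Return a verdict dict for one attachment file name.

    'kind' is one of: padded_double_extension, executable, archive, other.
    For padded names, 'pad' is the number of whitespace characters between
    the two extensions; the sample uses 40 to 159 spaces, but any padding
    at all is reported because the trick works with fewer spaces too.
    """
    m = PADDED.match(filename)
    if m:
        decoy = m.group("decoy").lower()
        real = m.group("real").lower()
        pad = len(m.group("pad"))
        return {
            "kind": "padded_double_extension" if real in EXEC_EXTS else "other",
            "name": m.group("name"),
            "decoy_ext": decoy,
            "real_ext": real,
            "pad": pad,
            "pad_in_sample_range": 40 <= pad <= 159,
            "decoy_known": decoy in DECOY_EXTS,
            "lure_name": m.group("name").lower() in LURE_NAMES,
        }
    m = SIMPLE.match(filename)
    if not m:
        return {"kind": "other", "name": filename, "lure_name": False}
    ext = m.group("ext").lower()
    if ext in EXEC_EXTS:
        kind = "executable"
    elif ext == "zip":
        kind = "archive"
    else:
        kind = "other"
    return {
        "kind": kind,
        "name": m.group("name"),
        "real_ext": ext,
        "lure_name": m.group("name").lower() in LURE_NAMES,
    }


def is_suspicious(verdict: dict) -> bool:
    """Gateway rule (constructed for this example): block every padded double
    extension and every bare executable; block a .zip only when its base name
    is one of the lure names, since a plain .zip is otherwise indistinguishable
    from legitimate mail."""
    kind = verdict["kind"]
    if kind in ("padded_double_extension", "executable"):
        return True
    return kind == "archive" and verdict["lure_name"]


def scan(filenames):
    """Return the subset of file names the rule would block, in input order."""
    return [f for f in filenames if is_suspicious(classify_attachment(f))]


# Constructed sample attachment names (not captured from real mail).
SAMPLE = [
    "readme.txt" + " " * 80 + ".scr",   # the padded double extension form
    "document.exe",                     # bare executable with a lure name
    "xqz.zip",                          # .zip with a random-looking name
    "paypal.zip",                       # .zip with a lure name
    "quarterly-report.pdf",             # ordinary attachment
    "photo.jpg" + " " * 12 + ".pif",    # padding shorter than the sample's range
]

if __name__ == "__main__":
    for name in SAMPLE:
        print(repr(name[:24]), classify_attachment(name))
    print("blocked:", [n[:24] for n in scan(SAMPLE)])
```

The regular expression matches on the file name alone, so it should be applied to every name source the mail client might display (the MIME `filename` and `name` parameters, and the names inside a .zip once it has been opened); flagging the .zip form by base name is a compromise, and in practice the archive contents should be inspected rather than trusted.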
For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.
You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site.
Alternatively, you can install MicroWorld's Internet Security Suite, which has real-time detection capabilities.
You can download and install the product from our eScan download page.