When run, the worm copies itself to the Windows System directory with a random name (JFMV.EXE for example) and adds a startup key for this file to the Registry:
The worm also drops a keylogging component as a DLL file with a randomly generated name (ZLQPUPP.DLL for example) into the Windows System folder. The worm also creates two more DLL files in which it stores some encrypted data. The worm creates two randomly named DAT files in the root Windows folder too.
The worm spreads in e-mail messages as an attachment with randomly-generated names and with one or more extensions. Subjects and bodies of infected e-mails are also different. The mass-mailing routine is quite complex.
The worm's messages can contain an IFrame exploit that allows it to run automatically on some computers when an infected e-mail is viewed (for example, with Outlook and IE 5.0 or 5.01). This vulnerability is fixed and a patch for it is available on Microsoft's site:
The worm looks for e-mail addresses in INBOX (the Netscape incoming e-mail database) and in files with the following extensions:
Sometimes the worm picks up e-mail messages from the infected user's database and sends them out with its copy attached. The worm can also place the contents of a random text file from the infected hard drive into the body of an infected message. The worm can send itself in a message with one of the following subjects:
Get 8 FREE issues - no risk!
Your News Alert
$150 FREE Bonus!
New bonus in your cash account
Tools For Your Online Business
Daily Email Reminder
CALL FOR INFORMATION!
25 merchants and rising
My eBay ads
Market Update Report
click on this!
Lost & Found
Get a FREE gift!
I need help about script!!!
Correction of errors
Just a reminder
The worm doesn't send itself to addresses that contain the following strings (to avoid bounces and other unwanted events):
The worm can send itself as an attachment with double extensions. The first extension can be one of the following:
The worm sets the content type of an infected attachment according to the above file types. The content type can be one of the following:
The second extension of an infected attachment can be one of the following:
The worm can also 'borrow' the name of a file on the infected hard drive and add an executable extension to it; for example, it can send itself as AGREEMENT.DOC.PIF. The name of an infected attachment can also contain one of the following strings:
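A mail-gateway check for the two indicators described above (a known subject line, and a double-extension attachment whose declared content type follows the first extension rather than the executable payload), written as an added example and not code from the original description; the executable extensions beyond .PIF, the list of "honest" executable content types and the sample message are assumptions.

```python
from email import policy
from email.parser import BytesParser

# Subject lines quoted in the description above.
KNOWN_SUBJECTS = {
    "Get 8 FREE issues - no risk!", "Your News Alert", "$150 FREE Bonus!",
    "New bonus in your cash account", "Tools For Your Online Business",
    "Daily Email Reminder", "CALL FOR INFORMATION!", "25 merchants and rising",
    "My eBay ads", "Market Update Report", "click on this!", "Lost & Found",
    "Get a FREE gift!", "I need help about script!!!", "Correction of errors",
    "Just a reminder",
}
# The page's example uses .PIF; .EXE and .SCR are assumed additions.
EXEC_EXTS = {"pif", "exe", "scr"}
# Content types that openly declare an executable payload (assumed list).
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload"}

def risky_attachment(filename):
    """True for double-extension names ending in an executable extension,
    e.g. AGREEMENT.DOC.PIF (the page's own example)."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[-1] in EXEC_EXTS

def scan_message(raw):
    """Return a list of findings for one raw RFC 822 message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    if (msg["Subject"] or "").strip() in KNOWN_SUBJECTS:
        findings.append("subject matches a listed worm subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not risky_attachment(name):
            continue
        findings.append(f"double-extension executable attachment: {name}")
        # Declared type follows the first (document) extension, masking the payload.
        if part.get_content_type() not in EXEC_TYPES:
            findings.append(f"declared type {part.get_content_type()} masks executable")
    return findings

# Constructed sample in the described format (not a real capture).
SAMPLE = b"""Subject: Just a reminder
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword; name="AGREEMENT.DOC.PIF"
Content-Disposition: attachment; filename="AGREEMENT.DOC.PIF"

AAAA
--b1--
"""
```

Running `scan_message(SAMPLE)` yields three findings: the subject match, the double-extension name, and the content-type mismatch.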
The worm has local network spreading capabilities. The worm enumerates network resources and tries to locate the \Start Menu\Programs\Startup\ folder on remote systems. If such a path is found, the worm copies itself there with a random name. When the remote system is restarted, the worm's file gets control and infects that system.
The worm continuously looks for and terminates processes with the following names:
The worm uses separate routines for process killing on Windows 9x- and NT-based systems. In most cases the worm effectively disables security and anti-virus software that fails to detect it entering the system.
The worm listens on port 36794 and can provide access to an infected system, and to the network it is connected to, via an internal backdoor component. The backdoor component allows an attacker to access an infected system through a web-based interface. The worm generates HTML pages on the fly when an attacker browses directories on an infected remote computer.
The worm contains several icons in GIF format that it uses to identify the type of remote drives and files. The backdoor component also allows an attacker to browse shared network resources that the infected computer has access to. The worm uses icons to identify network resources as well.
The worm allows an attacker to obtain information about and a degree of control over an infected system: the operating system (if it is Windows-based), fixed and network drives, and the process list (with the ability to kill processes). It can also delete, download, copy and execute files on the host.
The worm has password stealing capabilities. It installs a keylogging component on the system, records keystrokes and saves them into a file. The worm then sends this file to a few e-mail addresses that are stored in encrypted form in the worm's body. The SMTP server names that the worm uses to send the files are also stored in encrypted form in the worm's body.
According to reports, network printers start to print a lot of garbage when the worm infects a network. This may be a side effect of the worm's attempts to infect the network.