Upon first execution the worm copies itself to %SYSDIR%\msctools.exe.
It may create the files %SYSDIR%\cats2.jpg and %SYSDIR%\cats.jpg and use them to store its data, such as harvested e-mail addresses.
Note: %SYSDIR% refers to the System directory. The default path for the respective operating systems is as follows:
- Windows 95/98/Me - C:\Windows\System
- Windows NT/2000 - C:\Winnt\System32
- Windows XP - C:\Windows\System32
It adds the value:
"nsdevice" = "%SYSDIR%\msctools.exe"
to the following registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
to make sure it's executed at startup.
It creates the key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL]
and adds the value:
"mls" = 0
to it as an infection marker.
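The dropped binary, the autostart values and the infection marker described above are the host-side indicators a responder would check for. The following Python is an added example, not part of the original write-up: it evaluates a registry and file snapshot against those indicators, matching key paths and value names case-insensitively as the Windows registry does, and takes the System directory from the three default paths listed above. The snapshot format (a dict of key path to value-name/data pairs plus a list of file paths, as a collection tool might export them) and the sample snapshot itself are assumptions constructed for the example.

```python
"""Host indicator check for the persistence artefacts described in the
write-up. Added example; identifiers (msctools.exe, cats.jpg, cats2.jpg,
the 'nsdevice' value, the URL\\mls marker) come from the write-up, the
snapshot format is an assumption."""
import ntpath

# Default System directory per OS family, as listed in the write-up.
SYSDIR_DEFAULTS = {
    "Windows 95/98/Me": r"C:\Windows\System",
    "Windows NT/2000": r"C:\Winnt\System32",
    "Windows XP": r"C:\Windows\System32",
}

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL"
AUTOSTART_VALUE = "nsdevice"
MARKER_VALUE = "mls"
DROPPED_EXE = "msctools.exe"
DATA_FILES = ("cats.jpg", "cats2.jpg")


def check_host(registry, files, sysdir):
    """Evaluate a registry/file snapshot against the indicators above.

    registry: {key_path: {value_name: data}}, matched case-insensitively
    files:    iterable of full file paths
    sysdir:   the host's System directory
    Returns a list of (severity, description) tuples, highest first.
    """
    reg = {k.lower(): {n.lower(): d for n, d in vals.items()}
           for k, vals in registry.items()}
    sysdir_l = sysdir.rstrip("\\").lower()
    findings = []

    # Persistence: the 'nsdevice' value, or any value whose data points at
    # the dropped binary, in one of the three autostart keys.
    for key in RUN_KEYS:
        for name, data in reg.get(key.lower(), {}).items():
            target = ntpath.basename(str(data).strip('"')).lower()
            if name == AUTOSTART_VALUE or target == DROPPED_EXE:
                findings.append(("high", f"autostart value '{name}' -> {data} in {key}"))

    # Infection marker: value 'mls' under the non-standard URL key.
    if MARKER_VALUE in reg.get(MARKER_KEY.lower(), {}):
        findings.append(("high", f"infection marker '{MARKER_VALUE}' present in {MARKER_KEY}"))

    # Dropped files in the System directory. The .jpg files hold harvested
    # addresses, so they are evidence of activity but are not executable.
    for path in files:
        head, tail = ntpath.split(path)
        if head.rstrip("\\").lower() != sysdir_l:
            continue
        if tail.lower() == DROPPED_EXE:
            findings.append(("high", f"worm binary present: {path}"))
        elif tail.lower() in DATA_FILES:
            findings.append(("medium", f"harvest data file present: {path}"))

    order = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: order[f[0]])
    return findings


# Constructed snapshot of an infected Windows XP host (not real telemetry).
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "nsdevice": r"C:\Windows\System32\msctools.exe",
        "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",   # benign entry
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "NSDevice": r"C:\WINDOWS\system32\msctools.exe",   # different case
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL": {"mls": 0},
}
SAMPLE_FILES = [
    r"C:\Windows\System32\msctools.exe",
    r"C:\Windows\System32\cats.jpg",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\cats2.jpg",   # wrong directory, must not match
]

if __name__ == "__main__":
    for sev, desc in check_host(SAMPLE_REGISTRY, SAMPLE_FILES, SYSDIR_DEFAULTS["Windows XP"]):
        print(f"[{sev}] {desc}")
```

Because the autostart rule also matches on the value data, it still fires when the value name differs from `nsdevice`; the file rule is tied to the System directory, so the same file name elsewhere is ignored.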
It tries to download and execute files from the Internet.
It harvests e-mail addresses from the infected computer and sends itself to these addresses.
The e-mail's content is chosen randomly from one of these templates:
Subject: Soccer fans killed five teens
Body: Soccer fans killed five teens, watch what they make on photos. Please report on this all who know.
Attachment: soccer_fans.jpg.exe
Subject: Crazy soccer fans
Body: Crazy soccer fans killed two teens, watch what they make on photos. Please report on this all who know.
Attachment: soccer_pics.jpg.exe
Subject: Please reply me Tomas
Body: Halo Markus, i sent my nude pics. Please reply me with you nude photos ;). Best regard You Sweet Kitty
Attachment: kelly_nude_imgs.jpg.exe
Subject: My tricks for you
Body: I wait you photos from New York. I sent my pics where i naked for you. Please reply me. Linda Salivan
Attachment: linda_bigtit.gif.exe
Subject: Naked World Cup game set
Body: Nudists are organising their own tribute to the world cup, by staging their own nude soccer game, though it is not clear how the teams will tell each other apart. Good photos ;)
Attachment: soccer_nudist.bmp.exe
Subject: My sister whores, shit i dont know
Body: Emily Carr was an artist known for her prudery, but now the Portrait Gallery of Canada has acquired a nude self-portrait. View photos.
Attachment: emily_selfphoto.jpg.exe
In all cases the attachment is a copy of the worm.
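Every template above carries the worm as an image-named file with a trailing .exe, which is what a mail gateway can key on. The following Python is an added example, not part of the original write-up: it screens a message by its subject and attachment names, matching the exact subjects and attachment names listed above and, more generally, any image-looking name that ends in an executable extension. The message format and the sample messages are constructed for the example; the generic double-extension rule goes beyond the six templates and is my own generalisation.

```python
"""Mail gateway screening for the lures described in the write-up.
Added example; subjects and attachment names come from the write-up,
the message format and the double-extension rule are assumptions."""
import re

# Exact subjects and attachment names from the templates above.
KNOWN_SUBJECTS = {
    "soccer fans killed five teens",
    "crazy soccer fans",
    "please reply me tomas",
    "my tricks for you",
    "naked world cup game set",
    "my sister whores, shit i dont know",
}
KNOWN_ATTACHMENTS = {
    "soccer_fans.jpg.exe", "soccer_pics.jpg.exe", "kelly_nude_imgs.jpg.exe",
    "linda_bigtit.gif.exe", "soccer_nudist.bmp.exe", "emily_selfphoto.jpg.exe",
}
# Generic rule: an image extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|bmp|png)\.(exe|scr|pif|com|bat)$", re.IGNORECASE)


def screen_message(subject, attachments):
    """Return (verdict, reasons) for one message.

    'block'  when an attachment matches a known name or the generic rule,
    'review' when only the subject matches a known lure,
    'pass'   otherwise.
    """
    reasons = []
    if subject.strip().lower() in KNOWN_SUBJECTS:
        reasons.append(f"subject matches known lure: {subject!r}")
    attachment_hit = False
    for name in attachments:
        n = name.strip().lower()
        if n in KNOWN_ATTACHMENTS:
            reasons.append(f"known worm attachment name: {name}")
            attachment_hit = True
        elif DOUBLE_EXT.search(n):
            reasons.append(f"image name ending in an executable extension: {name}")
            attachment_hit = True
    if attachment_hit:
        return "block", reasons
    if reasons:
        return "review", reasons
    return "pass", reasons


def screen_all(messages):
    """Verdict per message, in input order."""
    return [screen_message(m["subject"], m["attachments"])[0] for m in messages]


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"subject": "Crazy soccer fans", "attachments": ["soccer_pics.jpg.exe"]},
    {"subject": "Please reply me Tomas", "attachments": []},
    {"subject": "Holiday pictures", "attachments": ["beach.JPG.exe"]},   # novel name, generic rule
    {"subject": "Minutes from Monday", "attachments": ["minutes.doc", "photo.jpg"]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, why = screen_message(msg["subject"], msg["attachments"])
        print(verdict, msg["subject"], why)
```

A subject-only match is returned as "review" rather than "block" because legitimate replies may quote the same subject line; the attachment rule is what carries the decision.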
The worm avoids sending itself to e-mail addresses containing any of the following substrings:
spam
abuse
root
.mil
.gov
admin
webmaster
support
submit
service
sendmail
secur
samples
ripe.
privacy
postmaster
pgp
panda
page
nothing
not
nodomai
nobody
mydomai
mozilla
linux
kernel
info
inpris
icrosof
ibm.com
help
gov.
google
foo.
aol
fido
example
contact
certific
bug
bsd
borlan
berkeley
avp
anyone
.edu
policy
anti
apache
cops
fbi
webmin
webmist
random
local
echo
anonymous
addres
user
defend
kaspersk
mcafee
microsof
norton
symantec
virus
reply
report
The worm enumerates all running processes and terminates the following if they are found running:
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
iamapp.exe
iamserv.exe
FRW.EXE
blackice.exe
blackd.exe
zonealarm.exe
vsmon.exe
VSHWIN32.EXE
VSECOMR.EXE
WEBSCANX.EXE
AVCONSOL.EXE
VSSTAT.EXE
OUTPOST.EXE
REGEDIT.EXE
NETSTAT.EXE
TASKMGR.EXE
MSCONFIG.EXE
NAVAPW32.EXE
NAVW32.EXE
UPDATE.EXE
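Terminating the security tools and system utilities listed above is a tampering behaviour that endpoint telemetry can expose. The following Python is an added example, not part of the original write-up: it runs over process-termination records and flags any single process that kills two or more of the listed processes within a short window. The record format (timestamp in seconds, image path of the process that issued the termination, name of the process terminated) and the sample records are assumptions constructed for the example; the process names come from the list above.

```python
"""Tamper detection over process-termination records, derived from the
kill list in the write-up. Added example; the record format, threshold
and window are assumptions."""
import ntpath
from collections import defaultdict

# Process names from the termination list above, matched case-insensitively.
TARGET_PROCESSES = {name.lower() for name in (
    "_AVP32.EXE", "_AVPCC.EXE", "_AVPM.EXE", "AVP32.EXE", "AVPCC.EXE", "AVPM.EXE",
    "AVP.EXE", "iamapp.exe", "iamserv.exe", "FRW.EXE", "blackice.exe", "blackd.exe",
    "zonealarm.exe", "vsmon.exe", "VSHWIN32.EXE", "VSECOMR.EXE", "WEBSCANX.EXE",
    "AVCONSOL.EXE", "VSSTAT.EXE", "OUTPOST.EXE", "REGEDIT.EXE", "NETSTAT.EXE",
    "TASKMGR.EXE", "MSCONFIG.EXE", "NAVAPW32.EXE", "NAVW32.EXE", "UPDATE.EXE",
)}


def find_tampering(events, min_kills=2, window=60):
    """events: iterable of (ts_seconds, actor_image_path, target_image_name).

    Returns {actor_basename: [targets]} for every actor that terminated at
    least `min_kills` listed processes within `window` seconds. A single
    kill (an administrator closing one tool) does not trigger an alert.
    """
    kills = defaultdict(list)
    for ts, actor, target in sorted(events):
        if ntpath.basename(target).lower() in TARGET_PROCESSES:
            kills[ntpath.basename(actor).lower()].append((ts, target))

    alerts = {}
    for actor, seq in kills.items():
        # Sliding window over this actor's kills, already in time order.
        for i in range(len(seq)):
            j = i
            while j < len(seq) and seq[j][0] - seq[i][0] <= window:
                j += 1
            if j - i >= min_kills:
                alerts[actor] = [t for _, t in seq[i:j]]
                break
    return alerts


# Constructed termination records (not real telemetry).
SAMPLE_EVENTS = [
    (100, r"C:\Windows\System32\msctools.exe", "AVP32.EXE"),
    (101, r"C:\Windows\System32\msctools.exe", "zonealarm.exe"),
    (103, r"C:\Windows\System32\msctools.exe", "TASKMGR.EXE"),
    (200, r"C:\Windows\explorer.exe", "notepad.exe"),          # not a listed process
    (5000, r"C:\Windows\System32\taskmgr.exe", "avp32.exe"),   # one kill, below threshold
]

if __name__ == "__main__":
    for actor, targets in find_tampering(SAMPLE_EVENTS).items():
        print(f"{actor} terminated {len(targets)} listed processes: {', '.join(targets)}")
```

The threshold and window are deliberately small because the worm kills its targets in one sweep; tune `min_kills` and `window` to the noise level of the environment before relying on the rule.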