Filesystem
When first run, the worm copies itself to %WINDIR%\system32\smsks.exe and executes it before terminating itself.
It harvests e-mail addresses on all available hard drives, in all files having one of the following extensions:
txt
htm
sht
jsp
cgi
xml
php
asp
dbx
tbb
adb
html
wab
Registry
Adds the value:
"Microsoft Services Manual Contrl"="smsks.exe"
To the keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce]
To make sure it's run at Windows startup.
Creates the key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Services Manual Contrl]
and adds several subkeys and values to it so that the worm is run as service at startup.
Queries the key:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts]
in an attempt to locate a mail server.
Queries the key:
[HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name]
to try to find the user's addressbook.
Mail routine
The worm sends itself as an attachment to an e-mail with the following characteristics:
The worm may spoof the from address.
Attached is a file named %name%.zip containing the file %name%.%dbl_ext%. Where %name% is one the following:
account-details
account-info
account-report
document
email-details
important-details
information
readme
and %dbl_ext% is one of the following extensions:
doc
txt
htm
tmp
followed by lots of blank spaces then followed by one of the following:
.bat
.cmd
.exe
.scr
.pif
The worm avoids sending itself to e-mail addresses containing any of the following substrings in the name field:
root
info
samples
postmaster
webmaster
noone
nobody
nothing
anyone
someone
your
you
bugs
rating
site
contact
soft
somebody
privacy
service
help
not
submit
feste
gold-certs
the.bat
page
admin
icrosoft
support
ntivi
unix
bsd
linux
listserv
certific
google
accoun
spm
fcnz
www
secur
abuse
support
administrator
accounts
mail
service
admin
info
register
webmaster
or containing any of the following substrings in the domain field:
avp
syma
icrosof
msn.
hotmail
panda
sopho
borlan
inpris
example
mydomai
nodomai
ruslis
.gov
gov.
.mil
foo.
berkeley
unix
math
bsd
mit.e
gnu
fsf.
ibm.com
google
kernel
linux
fido
usenet
iana
ietf
rfc-ed
sendmail
arin.
ripe.
isi.e
isc.o
secur
acketst
pgp
tanford.e
utgers.ed
mozilla
Prepends the following strings to the domain name, in an attempt to locate a mail server:
gate.
mail.
mail1.
mx.
mx1.
mxs.
ns.
relay.
smtp.
| 