The worm sends itself as an attachment to an e-mail with the following characteristics:
From address is spoofed with hard-coded addresses and domains.
Subject is one of the following:
Do not reply to this email
Mail Delivery System
Mail Transaction Failed
Body of the message is one of these:
Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Do not visit these sites!!!
You have visited illegal websites.
I have a big list of the websites you surfed.
You think it's funny? You are stupid idiot!!! I'll send the attachment to your ISP and then I'll be watching how you will go to jail, punk!!!
Your credit card was charged for $500 USD. For additional information see the attachment
ESMTP [Secure Mail System #334]: Secure message is attached.
Encrypted message is available.
Delivered message is attached.
Can you confirm it?
Binary message is available.
am shocked about your document!
Are you a spammer? (I found your email on a spammer website!?!)
Bad Gateway: The message has been attached.
Attention! New self-spreading virus!
Be careful, a new self-spreading virus called "RTSW.Smash" spreading very fast via e-mail and P2P networks. It's about two million people infected and it will be more.
To avoid your infection by this virus and to stop it we provide you with full information how to protect yourself against it and also including free remover. Your can find it in the attachment.
p 2004 Networks Associates Technology, Inc. All Rights Reserved
New terms and conditions for credit card holders
Here a new terms and conditions for credit card holders using a credit cards for making purchase in the Internet in the attachment. Please, read it carefully. If you are not agree with new terms and conditions do not use your credit card in the World Wide Web.
The World Bank Group
2004 The World Bank Group, All Rights Reserved
Thank you for registering at WORLDXXXPASS.COM
All your payment info, login and password you can find in the attachment file.
It's a real good choise to go to WORLDXXXPASS.COM
Attention! Your IP was logged by The Internet Fraud Complaint Center
Your IP was logged by The Internet Fraud Complaint Center.
There was a fraud attempt logged by The Internet Fraud Complaint Center from your IP.
This is a serious crime, so all records was sent to the FBI.
All information you can find in the attachment. Your IP was flagged and if there will be anover attemption you will be busted.
This message is brought to you by the Federal Bureau of Investigation and the National White Collar Crime Center
Here is your documents you are requested.
Attached is a file named %name%.%ext% where %name% is one of these:
and %ext% is one of the following: