The worm creates the the directory "WinSecurity" in %WINDIR% and there it creates three copies of itself under the names "services.exe","smss.exe" and "csrss.exe". It also drops the files "socket1.ifo", "socket2.ifo", "socket3.ifo", "mssock1.dli", "mssock2.dli", "mssock3.dli" and "nexttroj.tro" in the same directory.
The files:
socket1.ifo
socket2.ifo
socket3.ifo
are base-64 encoded copies of the worm.
The worm uses the files:
mssock1.dli
mssock2.dli
mssock3.dli
nexttroj.tro
to store harvested e-mailing information.
When first run the worm displays the following error message:
after which it executes the files:
"%WINDIR%\WinSecurity\services.exe"
"%WINDIR%\WinSecurity\smss.exe"
"%WINDIR%\WinSecurity\csrss.exe"
and terminates.
It adds the values:
" Windows"="%WINDIR%\WinSecurity\services.exe"
"_Windows"="%WINDIR%\WinSecurity\services.exe"
to the keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
respectively, so that the worm is executed every time Windows starts.
It then harvests e-mail addresses on available hard drives from files with the following extensions:
pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx
The worm sends itself to the harvested addresses as an e-mail attachment.
| 