Creates the directory "ConnectionStatus" in %WINDIR% and copies itself there as "services.exe". It also drops the files "netslot.nst" and "socket.dli" into the same directory.
"netslot.nst" is a Base64-encoded copy of the worm.
Adds the following values:
"WinINet"="%WINDIR%\ConnectionStatus\services.exe"
"_WinINet"="%WINDIR%\ConnectionStatus\services.exe"
To the keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
respectively, so that the worm is executed every time Windows starts.
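The following check is an added example, not part of the original description: it scans registry export text for the Run-key persistence described above. It assumes REG_SZ values in `reg export` format and that the legitimate services.exe lives only in System32; SAMPLE_EXPORT, exe_path and scan_run_keys are hypothetical names, and the sample data is constructed.

```python
import ntpath
import re

# Constructed sample in `reg export` text form (not captured from a real host).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"WinINet"="C:\\WINDOWS\\ConnectionStatus\\services.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"_WinINet"="%WINDIR%\\ConnectionStatus\\services.exe"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /background"
'''
RUN_SUFFIX = r"\microsoft\windows\currentversion\run"
WORM_VALUE_NAMES = {"wininet", "_wininet"}  # value names listed in the description
WORM_DIR = "connectionstatus"               # directory the worm creates in %WINDIR%
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    return re.sub(r"\\(.)", r"\1", text)    # undo \\ and \" escaping of the export

def exe_path(command):
    # Executable part of a Run command line: quoted path, or text up to ".exe".
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.I)
    return m.group(1) if m else command

def scan_run_keys(export_text):
    # Returns (key, value name, executable path, reasons) for each suspicious entry.
    findings, key = [], ""
    for line in export_text.splitlines():
        line = line.strip()
        m = VALUE_RE.match(line)
        if line.startswith("["):
            key = line.strip("[]")
        elif m and key.lower().endswith(RUN_SUFFIX):
            name, path = unescape(m.group(1)), exe_path(unescape(m.group(2)))
            folder, exe = ntpath.split(path.lower())
            reasons = []
            if name.lower() in WORM_VALUE_NAMES:
                reasons.append("value name")
            if ntpath.basename(folder) == WORM_DIR:
                reasons.append("ConnectionStatus directory")
            if exe == "services.exe" and ntpath.basename(folder) != "system32":
                reasons.append("services.exe outside System32")
            if reasons:
                findings.append((key, name, path, reasons))
    return findings
```

A value name match alone is a weak signal; an entry that matches all three reasons corresponds to the persistence described here.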
When first run, the worm displays an error message, after which it executes the file "%WINDIR%\ConnectionStatus\services.exe" and terminates.
Harvests e-mail addresses from files on available hard drives with the following extensions:
pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx
The worm sends itself as an attachment to e-mails with the following characteristics:
The e-mail subject is "Your new Password".
The body of the e-mail contains the following text:
Your password was successfully changed!
Please see the attached file for detailed information.
The attachment is a zip-compressed file named "pword_change.zip". The zip file contains the worm under the filename "PW_Klass.Pic.packed-bitmap.exe".