The worm creates the the directory "ConnectionStatus" and its subdirectory "Microsoft" in %WINDIR% and copies itself there as "services.exe". It also drops the files "concon.www" in the same directory.
"concon.www" contains a list of harvested e-mail addresses it finds on the infected system.
Adds the values:
" WinCheck"="%WINDIR%\ConnectionStatus\Microsoft\services.exe"
"_WinCheck"="%WINDIR%\ConnectionStatus\Microsoft\services.exe"
to the keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
respectively, so that the worm is executed every time Windows starts.
The worm can be sent alone or a dropper for it can be sent. If a dropper is executed then it displays a bogus error message and starts the worm. One of the droppers for the worm displays the error message:
after which it executes the file "%WINDIR%\ConnectionStatus\Microsoft\services.exe" and terminates.
It then harvests e-mail addresses on available hard drives from files with the following extensions:
pmr
phtm
stm
slk
inbox
imb
csv
bak
imh
xhtml
imm
imh
cms
nws
vcf
ctl
dhtm
cgi
pp
ppt
msg
jsp
oft
vbs
uin
ldb
abc
pst
cfg
mdw
mbx
mdx
mda
adp
nab
fdb
vap
dsp
ade
sln
dsw
mde
frm
bas
adr
cls
ini
ldif
log
mdb
xml
wsh
tbb
abx
abd
adb
pl
rtf
mmf
doc
ods
nch
xls
nsf
txt
wab
eml
hlp
mht
nfo
php
asp
shtml
dbx
The worm sends itself to the harvested addresses as an e-mail attachment.
| 