The first thing the worm does after it has been executed is to copy itself to the Windows directory under the following name:
msccn32.exe
It creates the following registry values so that the worm is executed each time the computer is restarted (%WindowsDir% denotes the Windows directory):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray" = "%WindowsDir%\msccn32.exe"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"System Tray" = "%WindowsDir%\msccn32.exe"
The worm enumerates all network drives and, if either of the following folders exists on a drive, copies itself into it so that it runs at the next logon on any machine using that share:
Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup
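The persistence indicators above translate directly into a host sweep. The following script is an added example and not part of the original analysis: the value name, file name and startup-folder paths are taken from the text, while the matching rules (case-insensitive comparison, stripping of quotes and arguments from the Run value, and matching on the file name rather than a literal path, because %WindowsDir% is only a placeholder for whatever the Windows directory is on a given host) are this example's own assumptions. Registry enumeration needs Windows; the matching helpers are pure and can be used on exported registry data from any platform.

```python
"""Sweep for the worm's autostart entry and startup-folder copies.

Added example, not part of the original write-up. Indicators are taken
from the text; the matching rules are assumptions made here.
"""
import ntpath
import os
import sys

WORM_FILE = "msccn32.exe"
WORM_VALUE_NAME = "System Tray"
RUN_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)
# Relative to the root of each network drive, as listed in the text.
STARTUP_FOLDERS = (
    r"Windows\All Users\Start Menu\Programs\StartUp",
    r"Documents and Settings\All Users\Start Menu\Programs\Startup",
)


def is_worm_run_value(name, data):
    """True if a Run value looks like the worm's autostart entry.

    The value data is a command line, so quotes and any trailing arguments
    are stripped before the executable's base name is compared. Both the
    registry and NTFS are case-insensitive, hence casefold().
    """
    if name.strip().casefold() != WORM_VALUE_NAME.casefold():
        return False
    cmd = data.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split(" ", 1)[0]
    # ntpath, not os.path: the data is a Windows path even if this runs on Linux.
    return ntpath.basename(exe).casefold() == WORM_FILE.casefold()


def worm_drop_paths(drive_root):
    """Full paths the worm would create on a network drive rooted at drive_root."""
    return [ntpath.join(drive_root, folder, WORM_FILE) for folder in STARTUP_FOLDERS]


def scan_run_keys():
    """Enumerate both Run keys on a live Windows host; returns matching entries."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    findings = []
    for hive, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                index += 1
                if isinstance(data, str) and is_worm_run_value(name, data):
                    findings.append(f"[{hive}\\{path}] {name} = {data}")
    return findings


def scan_files(drive_roots):
    """Check the Windows directory and each drive root's startup folders for the file."""
    candidates = []
    windir = os.environ.get("WINDIR")
    if windir:
        candidates.append(ntpath.join(windir, WORM_FILE))
    for root in drive_roots:
        candidates.extend(worm_drop_paths(root))
    return [p for p in candidates if os.path.exists(p)]


if __name__ == "__main__":
    # Drive letters are an assumption; pass the mapped network drives in use.
    for hit in scan_run_keys() + scan_files(["Z:\\"]):
        print("INDICATOR:", hit)
```

Export the Run keys with `reg export` from a host that cannot run Python and feed the name/data pairs to is_worm_run_value() offline; the file check should be run with the same drive mappings the logged-on users have, since the worm only reaches shares that are mapped as drives.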
The worm searches the local drive for files with the following extensions and harvests email addresses from them:
.wab
.dbx
.htm
.html
.eml
.txt
It uses its own SMTP engine to send the emails and composes each message from the following components.
The From field is always:
support@microsoft.com
The subject is chosen from the following list:
Your details
Approved (Ref: 38446-263)
Re: Approved (Ref: 3394-65467)
Your password
Re: My details
Screensaver
Cool screensaver
Re: Movie
Re: My application
The message body is always:
All information is in the attached file.
The attachment name is chosen from the following list (Windows treats .pif files as executables, so opening the attachment runs the worm):
your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif
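The message components above are enough to write a mail-gateway check. The script below is an added example and not part of the original analysis: the sender, subject list, body text and attachment names are copied from the text, and the sample messages are constructed here for the demonstration, not real captures. The scoring rule is this example's own choice: the subjects are generic reply lines, so a subject match alone is reported but not treated as a verdict; the spoofed Microsoft sender, the fixed body sentence and a .pif attachment together are.

```python
"""Classify a raw RFC 822 message against the worm's mail lure.

Added example, not part of the original write-up. Indicator lists are
copied from the text; sample messages are constructed, not captured.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

LURE_FROM = "support@microsoft.com"
LURE_SUBJECTS = {
    "Your details",
    "Approved (Ref: 38446-263)",
    "Re: Approved (Ref: 3394-65467)",
    "Your password",
    "Re: My details",
    "Screensaver",
    "Cool screensaver",
    "Re: Movie",
    "Re: My application",
}
LURE_BODY = "All information is in the attached file."
LURE_ATTACHMENTS = {
    "your_details.pif", "ref-394755.pif", "approved.pif", "password.pif",
    "doc_details.pif", "screen_temp.pif", "screen_doc.pif", "movie28.pif",
    "application.pif",
}


def classify(raw):
    """Return which lure components a message matches plus an overall verdict.

    The verdict requires sender, body and a .pif attachment together; a
    subject hit on its own is informational because those lines are generic.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", "")).strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    names = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    hits = {
        "from": sender == LURE_FROM,
        "subject": subject in LURE_SUBJECTS,
        "body": body == LURE_BODY,
        "known_attachment": any(n in LURE_ATTACHMENTS for n in names),
        "pif_attachment": any(n.endswith(".pif") for n in names),
    }
    hits["verdict"] = bool(hits["from"] and hits["body"] and hits["pif_attachment"])
    return hits


def build_sample():
    """Constructed message that follows the lure; the attachment bytes are a dummy."""
    m = EmailMessage()
    m["From"] = LURE_FROM
    m["To"] = "victim@example.com"
    m["Subject"] = "Re: Approved (Ref: 3394-65467)"
    m.set_content(LURE_BODY)
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="approved.pif")
    return m.as_bytes()


def build_benign():
    """Constructed control message: shares a subject line but nothing else."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = "Re: Movie"
    m.set_content("See you at eight.")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample()), ("benign", build_benign())):
        print(label, classify(raw))
```

Run it against a spool or mbox by feeding each message's bytes to classify(); the per-component flags let you tune the rule if the body or attachment names change while the sender spoof stays the same.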
The worm also attempts to download four files from the Internet. At the time of writing the owner of the hosting domain has taken these links down, so the downloads fail.