The worm copies itself to the Windows folder as
cftrb32.exe
and adds the following registry values, under both the per-user and the machine-wide Run keys, so that it is launched every time Windows starts:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SFtrb Service = %WindowsDir%\cftrb32.exe
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SFtrb Service = %WindowsDir%\cftrb32.exe
Mass mailing
This variant uses the same mass mailing component as the previous variant, Sobig.C. The default sender address is "admin@support.com".
Message subjects are chosen from:
Re: Documents
Re: App. 00347545-002
Re: Movies
Application Ref: 456003
Re: Your Application (Ref: 003844)
Re: Screensaver
Re: Accepted
Your Application
Re: Application
Attachment names are chosen from:
Document.pif
app003475.pif
movies.pif
ref_456.pif
Application844.pif
Screensaver.scr
Accepted.pif
Applications.pif
Application.pif
The message body is always the same:
See the attached file for details.
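The subject, attachment and body values above can be checked mechanically. The following PowerShell function is an added example, not code from the original description or from the vendor: it scans a raw message for the exact subjects and attachment names listed, treats any other .pif or .scr attachment as a weaker indicator, and checks for the fixed body text. The function names, the two-indicator threshold and the sample message are assumptions made for this example; the header scan is a minimal regex pass, not a full MIME parser.

```powershell
# Added example: match a message against the Sobig.D mass-mailer template.
# Indicator lists are the ones given on this page; everything else is mine.

$SobigSubjects = @(
    'Re: Documents', 'Re: App. 00347545-002', 'Re: Movies', 'Application Ref: 456003',
    'Re: Your Application (Ref: 003844)', 'Re: Screensaver', 'Re: Accepted',
    'Your Application', 'Re: Application'
)
$SobigAttachments = @(
    'Document.pif', 'app003475.pif', 'movies.pif', 'ref_456.pif', 'Application844.pif',
    'Screensaver.scr', 'Accepted.pif', 'Applications.pif', 'Application.pif'
)
$SobigBody = 'See the attached file for details.'

function Test-SobigMessage {
    param([Parameter(Mandatory)][string]$Raw)   # full RFC 822 message text

    # First Subject: header only; a minimal scan, not a MIME parser.
    $subject = ''
    foreach ($line in ($Raw -split "`r?`n")) {
        if ($line -match '^Subject:\s*(.*)$') { $subject = $Matches[1].Trim(); break }
    }

    # Attachment names from Content-Disposition filename= and Content-Type name=
    $attachments = [regex]::Matches($Raw, '(?i)(?:filename|name)="?([^";\r\n]+)"?') |
        ForEach-Object { $_.Groups[1].Value.Trim() } | Select-Object -Unique

    $matched = @()
    if ($SobigSubjects -contains $subject) { $matched += "subject:$subject" }
    foreach ($a in $attachments) {
        if ($SobigAttachments -contains $a)  { $matched += "attachment:$a" }
        elseif ($a -match '\.(pif|scr)$')   { $matched += "executable-attachment:$a" }
    }
    if ($Raw -match [regex]::Escape($SobigBody)) { $matched += 'body:fixed-text' }

    # Assumed threshold: two independent indicators before calling it Sobig-like.
    $verdict = 'clean'
    if ($matched.Count -ge 2) { $verdict = 'sobig-like' }

    return [pscustomobject]@{
        Subject     = $subject
        Attachments = @($attachments)
        Matched     = $matched
        Verdict     = $verdict
    }
}

# Constructed sample message (not a real capture) exercising all three indicators.
$sample = @"
From: admin@support.com
To: user@example.org
Subject: Re: Your Application (Ref: 003844)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See the attached file for details.

--XYZ
Content-Type: application/octet-stream; name="Application844.pif"
Content-Disposition: attachment; filename="Application844.pif"

TVqQAAMAAAAEAAAA
--XYZ--
"@

Test-SobigMessage -Raw $sample
# To sweep a mail spool: Get-ChildItem *.eml | ForEach-Object { Test-SobigMessage (Get-Content $_ -Raw) }
```

For the sample above the function returns Verdict "sobig-like" with three matched indicators. Subject and attachment comparisons use PowerShell's default case-insensitive -contains, which is what you want here since the worm's own strings are fixed but intermediate gateways sometimes change case.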
E-mail addresses are harvested from files with the following extensions:
'.wab'
'.dbx'
'.htm'
'.html'
'.eml'
'.txt'
Local Area Network propagation
It also tries to infect computers with open shares, copying itself to the following startup folders on the share:
Windows\All Users\Start Menu\Programs\Startup\
Documents and Settings\All Users\Start Menu\Programs\Startup
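Together with the Run values listed at the top of this page, those two startup folders are the persistence artifacts a responder looks for. The PowerShell below is an added example, not the vendor's tool: it reads both Run keys for the "SFtrb Service" value or any value pointing at cftrb32.exe, checks for the dropped file in the Windows folder, and lists executables in the All Users startup folders on the local disk and on any share root passed in. The function and parameter names, the "\\fileserver\c$" share and the choice to report every .exe/.pif/.scr in a startup folder are assumptions; the page does not give the file name the worm uses on remote shares, so those hits are a review list rather than a verdict.

```powershell
# Added example: sweep a host (and reachable share roots) for Sobig.D persistence.
# Indicator strings come from this page; function/parameter names are mine.

$RunValueName = 'SFtrb Service'
$DropperName  = 'cftrb32.exe'
$RunKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Paths the page lists (Win9x/ME and NT-family layouts). On current Windows the
# equivalent is $env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
$StartupRelative = @(
    'Windows\All Users\Start Menu\Programs\Startup',
    'Documents and Settings\All Users\Start Menu\Programs\Startup'
)

function Test-SobigRunValue {
    param([string]$Name, [string]$Data)
    # Fire on the value name OR the dropper file name, so a renamed value still hits.
    return ($Name -eq $RunValueName) -or ($Data -match [regex]::Escape($DropperName))
}

function Find-SobigPersistence {
    param(
        # Roots to check for startup-folder copies: local system drive by default,
        # plus any share roots (assumed names) the caller wants swept.
        [string[]]$Roots = @($env:SystemDrive + '\')
    )
    $hits = @()

    # 1. Run values in HKCU and HKLM
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not values
            if (Test-SobigRunValue -Name $p.Name -Data ([string]$p.Value)) {
                $hits += [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $p.Value }
            }
        }
    }

    # 2. The copy in the Windows folder
    $dropper = Join-Path $env:WINDIR $DropperName
    if (Test-Path $dropper) {
        $hits += [pscustomobject]@{ Type = 'File'; Location = $dropper; Detail = (Get-FileHash $dropper -Algorithm SHA256).Hash }
    }

    # 3. Executables in the All Users startup folders, locally and on share roots
    foreach ($root in $Roots) {
        foreach ($rel in $StartupRelative) {
            $dir = Join-Path $root $rel
            if (-not (Test-Path $dir)) { continue }
            $files = Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -in @('.exe', '.pif', '.scr') }
            foreach ($f in $files) {
                $hits += [pscustomobject]@{ Type = 'Startup'; Location = $f.FullName; Detail = (Get-FileHash $f.FullName -Algorithm SHA256).Hash }
            }
        }
    }
    return $hits
}

# Usage: local host plus one (assumed) admin share the worm could have reached.
Find-SobigPersistence -Roots @("$env:SystemDrive\", '\\fileserver\c$\') | Format-Table -AutoSize
```

Run it from an account that can read HKLM and the remote share; the Run-key and file checks are read-only, so it is safe to run on a suspected host before any cleanup. The SHA256 in the Detail column lets you compare copies across hosts without moving the binaries.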
Updating
This variant appears to listen on several ports for messages from its creator. Those messages are expected to contain URLs from which additional components are downloaded.