Upon first execution the worm drops the file %SYSDIR%\mszsrn32.dll (also detected as W32/Zasran.A).
Note: %SYSDIR% refers to the System directory. The default path for the respective operating systems is as follows:
- Windows 95/98/Me - C:\Windows\System
- Windows NT/2000 - C:\Winnt\System32
- Windows XP - C:\Windows\System32
It creates the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mszsrn32]
and adds the following values to it:
"Asynchronous" = 1
"DllName" = "%SYSDIR%\mszsrn32.dll"
"Impersonate" = 0
"Startup" = "Startup"
"Type" = 2
to make sure its always running.
It harvests e-mail addresses from all files on local drives having one of the following extensions:
wab
tbb
tbi
doc
xls
txt
csv
htm
html
xml
adb
asa
asc
asm
asp
cgi
con
csp
dbx
dlt
dwt
edm
hta
htc
inc
jsp
jst
lbi
php
rdf
rss
sht
ssi
stm
vbp
vbs
wml
xht
xsd
xst
It sends itself as an e-mail attachment to the harvested addresses. The e-mail's body and subject are in German. It avoids sending itself to e-mail addresses containing any of the following substrings:
admin
info
support
soft
webmaster
help
web
postmaster
root
bugs
rating
site
contact
privacy
service
abuse
register
cisco
gnu.org
bsd.it
debian
linux
berkeley
google
fido
ibm.com
microsoft.com
php.net
.mil
.gov
borland.com
sun.com
virus
kaspersky
sophos
ripe.
iana.
drweb.
secure
avp.
.arpa
| 