Like the earlier variants, this one is a packed PE executable; its minimum size is 29.548 bytes, twice that of the previous variants.
By gaining a mass-mailing routine, the worm moves a step closer to W32/Mytob than the previous variants. As stated in the brief description, this allows the worm to infect more versions of Windows.
It uses spoofing to trick the user into opening the infected e-mail. For that purpose it contains lists of possible subjects, message contents, attachment filenames and senders:
Possible subjects:
- Confirmed...
- Hello
- Important!
- Warning!!
- **Warning**
Possible e-mail content:
- 0K here is it!
- hey!!
- looooool
- That's your photo!!?
- We found a photo of you in ...
Possible attachment names:
- image
- loool
- photo
- picture
- sample
- webcam_photo
- your_photo
Possible attachment extensions:
- PIF, SCR, EXE, CMD and BAT.
Possible senders (the local part is taken from this list; domains are harvested from the infected computer):
- abuse
- accoun
- admin
- administrator
- anyone
- bsd
- bugs
- ca
- certific
- contact
- feste
- gold-certs
- google
- help
- icrosoft
- info
- linux
- listserv
- me
- no
- nobody
- noone
- not
- nothing
- ntivi
- page
- postmaster
- privacy
- rating
- root
- samples
- secur
- security
- service
- site
- soft
- somebody
- someone
- spam
- spm
- submit
- support
- the.bat
- unix
- webmaster
- www
- you
- your
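The lists above are fixed strings, so a mail gateway can match on them directly. The following is an added example, not part of the original analysis: it scores a parsed message against the subject, body, sender local part and attachment templates listed above. The message dict layout and the sample messages are constructed for the example.

```python
# Indicator lists taken from the analysis above; the sample messages are constructed.
SUBJECTS = {"Confirmed...", "Hello", "Important!", "Warning!!", "**Warning**"}
BODIES = {"0K here is it!", "hey!!", "looooool", "That's your photo!!?",
          "We found a photo of you in ..."}
ATTACH_NAMES = {"image", "loool", "photo", "picture", "sample", "webcam_photo",
                "your_photo"}
ATTACH_EXTS = {"pif", "scr", "exe", "cmd", "bat"}
SENDER_USERS = set("""abuse accoun admin administrator anyone bsd bugs ca certific contact
feste gold-certs google help icrosoft info linux listserv me no nobody noone not nothing
ntivi page postmaster privacy rating root samples secur security service site soft somebody
someone spam spm submit support the.bat unix webmaster www you your""".split())


def match_indicators(msg):
    """Return the indicator categories a parsed message matches (assumed dict layout:
    'from', 'subject', 'body', 'attachment' as a mail gateway would extract them)."""
    hits = []
    if msg.get("subject", "").strip() in SUBJECTS:
        hits.append("subject")
    if msg.get("body", "").strip() in BODIES:
        hits.append("body")
    # The domain is harvested from the infected host, so only the local part
    # before '@' is a stable indicator.
    local_part = msg.get("from", "").split("@", 1)[0].strip().lower()
    if local_part in SENDER_USERS:
        hits.append("sender")
    attachment = msg.get("attachment")
    if attachment:
        name, _, ext = attachment.lower().rpartition(".")
        if ext in ATTACH_EXTS and name in ATTACH_NAMES:
            hits.append("attachment")       # full worm template: name + extension
        elif ext in ATTACH_EXTS:
            hits.append("exec_extension")   # executable type only; weaker signal
    return hits


def is_suspected(msg):
    """Flag when the attachment matches the template and at least one other field does."""
    hits = match_indicators(msg)
    return "attachment" in hits and len(hits) >= 2


# Constructed sample messages (not real captures): worm-like, benign, benign with .exe
SAMPLES = [
    {"from": "webmaster@example.org", "subject": "Hello",
     "body": "That's your photo!!?", "attachment": "photo.pif"},
    {"from": "alice@example.org", "subject": "Lunch tomorrow?",
     "body": "Same place at noon?", "attachment": "menu.pdf"},
    {"from": "bob@example.org", "subject": "New build",
     "body": "Attached the installer.", "attachment": "setup.exe"},
]
```

Requiring the attachment template plus a second field keeps an ordinary executable attachment from being flagged on extension alone.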
Using the same shell code for the exploit as before, the worm can only infect Windows 2000 using that method.