Selected viruses, spyware, and other threats: sorted alphabetically
Installation
When executed, the worm copies itself in the %system% folder using the following filename:
msnmsg.exe
The following file is dropped in the same folder:
svchost.dll
Size of the file is approximately 22 kB.
In order to be executed on every system start, the worm sets the following Registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsg" = "%system%\msnmsg.exe"
Spreading via e-mail
E-mail addresses for further spreading are searched for in local files with one of the following extensions:
doc
htm
html
txt
vbs
Addresses containing the following strings are avoided:
@addres
@antivi
@avp
@bitdefender
@f-pro
@f-secur
@fbi
@freeav
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir
reports@
spam
spam@
user@
Subject of the message is the following:
Audio-message
The attachment is an executable of the worm. Its filename is the following:
audio_001.mp3.exe
Spreading via shared folders
The worm searches for computers in the local network. It tries co copy itself in the root folder of the C: drive on a remote machine using the following filename:
Setup.exe
It may also make changes to the following file in the same folder:
AutoExec.bat
This will cause the worm to be executed on every system start.
Other information
The worm is able to log keystrokes. The dropped DLL file is responsible for this. The worm can upload the information to a remote machine. The FTP protocol is used.
NOD32 detected Win32/Delf.Z using advanced heuristics. A signature was added in version 1.1703.
