Selected viruses, spyware, and other threats: sorted alphabetically
Installation
When executed, the worm copies itself in the %system% folder using one of the following filenames:
Another executable with a random name is dropped. Size of the file is 6295 B. In order to be executed on every system start, the worm sets the following Registry entries:alsys.exe
ppl.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Agent
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Agent
The entries contain path to the executable of the worm.
Spreading via e-mail
E-mail addresses for further spreading are searched for in local files with one of the following extensions:
Addresses from Windows Address Book are used too. Addresses containing the following strings are avoided:.hta
.htm
.txt
Some of the following strings may be used to form the sender address:.gov
.mil
microsoft
Subject of the message is the following:Aldora
Alysia
Amorita
Anita
April
Ara
Aretina
Barbra
Becky
Bella
Bettina
Blenda
Briana
Bridget
Caitlin
Camille
Cara
Carla
Carmen
Clarissa
Damita
Danielle
Daria
Diana
Donna
Dora
Doris
Ebony
Eden
Eliza
Emily
Erika
Eve
Evelyn
Faith
Gale
Gilda
Gloria
Haley
Helga
Holly
Chelsea
Ida
Idona
Iris
Isabel
Ivana
Ivory
Janet
Jewel
Joanna
Julie
Juliet
Kacey
Kali
Kara
Kassia
Katrina
Kyle
Lara
Laura
Linda
Lisa
Lolita
Lynn
Maia
Mary
Melody
Mimi
Myra
Nadia
Naomi
Natalie
Nicole
Nina
Nora
Nova
Olga
Olivia
Pamela
Peggy
Queen
Rae
Rachel
Rita
Rosa
Ruby
Sharon
Silver
Ula
Uma
Valda
Valora
Vanessa
Vicky
Violet
Vivian
Wendy
Willa
Xandra
Xenia
Xylia
Zenia
Zilya
Zoe
Body of the message is empty. The attachment is an executable of the worm. Its filename is the following:Happy New Year!
postcard.exe
Other information
The following programs are terminated:
The worm tries to download several files from the Internet. The files are then executed.anti
avg
avp
blackice
f-pro
firewall
hijack
lockdown
mcafee
msconfig
nav
nod32
rav
reged
spybot
taskmgr
troja
viru
vsmon
zonea
