Action : Delete email - do not open attachment
Type : mass mailing worm
Date : 2/18/2004
--------------------------------------------------------------------------------
This mass mailing worm arrives with the following information:
Subject: (any of the following)
hello
read it immediately
something for you
warning
information
stolen
fake
unknown
Message body: (any of the following)
anything ok?
what does it mean?
ok
i'm waiting
read the details.
here is the document.
read it immediately!
my hero
here
is that true?
is that your name?
is that your account?
i wait for a reply!
is that from you?
you are a bad writer
I have your password!
something about you!
kill the writer of this document!
i hope it is not true!
your name is wrong
i found this document about you
yes, really?
that is bad
here it is
see you
greetings
stuff about you?
something is going wrong!
information about you
about me
from the chatter
here, the serials
here, the introduction
here, the cheats
that's funny
do you?
reply
take it easy
why?
thats wrong
misc
you earn money
you feel the same
you try to steal
you are bad
something is going wrong
something is fool
Attachment:
The file name can be any of the following:
msg
doc
talk
message
creditcard
details
attachment
me
stuff
posting
textfile
concert
information
bill
swimmingpool
product
topseller
ps
shower
aboutyou
nomoney
found
story
mails
website
friend
jokes
location
final
release
dinner
ranking
object
mail2
part2
disco
party
misc
#n#o#t#n#e#t#s#k#y#-#s#k#y#n#e#t#!
The first extension, which may or may not appear, can be any of the following:
RTF
DOC
HTM
The second extension can be any of the following:
SCR
COM
PIF
This worm creates 40 .zip files in the %Windir% folder, which contain copies of the worm. The names of these files match the attachment names above.
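The attachment naming scheme described above can be checked at a mail gateway or over a mailbox export. The following is an added example, not part of the original advisory: it parses a raw message and flags attachments named as a listed base name, an optional RTF/DOC/HTM first extension, and an SCR/COM/PIF second extension. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Plain-word attachment base names copied from the advisory's list.
BASE_NAMES = set("""
msg doc talk message creditcard details attachment me stuff posting textfile
concert information bill swimmingpool product topseller ps shower aboutyou
nomoney found story mails website friend jokes location final release dinner
ranking object mail2 part2 disco party misc
""".split())
DECOY_EXTS = {"rtf", "doc", "htm"}  # first extension, may be absent
EXEC_EXTS = {"scr", "com", "pif"}   # second extension, the one Windows runs


def matches_naming_scheme(filename):
    """True if filename is <listed name>[.<decoy ext>].<executable ext>."""
    parts = filename.strip().lower().split(".")
    if len(parts) == 2:
        base, decoy, real = parts[0], None, parts[1]
    elif len(parts) == 3:
        base, decoy, real = parts
    else:
        return False
    return (base in BASE_NAMES and real in EXEC_EXTS
            and (decoy is None or decoy in DECOY_EXTS))


def suspicious_attachments(raw_message):
    """Return attachment filenames in a raw message that match the scheme."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = [part.get_filename() for part in msg.iter_attachments()]
    return [n for n in names if n and matches_naming_scheme(n)]


def build_sample(filename):
    """Constructed test message with harmless placeholder bytes attached."""
    m = EmailMessage()
    m["Subject"] = "read it immediately"
    m.set_content("here is the document.")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(suspicious_attachments(build_sample("details.doc.scr")))
```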
--------------------------------------------------------------------------------
Technical Details:
Creates a mutex named "AdmSkynetJKIS003". This mutex allows only one instance of the worm to execute.
May display a dialog box with the text:
The file could not be opened!
Copies itself as %Windir%\services.exe.
*Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
Adds the value:
"service" = "%Windir%\services.exe -serv"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
Deletes the values:
"Taskmon"
"Explorer"
from the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Deletes the values:
"KasperskyAV"
"System."
from the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Deletes the registry key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
McAfee definition files: 4325
Symantec definition files dated: February 18th