Threat Encyclopedia


Installation

When executed, the worm copies itself into the %system% folder using the following filename:

msnmsg.exe

The following file is dropped in the same folder:

svchost.dll

The size of the file is approximately 22 kB.

To be executed on every system start, the worm sets the following Registry entry:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsg" = "%system%\msnmsg.exe"

 

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

doc
htm
html
txt
vbs

Addresses containing the following strings are avoided:

@addres
@antivi
@avp
@bitdefender
@f-pro
@f-secur
@fbi
@freeav
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir
reports@
spam
spam@
user@

The subject of the message is the following:

Audio-message

The attachment is an executable of the worm. Its filename is the following:

audio_001.mp3.exe
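
A mail-gateway check for the message described above, as an added example that is not part of the original entry: it flags the listed subject and attachment name and, going beyond this one worm, any attachment whose executable extension hides behind a decoy one. The extension sets, rule labels, function names and sample messages are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
WORM_SUBJECT = "audio-message"
WORM_ATTACHMENT = "audio_001.mp3.exe"
# Constructed, non-exhaustive sets (assumptions; tune for your gateway).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
DECOY_EXTS = {"mp3", "wav", "jpg", "gif", "doc", "txt", "pdf", "htm", "html"}


def masked_executable(filename: str) -> bool:
    """True for names like 'x.mp3.exe': an executable suffix behind a decoy one."""
    parts = filename.strip().rstrip(".").lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def scan_message(raw: bytes) -> list:
    """Return the rule labels (hypothetical names) that fire for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if str(msg.get("Subject", "")).strip().lower() == WORM_SUBJECT:
        findings.append("subject-match")  # weak evidence on its own
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        if name.lower() == WORM_ATTACHMENT:
            findings.append("attachment-name:" + name)
        elif masked_executable(name):
            findings.append("masked-executable:" + name)
    return findings


def should_quarantine(findings: list) -> bool:
    """Quarantine only on attachment evidence; a subject match alone is not enough."""
    return any(not f.startswith("subject-match") for f in findings)


def build_sample(subject: str, filename: str) -> bytes:
    """Build a constructed test message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("constructed body")
    m.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample("Audio-message", "audio_001.mp3.exe")))
```

A plain executable attachment such as setup.exe is deliberately not flagged by the masked-extension rule; blocking executables outright is a separate gateway policy.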

Spreading via shared folders

The worm searches for computers in the local network. It tries to copy itself to the root folder of the C: drive on a remote machine using the following filename:

Setup.exe

It may also make changes to the following file in the same folder:

AutoExec.bat

This will cause the worm to be executed on every system start.

 

Other information

The worm is able to log keystrokes; the dropped DLL file is responsible for this. The worm can upload the logged information to a remote machine using the FTP protocol.