When executed, the worm copies itself into the %system% folder using the following filename:
The following file is dropped in the same folder:
The size of the file is approximately 22 kB.
In order to be executed on every system start, the worm sets the following Registry entry:
"msnmsg" = "%system%\msnmsg.exe"
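One way to check a host for this autostart entry, as an added example that is not part of the original description: the script scans the text of a registry export for string values named "msnmsg" or pointing at msnmsg.exe. The function name is hypothetical, and because the page does not name the registry key, the Run keys and paths in the constructed sample are assumptions.

```python
import re

# Indicators from the description above: autorun value name and dropped file name.
IOC_VALUE_NAME = "msnmsg"
IOC_FILE_NAME = "msnmsg.exe"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# Plain string values only ("name"="data"); hex(2)/dword values are skipped.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

def _unescape(s):
    # .reg files escape backslashes and quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_msnmsg_autorun(reg_text):
    """Return values whose name or target file matches the indicators (hypothetical helper)."""
    hits, key = [], None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = _unescape(m.group("name")), _unescape(m.group("data"))
        # File name of the command: text after the last backslash, minus arguments.
        tail = data.strip('"').rsplit("\\", 1)[-1].lower().split()
        exe = tail[0].strip('"') if tail else ""
        name_match = name.lower() == IOC_VALUE_NAME
        file_match = exe == IOC_FILE_NAME
        if name_match or file_match:
            hits.append({"key": key, "name": name, "data": data,
                         "name_match": name_match, "file_match": file_match})
    return hits

# Constructed sample export. The page does not name the registry key, so the
# Run keys used here are an assumption, as are the paths.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsg"="C:\\WINDOWS\\system32\\msnmsg.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Messenger"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''

if __name__ == "__main__":
    for hit in find_msnmsg_autorun(SAMPLE_EXPORT):
        print(hit["key"], hit["name"], hit["data"])
```

Files written by `reg export` are UTF-16 encoded, so decode them to text before passing the content to the function.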
Spreading via e-mail
E-mail addresses for further spreading are searched for in local files with one of the following extensions:
Addresses containing the following strings are avoided:
The subject of the message is the following:
The attachment is an executable of the worm. Its filename is the following:
Spreading via shared folders
The worm searches for computers in the local network. It tries to copy itself into the root folder of the C: drive on a remote machine using the following filename:
It may also make changes to the following file in the same folder:
This will cause the worm to be executed on every system start.
The worm is able to log keystrokes; the dropped DLL file is responsible for this. The worm can upload the logged information to a remote machine using the FTP protocol.
NOD32 detected Win32/Delf.Z using advanced heuristics. A signature was added in version 1.1703.