Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


Aliases: W32/Moe, I-Worm.Desos.a, W95.Stoogy.6031

Win32/Onamu.6031.A is a worm spreading as a file attachment of email messages.  For its operation it requires the operating system Windows 95 or a newer version.
The worm arrives as a file with a size of 38912 bytes.  The name of the file is variable.  When the worm sends out its copy it chooses the name from the following possibilities: s_CAP3.EXE, HUMANO.EXE, MUSIC.EXE, MUJER.EXE, HOMBRE.EXE, CONFESION.EXE, INFIEL.EXE, BELLEZA.EXE, LISTArc.EXE, DESEOS.EXE, SECRETO.EXE, CLAVE.EXE, YO.EXE, FEOS.EXE, PASION.EXE, CITA2.EXE, GORDA.EXE, CUERPO.EXE, MONSTRUO.EXE and JOVEN.EXE.  Subject and body of the message are variable, as well.

Note: In the following text a symbolic inscription %windir%. is used instead of name of the directory in which the Windows operating system is installed. Naturally, this can be different with any single installation

When the file attachment is executed the worm is activated and puts copies into the directory %windir% under the name egino.exe.  In the system registry, in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run it creates the item egino and sets its value to the file %windir%/egino.exe.  By doing this it ensures its activation after each operating system start.
The worm sends its copies to all email addresses it finds in the contacts list of the Windows address book.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.