Threat Encyclopedia


Installation

When executed, the worm copies itself into the %windir% folder under the following filename:

rsmbx.exe

The following files are dropped in the same folder:

rsmbx.dll
rsmbx.gfx
rsmbx.wax

The following files are dropped in the %system% folder:

cmut449c14b7.dll
hpzl449c14b7.exe
msji449c14b7.dll

In order to be executed on every system start, the worm sets the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rsmbx" = "%windir%\rsmbx.exe s"

The following Registry entry is set (a DLL listed in AppInit_DLLs is loaded into every process that loads user32.dll, which injects the dropped DLL system-wide):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "msji449c14b7.dll"

A Notepad window with random text is displayed.
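The persistence entries above can be checked offline from a registry export. The following Python script is an added example and not part of this encyclopedia entry: it parses a .reg text file, reports any Run value that starts one of the listed files, and reports any non-empty AppInit_DLLs value. The .reg input is constructed for the demonstration (the ExampleUpdater entry is made up), and the severity labels are this example's own choice; the key paths, value names and file names come from the entry above.

```python
"""Check a Windows registry export (.reg text) for the persistence entries
described in this entry: the Run value that starts rsmbx.exe and the
AppInit_DLLs value that loads the dropped DLL into every process that
loads user32.dll.

Added example, not part of the encyclopedia entry. The .reg text below is
constructed for the demonstration (the benign ExampleUpdater entry is made
up); the key paths, value names and file names come from the entry above.
"""
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"

# Indicators taken from the entry above.
WORM_RUN_VALUE = "rsmbx"
WORM_FILES = {"rsmbx.exe", "rsmbx.dll", "rsmbx.gfx", "rsmbx.wax",
              "cmut449c14b7.dll", "hpzl449c14b7.exe", "msji449c14b7.dll"}

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')


def parse_reg(text):
    """Parse a .reg export into {key_path (lowercased): {value_name: data}}.

    Only string (REG_SZ) values are kept; dword:/hex: lines are ignored.
    .reg files escape backslashes and quotes with a backslash, so undo that.
    """
    keys, current = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _STRING_VALUE_RE.match(line)
        if m and current is not None:
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            keys[current][name] = data
    return keys


def _executable_name(cmd):
    """Basename of the program in a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        prog = cmd[1:end] if end > 0 else cmd[1:]
    else:
        prog = cmd.split()[0] if cmd else ""
    return prog.rsplit("\\", 1)[-1].lower()


def findings(reg_text):
    """Return a list of (severity, description) for entries matching this worm.

    Any non-empty AppInit_DLLs is reported, at 'review' severity when the DLL
    is not one of the known dropped files, because the mechanism itself is
    rarely used legitimately.
    """
    keys = parse_reg(reg_text)
    out = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == WORM_RUN_VALUE or _executable_name(data) in WORM_FILES:
            out.append(("high", f"Run value {name!r} starts {data!r}"))
    appinit = keys.get(WINDOWS_KEY, {}).get("AppInit_DLLs", "")
    if appinit.strip():
        dlls = [d.rsplit("\\", 1)[-1].lower() for d in re.split(r"[ ,;]+", appinit.strip())]
        sev = "high" if any(d in WORM_FILES for d in dlls) else "review"
        out.append((sev, f"AppInit_DLLs is set to {appinit!r}"))
    return out


# Constructed sample export: one made-up benign Run entry plus the worm's entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /quiet"
"rsmbx"="C:\\WINDOWS\\rsmbx.exe s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="msji449c14b7.dll"
'''

if __name__ == "__main__":
    for severity, text in findings(SAMPLE_REG):
        print(f"[{severity}] {text}")
```

On the sample the script reports the rsmbx Run value and the AppInit_DLLs value, both at high severity, and ignores the benign quoted-path entry. A real export from `reg export` is UTF-16 on disk; decode it before passing the text in.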

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.sht
.shtm
.stm
.tbb
.txt
.uin
.wab
.wsh
.xls
.xml

Addresses containing the following strings are avoided:

.edu
.gov
.mil
@avp
@foo
admin
anyone@
berkeley
bsd
bugs@
cafee
certific
contact
contract@
example
fido
gnu
gold-certs
google
help
help@
ibm.com
icrosoft
info@
kasp
kernel
linux
local
master
mozilla
mydomai
news
nobody
noone
noreply
panda
pgp
pch
privacy
rating
rfc-ed
ripe.
root@
samples
secure
sendmail
service
smbdy
smn
spam
support
unix
update
update
usnt
winrar
winzip
www
xx
yu
yur

Strings from the following three lists may be used to form the sender address:

adam
alice
anna
betty
bob
brenda
brent
brian
carol
claudia
craig
cyber
dan
dave
david
debby
den
Donn
frank
george
gerhard
helen
helen
james
jane
jayson
jerry
jim
joe
john
karen
linda
lisa
mancy
maria
ruth
sandra
sharon
Susan

allen
anderson
baker
carter
clark
garcia
gonzalez
green
hall
harris
hernandez
hill
jackson
jeremy
joe
kenneth
king
lee
lewis
lopez
martin
martinez
miller
molly
moore
nelson
robinson
robyn
rodriguez
scott
shaan
taylor
thomas
thompson
walker
white
wilson
wright
young
gmail.com
inbox.com
fasmail.fm
yahoo.com
mail.aim.com
mail.lycos.com
care2.com
goowy.com
hotmail.com
email.myway.com

Random strings may be used instead.

The subject of the message is one of the following:

hello
picture
Server Report
Status
test
Good day
Error
Mail Delivery System
Mail Transaction Failed

The body of the message is one of the following:

Mail transaction failed. Partial message is available.
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment

The attachment is an executable of the worm. Its filename is one of the following:

body
data
doc
docs
document
file
message
readme
test
text

A double extension is used. The first one is one of the following:

dat
doc
elm
log
msg
txt

The second one is one of the following:

bat
cmd
exe
pif
scr
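The subject, body and attachment-naming characteristics above are enough to score inbound mail at a gateway. The following Python script is an added example and not part of this encyclopedia entry: it classifies attachment names by the <name>.<first extension>.<second extension> scheme, and also flags the more general case of any double extension ending in an executable type, then scores a whole message with the stdlib `email` package. The scoring weights and the quarantine threshold are this example's own assumptions; the word lists are copied from the entry, and the sample messages are constructed.

```python
"""Score inbound messages against the e-mail characteristics described in
this entry: the subject and body strings and the attachment naming scheme
<name>.<document-extension>.<executable-extension>.

Added example, not part of the encyclopedia entry. The messages built by
build_message() are constructed samples; the word lists are taken from the
entry above; the weights and threshold are assumptions of this example.
"""
import email
from email import policy
from email.message import EmailMessage

SUBJECTS = {"hello", "picture", "server report", "status", "test", "good day",
            "error", "mail delivery system", "mail transaction failed"}
BODIES = (
    "mail transaction failed. partial message is available.",
    "the message contains unicode characters and has been sent as a binary attachment.",
    "the message cannot be represented in 7-bit ascii encoding and has been sent as a binary attachment",
)
BASE_NAMES = {"body", "data", "doc", "docs", "document", "file", "message",
              "readme", "test", "text"}
FIRST_EXT = {"dat", "doc", "elm", "log", "msg", "txt"}
SECOND_EXT = {"bat", "cmd", "exe", "pif", "scr"}

QUARANTINE_THRESHOLD = 2  # assumption of this example


def classify_attachment(filename):
    """Return 'worm-scheme', 'double-ext-executable', 'executable' or 'clean'.

    'worm-scheme' is the exact naming described in the entry; the other two
    generalise it to any executable type, with or without a disguising
    document extension in front of it.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in SECOND_EXT:
        return "clean"
    if len(parts) == 3 and parts[0] in BASE_NAMES and parts[1] in FIRST_EXT:
        return "worm-scheme"
    if len(parts) >= 3:
        return "double-ext-executable"
    return "executable"


def score_message(raw):
    """Return (score, reasons) for a raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    subject = str(msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        score += 1
        reasons.append(f"subject {subject!r} is one of the worm's subjects")

    body_part = msg.get_body(preferencelist=("plain",))
    body = " ".join(body_part.get_content().split()).lower() if body_part else ""
    if any(template in body for template in BODIES):
        score += 1
        reasons.append("body matches one of the worm's message templates")

    weights = {"worm-scheme": 2, "double-ext-executable": 2, "executable": 1}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        kind = classify_attachment(name)
        if kind != "clean":
            score += weights[kind]
            reasons.append(f"attachment {name!r}: {kind}")
    return score, reasons


def build_message(subject, body, attachment_name):
    """Construct a sample message (constructed data, not a captured sample)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder bytes, not a real binary",
                     maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_string()


if __name__ == "__main__":
    samples = [
        build_message("Mail Delivery System",
                      "Mail transaction failed. Partial message is available.",
                      "message.txt.scr"),
        build_message("Status", "Please find the Q3 status report attached.",
                      "status_report.pdf"),
    ]
    for raw in samples:
        score, reasons = score_message(raw)
        verdict = "QUARANTINE" if score >= QUARANTINE_THRESHOLD else "deliver"
        print(f"{verdict} (score {score}): {'; '.join(reasons) or 'no indicators'}")
```

The second sample shows why the subject list alone is a weak signal: "Status" is a common legitimate subject and scores 1, below the threshold, while the worm-shaped message scores 4 from the subject, the body template and the double-extension attachment.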