thenerdguy
This is a mass-mailing worm that arrives in an email message as follows:
Subject: (Random)
Body: (Varies, such as)
The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
Attachment: (varies - often arrives in a ZIP archive) (22,528 bytes)
The icon used by the file tries to make it appear as if the attachment is a text file.
When this file is run it copies itself to the local system with the following filenames:
c:\Program Files\KaZaA\My Shared Folder\activation_crack.scr
c:\WINDOWS\Desktop\Document.scr
c:\WINDOWS\SYSTEM\taskmon.exe
It also uses a DLL that it creates in the Windows System directory:
c:\WINDOWS\SYSTEM\shimgapi.dll (4,096 bytes)
It creates the following registry entry to hook Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
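A triage check built from the indicators listed in the advisory quoted above, as an added example that is not part of the original post or the advisory: it matches a machine's file listing and Run-key values against those paths. The function names, the sample input and the mapping of %SysDir% to c:\WINDOWS\SYSTEM are assumptions.

```python
import ntpath

# Indicators from the advisory quoted above. Size is in bytes; None means the
# advisory gives no size for that dropped copy.
SYSDIR = r"c:\windows\system"  # assumption: what %SysDir% expands to on this layout
FILE_INDICATORS = {
    r"c:\program files\kazaa\my shared folder\activation_crack.scr": None,
    r"c:\windows\desktop\document.scr": None,
    r"c:\windows\system\taskmon.exe": None,
    r"c:\windows\system\shimgapi.dll": 4096,
}
RUN_NAME, RUN_DATA = "taskmon", r"%SysDir%\taskmon.exe"

def norm(path):
    """Lower-case, unquote, expand %SysDir% and collapse '..' so spellings compare equal."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    return ntpath.normpath(p.replace("%sysdir%", SYSDIR))

def triage(files, run_values):
    """files: iterable of (path, size). run_values: {value name: data} read from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. Returns a list of findings."""
    findings = []
    for path, size in files:
        p = norm(path)
        if p not in FILE_INDICATORS:
            continue
        want = FILE_INDICATORS[p]
        # A size mismatch is still reported, but marked so it can be checked by hand.
        status = "match" if want is None or size == want else "name-only"
        findings.append(("file", p, status))
    for name, data in run_values.items():
        if name.lower() == RUN_NAME and norm(data) == norm(RUN_DATA):
            findings.append(("run", name, "match"))
    return findings

# Constructed sample input, not taken from a real machine.
SAMPLE_FILES = [
    (r"C:\WINDOWS\SYSTEM\TASKMON.EXE", 22528),
    (r"C:\WINDOWS\SYSTEM\shimgapi.dll", 4096),
    (r"C:\WINDOWS\TASKMON.EXE", 28672),  # other directory: not one of the listed paths
]
SAMPLE_RUN = {"TaskMon": r"C:\WINDOWS\SYSTEM\taskmon.exe",
              "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_RUN):
        print(finding)
```

Matching is on the full path, so a file with one of the listed names in a different directory is not reported.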