An email worm that spreads over the Internet as an attachment to infected messages. The worm can also propagate through P2P networks and through accessible HTTP and FTP directories.
The worm's main component is a PE EXE file about 29 KB in size. It is packed with FSG; the unpacked file is about 40 KB.
It copies itself to the Windows directory under the name "fvprotect.exe" and registers that file in the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Norton Antivirus AV" = "%windir\fvprotect.exe"
The worm also creates the file "userconfig9x.dll" in the Windows directory, along with files named:
base64.tmp zip1.tmp zip2.tmp zip3.tmp zipped.tmp
These files are copies of the worm in UUE format and ZIP archives containing copies of the worm. The archived files may have the following names:
data.rtf.scr details.txt.pif document.txt.exe
The worm creates the unique identifier "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_" to detect whether it is already running in memory.
The worm searches for files with extensions from the following list:
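The host-side indicators listed above (the autorun value, the dropped files in the Windows directory and the in-memory identifier) can be checked on a suspect machine with a short triage script. The following is an added example and not part of the original description; it assumes the identifier is a named mutex (the text does not say so explicitly), reads the Run key only on Windows, and otherwise works on caller-supplied data so it can be exercised offline.

```python
import sys

# Indicators quoted from the description above.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
AUTORUN_VALUE_NAME = "Norton Antivirus AV"
DROPPED_EXE = "fvprotect.exe"
DROPPED_FILES = {"userconfig9x.dll", "base64.tmp", "zip1.tmp",
                 "zip2.tmp", "zip3.tmp", "zipped.tmp"}
# Assumption: the identifier is a named mutex (typical for this worm family).
MUTEX_NAME = "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_"


def check_run_values(run_values: dict) -> list:
    """Flag autorun entries that match the worm: either the known value name,
    or any value whose data points at fvprotect.exe regardless of the name."""
    findings = []
    for name, data in run_values.items():
        # Registry data may be quoted and uses backslashes; take the last path element.
        exe = str(data).strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == AUTORUN_VALUE_NAME or exe == DROPPED_EXE:
            findings.append(f"autorun value {name!r} -> {data!r}")
    return findings


def check_windows_dir(filenames) -> list:
    """Report which of the dropped file names are present in a directory listing."""
    wanted = DROPPED_FILES | {DROPPED_EXE}
    present = wanted.intersection(n.lower() for n in filenames)
    return [f"dropped file present: {n}" for n in sorted(present)]


def read_run_values() -> dict:
    """Read the HKLM Run values on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = data
            index += 1
    return values


def mutex_exists(name: str) -> bool:
    """Probe for a named mutex without creating it (Windows only)."""
    if sys.platform != "win32":
        return False
    import ctypes
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.windll.kernel32
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    return False


if __name__ == "__main__":
    import os
    windir = os.environ.get("WINDIR", "")
    listing = os.listdir(windir) if windir and os.path.isdir(windir) else []
    for line in check_run_values(read_run_values()) + check_windows_dir(listing):
        print(line)
    if mutex_exists(MUTEX_NAME):
        print("worm identifier present in memory")
```

On a non-Windows host the registry and mutex probes return nothing, so the two pure functions can be run against a registry export or a directory listing collected from the suspect machine.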
adb asp cgi dbx dhtm doc eml htm html jsp msg oft php pl rtf sht shtm tbb txt uin vbs wab wsh xml
harvests email addresses from them, and sends copies of itself to the addresses found. It uses its own SMTP engine to send mail and attempts to connect directly to the recipient's mail server.
Infected messages are assembled from random combinations of the following:
Sender address: chosen at random from the addresses found on the infected machine.
0i09u5rug08r89589gjrg Administrator approved Congratulations! corrected Do you? Does it matter? Error Fwd: Warning again hello here hi I cannot forget you! I love you! Illegal Website important Important m$6h?3p improved Information Internet Provider Abuse Is that your password? Mail Account Mail Authentication Mail Delivery my News Notice again patched Postcard Private document Protected Mail System Re: A!p$ghsa Re: Administration Re: Approved document Re: Bad Request Re: Delivery Protection Re: Delivery Server Re: Developement Re: Encrypted Mail Re: Error Re: Error in document Re: Extended Mail Re: Extended Mail System Re: Failure Re: Free porn Re: Hello Re: Hi Re: Is that your document? Re: Its me Re: List Re: Mail Authentification Re: Mail Server Re: Message Re: Message Error Re: Notify Re: Old photos Re: Old times Re: Proof of concept Re: Protected Mail Delivery Re: Protected Mail Request Re: Protected Mail System Re: Question Re: Request Re: Sample Re: Secure delivery Re: Secure SMTP Message Re: Sex pictures Re: SMTP Server Re: Status Re: Submit a Virus Sample Re: Test Re: Thank you for delivery Re: Virus Sample Re: Your document read it immediately Shocking document Spam Spamed? Stolen document Thank you! thanks! You cannot do that! your Your day
or a random string of characters.
9u049u89gh89fsdpokofkdpbm3-4i am shocked about your document! Are you a spammer? (I found your email on a spammer website!?!) Authentication required. Bad Gateway: The message has been attached. Binary message is available. Can you confirm it? Delivered message is attached. Do not visit this illegal websites! Encrypted message is available. Encrypted message is available. ESMTP [Secure Mail System #334]: Secure message is attached. First part of the secure mail is available. Follow the instructions to read the message. For further details see the attachment. For more details see the attachment. For more details see the attachment. Forwarded message is available. Here is it! Here is my icq list. Here is my phone number. Here is the website. ;-) I have attached it to this mail. I have attached the sample. I have attached your document. I have corrected your document. I have received your document. The corrected document is attached. I have visited this website and I found you in the spammer list. Is that true? I hope you accept the result! Important message, do not show this anyone! Let'us be short: you have no experience in writing letters!!! lovely, :-) Message has been sent as a binary attachment. Monthly news report. My favourite page. New message is available. Now a new message is available. Partial message is available. Please answer quickly! Please authenticate the secure message. Please confirm my request. Please confirm the document. Please confirm! Please r564g!he4a56a3haafdogu#mfn3o Please read the attached file! Please read the attached file. Please read the attachment to get the message. Please read the document. Please read the important document. Please see the attached file for details po44u90ugjid-k9z5894z0 Protected Mail System Test. Protected message is attached. Protected message is attached. Protected message is available. Requested file. Secure Mail System Beta Test. See the file. 
See the ghg5%&6gfz65!4Hf55d!46gfgf Server Error #203 SMTP Error #201 SMTP: Please confirm the attached message. Thank you for your request, your details are attached! Thanks! The sample is attached! Try this, or nothing! Waiting for a Response. Please read the attachment. Waiting for authentification. You got a new message. You have downloaded these illegal cracks? You have received an extended message. Please read the instructions. You have written a very good text, excellent, good work! You were registered to the pay system. Your archive is attached. your big love, ;-) Your bill is attached to this mail. Your details. Your document is attached to this mail. Your document is attached. Your document is attached. Your document is attached. Your document. Your file is attached. Your important document, correction is finished! Your photo, uahhh.... , you are naked! Your requested mail has been attached. Greetings from france, your friend. Have a look at these. I noticed that you have visited illegal websites. See the name in the list! You have visited illegal websites. I have a big list of the websites you surfed. Your mail account is expired. See the details to reactivate it. Your mail account has been closed. For further details see the document. The file is protected with the password ghj001. I have attached your file. Your password is jkl44563. The sample file you sent contains a new virus version of mydoom.j. Please clean your system with the attached signature. Sincerly, Robert Ferrew Best wishes, your friend. Congratulations!, your best friend. I found this document about you. I cannot believe that. Try this game ;-) I hope the patch works.
The worm may also append to the end of an infected message a fake notice claiming that the message has been checked by some antivirus product:
+++ Attachment: No Virus found +++ MessageLabs AntiVirus – www.messagelabs.com +++ Attachment: No Virus found +++ Bitdefender AntiVirus – www.bitdefender.com +++ Attachment: No Virus found +++ MC-Afee AntiVirus – www.mcafee.com +++ Attachment: No Virus found +++ Kaspersky AntiVirus – www.kaspersky.com +++ Attachment: No Virus found +++ Panda AntiVirus – www.pandasoftware.com ++++ Attachment: No Virus found ++++ Norman AntiVirus – www.norman.com ++++ Attachment: No Virus found ++++ F-Secure AntiVirus – www.f-secure.com ++++ Attachment: No Virus found ++++ Norton AntiVirus – www.symantec.de
The attachment name has many variants. It is often a file with a double extension, where the first extension is "doc" or "txt" and the second is chosen from the list:
exe pif scr zip
The worm can also send copies of itself as ZIP archives.
The worm does not send itself to addresses containing the following substrings:
@antivi @avp @bitdefender @fbi @f-pro @freeav @f-secur @kaspersky @mcafee @messagel @microsof @norman @norton @pandasof @skynet @sophos @spam @symantec @viruslis abuse@ noreply@ ntivir reports@ spam@
The worm may send messages containing the IFRAME exploit (as the Klez.h and Swen worms do). In that case, when the message is viewed in a vulnerable mail client, the attached worm file is launched automatically.
The worm creates many copies of itself in all subdirectories whose names contain words from the list:
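The mail characteristics described above give a gateway or mailbox scanner several cheap indicators: a double-extension attachment (doc/txt followed by exe, pif, scr or zip), a bare executable attachment, the fake "No Virus found" footer, and an IFRAME tag in the HTML body. The following detector is an added example, not code from the original description; the sample messages it scans are constructed here, and the addresses and antivirus name in them are placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
DOUBLE_EXT_RE = re.compile(r"\.(doc|txt)\.(exe|pif|scr|zip)$", re.IGNORECASE)
EXEC_EXTENSIONS = (".exe", ".pif", ".scr")
FAKE_SCAN_FOOTER = "+++ Attachment: No Virus found +++"
IFRAME_RE = re.compile(r"<iframe\b", re.IGNORECASE)


def worm_indicators(raw_message: bytes) -> list:
    """Return human-readable reasons why a raw RFC 822 message looks like this worm's mailing."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if DOUBLE_EXT_RE.search(name):
                reasons.append(f"double-extension attachment: {name}")
            elif name.lower().endswith(EXEC_EXTENSIONS):
                reasons.append(f"executable attachment: {name}")
        elif part.get_content_type() == "text/html":
            if IFRAME_RE.search(part.get_content()):
                reasons.append("IFRAME tag in HTML body")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and FAKE_SCAN_FOOTER in body.get_content():
        reasons.append("fake antivirus scan footer in body")
    return reasons


def build_worm_like_sample() -> bytes:
    """Constructed sample mimicking the described pattern (not a real capture)."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"      # placeholder address
    m["To"] = "recipient@example.invalid"     # placeholder address
    m["Subject"] = "Re: Your document"
    m.set_content(
        "Your document is attached.\n\n"
        "+++ Attachment: No Virus found +++\n"
        "+++ Example AntiVirus - www.example.invalid +++\n"   # placeholder product
    )
    m.add_alternative(
        '<html><body><p>Your document is attached.</p>'
        '<iframe src="cid:placeholder"></iframe></body></html>', subtype="html")
    m.add_attachment(b"MZ placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="document.txt.exe")
    return m.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed benign message used as a negative control."""
    m = EmailMessage()
    m["From"] = "colleague@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = "Meeting notes"
    m.set_content("Notes from today's meeting are attached.\n")
    m.add_attachment(b"plain text notes", maintype="text",
                     subtype="plain", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("worm-like", build_worm_like_sample()),
                       ("clean", build_clean_sample())):
        print(label, worm_indicators(raw))
```

Each indicator on its own produces false positives (legitimate mail carries executables and IFRAMEs), so in practice the reasons would be scored or combined with sender reputation rather than used as a single block rule.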
bear donkey download ftp htdocs http icq kazaa lime morpheus mule my shared folder shar shared files upload
The files created by the worm have the following names:
1001 Sex and more.rtf.exe 3D Studio Max 6 3dsmax.exe ACDSee 10.exe Adobe Photoshop 10 crack.exe Adobe Photoshop 10 full.exe Adobe Premiere 10.exe Ahead Nero 8.exe Altkins Diet.doc.exe American Idol.doc.exe Arnold Schwarzenegger.jpg.exe Best Matrix Screensaver new.scr Britney sex xxx.jpg.exe Britney Spears and Eminem porn.jpg.exe Britney Spears blowjob.jpg.exe Britney Spears cumshot.jpg.exe Britney Spears fuck.jpg.exe Britney Spears full album.mp3.exe Britney Spears porn.jpg.exe Britney Spears Sexy archive.doc.exe Britney Spears Song text archive.doc.exe Britney Spears.jpg.exe Britney Spears.mp3.exe Clone DVD 6.exe Cloning.doc.exe Cracks & Warez Archiv.exe Dark Angels new.pif Dictionary English 2004 – France.doc.exe DivX 8.0 final.exe Doom 3 release 2.exe E-Book Archive2.rtf.exe Eminem blowjob.jpg.exe Eminem full album.mp3.exe Eminem Poster.jpg.exe Eminem sex xxx.jpg.exe Eminem Sexy archive.doc.exe Eminem Song text archive.doc.exe Eminem Spears porn.jpg.exe Eminem.mp3.exe Full album all.mp3.pif Gimp 1.8 Full with Key.exe Harry Potter 1-6 book.txt.exe Harry Potter 5.mpg.exe Harry Potter all e.book.doc.exe Harry Potter e book.doc.exe Harry Potter game.exe Harry Potter.doc.exe How to hack new.doc.exe Internet Explorer 9 setup.exe Kazaa Lite 4.0 new.exe Kazaa new.exe Keygen 4 all new.exe Learn Programming 2004.doc.exe Lightwave 9 Update.exe Magix Video Deluxe 5 beta.exe Matrix.mpg.exe Microsoft Office 2003 Crack best.exe Microsoft WinXP Crack full.exe MS Service Pack 6.exe netsky source code.scr Norton Antivirus 2005 beta.exe Opera 11.exe Partitionsmagic 10 beta.exe Porno Screensaver britney.scr RFC compilation.doc.exe Ringtones.doc.exe Ringtones.mp3.exe Saddam Hussein.jpg.exe Screensaver2.scr Serials edition.txt.exe Smashing the stack full.rtf.exe Star Office 9.exe Teen Porn 15.jpg.pif The Sims 4 beta.exe Ulead Keygen 2004.exe Visual Studio Net Crack all.exe Win Longhorn re.exe WinAmp 13 full.exe Windows 2000 Sourcecode.doc.exe Windows 2003 crack.exe Windows XP crack.exe WinXP eBook newest.doc.exe XXX hardcore pics.jpg.exe
If the registry key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
contains the following entries and values:
au.exe d3dupdate.exe direct.exe direct.exe Explorer gouday.exe jijbl msgsvr32 OLE rate.exe Sentry service srate.exe ssate.exe sysmon.exe system. Taskmon Windows Services Host winupd.exe winupd.exe
the worm deletes them from the Windows system registry.
Also, from the key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
the following entries are deleted:
system. Video
as well as the values of the keys:
[HKLM\SYSTEM\CurrentControlSet\Services\WksPatch] [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF] [HKCR\CLSID\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
These registry keys and values belong to other email worms (the I-Worm.Bagle family).