VIRUS NAME: W32/Porkis@MM
Internet Worm
Characteristics
This mass-mailing worm carries its own SMTP engine and is designed to send itself through the system's default SMTP server to every address found in the Windows Address Book. In testing, the worm failed to mail itself when run on English/US operating systems. Had the mailing succeeded, strings within the worm show that the message would be built as follows:
Subject: one of
  'Divertimento assicurato' ("Fun guaranteed")
  'Leggete urgentemente questa e-mail (se avete tempo da perdere)' ("Read this e-mail urgently (if you have time to waste)")
  'Storielle' ("Little stories")
From: <> (no sender address)
Attachment: a 49,664-byte executable (not packed), named one of
  PORKIS.EXE
  PIPPO.EXE
  BAR.EXE
Once executed on the victim machine, the worm displays a series of message boxes in Italian that progress through a dialogue.

The worm copies itself to the Windows directory as DLLMGR.EXE and adds a Registry value so that this copy of itself runs at every subsequent system startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  "Dll Manager" = C:\WINDOWS\DLLMGR.EXE
After a restart, following a short delay, the worm attempts to connect to the system's default SMTP server (the server name is read from the Registry) and to mail itself to every entry in the Windows Address Book (the address book's location is also read from the Registry). As noted above, when tested on English/US operating systems the worm did connect to the SMTP server but failed to send itself.
Symptoms
Existence of the following file, 49,664 bytes in length:
C:\WINDOWS\DLLMGR.EXE
Presence of the "Dll Manager" value under the Run key listed above, pointing at that file.
Method Of Infection
The worm infects the victim machine when it is executed: it copies itself to the Windows directory and hooks the Registry Run key so that the copy starts with the system. It then attempts to mail itself to entries found in the Windows Address Book.
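The indicators above (the dropped file name and size, the "Dll Manager" Run value, and the strings the worm carries) turned into a small checker. This is an added example, not code from the original write-up or from any vendor. The `scan_bytes` and `persistence_hits` functions work on data passed in, so they run offline against a file body or an exported Run key; `read_run_key` uses the standard `winreg` module only when the script actually runs on Windows. The `SAMPLE` buffer is constructed test data, not a worm body, and the `dropped_copy_path` helper and the `WINDIR` fallback are assumptions of this example.

```python
"""Host/file checks built from the W32/Porkis@MM indicators in this write-up.

Added example, not the page's or any vendor's code.  The indicator values
(size, file names, Run value name, message strings) come from the write-up;
the SAMPLE buffer below is constructed for the test and is NOT a real worm body.
"""
import os
import sys

PORKIS_SIZE = 49664              # reported length of the worm body / DLLMGR.EXE
DROP_NAME = "DLLMGR.EXE"         # copy written to the Windows directory
RUN_VALUE_NAME = "Dll Manager"   # value added under HKLM\...\CurrentVersion\Run
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Strings the write-up reports inside the worm (subjects, attachment names, drop name).
WORM_STRINGS = [
    b"Divertimento assicurato",
    b"Leggete urgentemente questa e-mail (se avete tempo da perdere)",
    b"Storielle",
    b"PORKIS.EXE",
    b"PIPPO.EXE",
    b"BAR.EXE",
    b"DLLMGR.EXE",
    b"Dll Manager",
]


def scan_bytes(data: bytes) -> dict:
    """Match a file body against the reported size and embedded strings.

    The string match is case-insensitive so a renamed attachment (pippo.exe)
    still hits; the size match is exact because the page gives an exact length.
    """
    lowered = data.lower()
    found = [s.decode("ascii") for s in WORM_STRINGS if s.lower() in lowered]
    return {"size_match": len(data) == PORKIS_SIZE, "strings": found}


def persistence_hits(run_values: dict) -> list:
    """Flag Run-key entries that match the worm's persistence.

    run_values maps value name -> command line, as read from the Run key.
    A hit is either the reported value name or any command that launches
    DLLMGR.EXE, since a value name is trivial to change while the dropped
    file name is what the page reports as the symptom.
    """
    hits = []
    for name, cmd in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower() or DROP_NAME.lower() in str(cmd).lower():
            hits.append((name, cmd))
    return hits


def read_run_key() -> dict:
    """Read HKLM Run values on a live Windows host; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:          # not Windows: nothing to read
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:      # EnumValue raises once the values are exhausted
                break
            values[name] = data
            index += 1
    return values


def dropped_copy_path() -> str:
    """Expected location of the dropped copy (WINDIR from the environment, else C:\\WINDOWS)."""
    return os.path.join(os.environ.get("WINDIR", r"C:\WINDOWS"), DROP_NAME)


# Constructed stand-in for a worm body: a fake MZ header plus a few of the reported
# strings, padded to the reported size.  Test data only, not worm code.
SAMPLE = (b"MZ" + b"\x00" * 62
          + b"Dll Manager\x00DLLMGR.EXE\x00PORKIS.EXE\x00Divertimento assicurato\x00"
          ).ljust(PORKIS_SIZE, b"\x00")


if __name__ == "__main__":
    # Usage: python porkis_check.py [file-to-scan ...]
    targets = sys.argv[1:] or [dropped_copy_path()]
    for path in targets:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                print(path, scan_bytes(fh.read()))
        else:
            print(path, "not present")
    for name, cmd in persistence_hits(read_run_key()):
        print("persistence hit:", name, "=", cmd)
```

Run it with no arguments on a Windows host to check the reported drop location and the Run key, or pass a suspicious attachment as an argument to match it against the embedded strings and the 49,664-byte length. A size match alone is weak evidence; the string hits are what tie a file to this worm.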