VIRUS NAME: W32/Shrew@MM
Internet Worm Characteristics
This mass-mailing worm is also a utility (dubbed 'Active Mouse' by its
author), designed to simulate activity on the host machine. However, once
running, it also mails itself to recipients listed in the Outlook Address
Book.
The email messages contain the following information:
Subject: Try this, pretty cool
Attachments: ActiveM.exe (and list.txt if this list exists)
The worm is hardcoded with the filename 'ACTIVEM.EXE' and so if it is
renamed and executed, the only file attached to the email messages is
LIST.TXT (if this exists). The renamed copy of the worm was not attached
during testing.
Any additions made to LIST.TXT by successive victims will get propagated
with this worm, so the length of this text file is unpredictable.
Symptoms
Existence of the 'Active Mouse' application on the machine. The application
consists of a single Visual Basic 6 binary 61,440 bytes in length.
Method Of Infection
The worm spreads via email as an attachment, which must be executed in
order to further propagate from the victim machine.
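A mailbox or gateway triage check built from the message indicators described above, added here as an example and not part of the original advisory. The function names and the verdict labels ('worm', 'renamed-copy', 'review', 'clean') are assumptions, and the sample messages are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

SUBJECT = "try this, pretty cool"   # subject line given in the advisory
WORM_FILE = "activem.exe"           # hardcoded attachment name
LIST_FILE = "list.txt"              # travels with the worm when it exists

def classify(raw: bytes) -> str:
    """Hypothetical verdicts: 'worm', 'renamed-copy', 'review', 'clean'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = str(msg["Subject"] or "").strip().lower() == SUBJECT
    # Compare names case-insensitively: the advisory writes both
    # 'ActiveM.exe' and 'ACTIVEM.EXE'.
    names = {(p.get_filename() or "").lower() for p in msg.iter_attachments()}
    if subject_hit and WORM_FILE in names:
        return "worm"
    # A renamed copy mails only LIST.TXT, so the executable is absent.
    if subject_hit and names == {LIST_FILE}:
        return "renamed-copy"
    # One indicator alone is not conclusive; queue for an analyst.
    if subject_hit or WORM_FILE in names:
        return "review"
    return "clean"

def make_sample(subject: str, files: list[str]) -> bytes:
    """Build a constructed test message with dummy attachment bodies."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    for name in files:
        msg.add_attachment(b"dummy", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for subj, files in [("Try this, pretty cool", ["ActiveM.exe", "list.txt"]),
                        ("Try this, pretty cool", ["LIST.TXT"]),
                        ("Quarterly report", ["report.pdf"])]:
        print(subj, files, "->", classify(make_sample(subj, files)))
```

The 'renamed-copy' branch covers the case noted above where only LIST.TXT is attached, which a filter keyed solely on the executable's name would miss.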