This mass-mailing worm drops a BackDoor trojan (BackDoor-AAF) on Windows NT/2K/XP systems. The worm itself carries no destructive payload. It arrives in an email message containing the following:
Subject: new photos from my party!
Body: Hello!
My party... It was absolutely amazing!
I have attached my web page with new photos!
If you can please make color prints of my photos. Thanks!
Attachment: www.myparty.yahoo.com (29,696-byte PE file)
The attachment name may trick some users into thinking that clicking the file will take them to a Yahoo website. Certain email clients, especially those that underline the filename, render this attachment more like a URL than the Microsoft Outlook example above, where it is more clearly distinguishable as a file. The attachment is an executable with a .COM extension (the final ".com" of the name is the file extension), not a URL. Running the attachment infects the local machine.
On Windows 9x/ME
If the date is between January 25 and 29, 2002, the worm copies itself to C:\Recycled\regctrl.exe and executes that file.
On Windows NT/2K/XP
If the date is not between January 25 and 29, 2002, the worm copies itself to C:\Recycled as F-[random number]-[random number]-[random number], with no extension.
If the date is between January 25 and 29, 2002, the worm copies itself to C:\regctrl.exe and drops the file MSSTASK.EXE in the Startup folder. MSSTASK.EXE is the BackDoor-AAF trojan. After the initial file is run, it is deleted. If the executable's filename is ACCESS, the user is directed to the www.disney.com website.
The worm only attempts to mass-mail itself on January 25, 26, 27, 28 or 29, 2002. The user's default SMTP server is retrieved from the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\0000001
The worm uses this SMTP server to send itself to all addresses found in the Windows Address Book and within .DBX (Outlook Express mail store) files.
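Two checks a practitioner would want from the description above, written here as an added example (this is not code from the original post or from the vendor's description): a mail-side test for the lure, which generalises the "hostname-shaped attachment that is really a .COM file" trick to any executable extension, and a host-side classifier that maps a file path to the artifact the worm leaves (the Win9x copy, the two NT/2K/XP copies, and the Startup-folder backdoor). The trigger-window helper is included because it matters for triage: a sandbox whose clock is outside January 25-29, 2002 will see only the random-named copy in C:\Recycled and neither the mass-mailing nor the MSSTASK.EXE drop. All sample subjects, attachment names and paths below are constructed for the demonstration; the Startup-folder path is an assumed Windows 2000/XP profile location, not one quoted on the page.

```python
import re
from datetime import date
from pathlib import PureWindowsPath
from typing import List, Optional

# Extensions Windows runs directly on double-click. ".com" is the one the lure
# relies on; the others are listed so the same check catches similar disguises.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}

# A filename shaped like a hostname: three or more dot-separated labels of
# letters, digits or hyphens and nothing else (no spaces, no path separators).
HOSTNAME_LIKE = re.compile(r"^(?:[a-z0-9-]+\.){2,}[a-z0-9-]+$", re.IGNORECASE)

# Random-name copy written to C:\Recycled outside the trigger window on NT/2K/XP.
# The file has no extension, and the pattern allows no dot.
RECYCLED_RANDOM = re.compile(r"^F-\d+-\d+-\d+$", re.IGNORECASE)

KNOWN_SUBJECT = "new photos from my party!"
TRIGGER_START = date(2002, 1, 25)
TRIGGER_END = date(2002, 1, 29)


def in_trigger_window(day: date) -> bool:
    """True on the five days on which the worm mass-mails and drops the backdoor."""
    return TRIGGER_START <= day <= TRIGGER_END


def looks_like_url_but_is_executable(filename: str) -> bool:
    """True when an attachment name reads like a hostname but its last label is an
    extension Windows will execute (www.myparty.yahoo.com is a .COM file)."""
    name = filename.strip().lower()
    if not HOSTNAME_LIKE.match(name):
        return False
    return "." + name.rsplit(".", 1)[1] in EXECUTABLE_EXTENSIONS


def scan_message(subject: str, attachment_names: List[str]) -> List[str]:
    """Return the reasons a message matches this lure; an empty list means no match."""
    findings = []
    if subject.strip().lower() == KNOWN_SUBJECT:
        findings.append("subject matches the known lure")
    for att in attachment_names:
        if looks_like_url_but_is_executable(att):
            findings.append(f"attachment {att!r} is named like a URL but is executable")
    return findings


def classify_host_artifact(path: str) -> Optional[str]:
    """Map a file path found on a host to the worm artifact it corresponds to,
    or None when it matches none of the paths in the description."""
    p = PureWindowsPath(path)
    parents = [part.lower() for part in p.parts[:-1]]   # e.g. ['c:\\', 'recycled']
    name = p.name.lower()
    if name == "regctrl.exe" and parents == ["c:\\", "recycled"]:
        return "win9x copy (C:\\Recycled\\regctrl.exe)"
    if name == "regctrl.exe" and parents == ["c:\\"]:
        return "winnt copy inside trigger window (C:\\regctrl.exe)"
    if parents == ["c:\\", "recycled"] and RECYCLED_RANDOM.match(name):
        return "winnt copy outside trigger window (C:\\Recycled\\F-n-n-n)"
    if name == "msstask.exe" and "startup" in parents:
        return "BackDoor-AAF dropped in Startup folder (MSSTASK.EXE)"
    return None


# Constructed samples: one lure message, one benign message, and a handful of paths.
SAMPLE_MESSAGES = [
    ("new photos from my party!", ["www.myparty.yahoo.com"]),
    ("Re: budget", ["q3.xlsx"]),
]
SAMPLE_PATHS = [
    r"C:\Recycled\regctrl.exe",
    r"C:\regctrl.exe",
    r"C:\Recycled\F-12345-67890-24680",
    # Assumed profile path for the Startup folder on Windows 2000/XP.
    r"C:\Documents and Settings\Alice\Start Menu\Programs\Startup\MSSTASK.EXE",
    r"C:\Windows\notepad.exe",
]

if __name__ == "__main__":
    for subject, atts in SAMPLE_MESSAGES:
        print(subject, "->", scan_message(subject, atts) or "clean")
    for path in SAMPLE_PATHS:
        print(path, "->", classify_host_artifact(path))
    print("analysis clock inside trigger window:", in_trigger_window(date.today()))
```

The mail check deliberately keys on the shape of the name rather than on the literal "www.myparty.yahoo.com", so it also flags a later sample that swaps in a different fake hostname; the host classifier is exact on the paths the description gives, because a loose match on regctrl.exe anywhere on disk would be noisier than it is useful.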