Upon execution, this worm drops the following files in the current directory where it is executed:
The random filename, %Filename%, is chosen from the following list:
- Anti 0190 Dialer
- Borland Delphi 6 Key
- Borland Delphi(all) Crack
- Britney Spears Nude
- Cube Emulator
- Email Bomber
- FTP Cracker
- Hotmail Hacker Tool
- Jenifer Lopez Naked
- Ps2 Crack
- Ps2 Emulator
- Shakira Nude
- WinMx Hack
- XBox Emulator
%Filename2%.THEME can take any of the following filenames:
- Shakira Nude.theme
The .SCR, .EXE, and .PIF files are copies of this worm. The dropped files %Filename%.BAT, %Filename2%.THEME, and TEMP.THEME are non-malicious files and are actually copies of a batch file that contains these two lines:
The file, EMAIL.TXT, contains email addresses that this worm collects from files in the Temporary Internet folder.
This worm also attempts to download a utility file from the URL:
It saves this file as the dropped file, ZIPPY.EXE, in the current directory. If the download is unsuccessful, the same file is left with no content and a file size of zero.
This worm also drops a copy of itself in the Windows directory as kn0x.exe. It then adds the following registry entry so that this dropped copy executes at every Windows startup:
WinSrv = "%Windows%\kn0x.exe"
*Where %Windows% is the Windows directory, which is usually C:\Windows or C:\WINNT.
The worm checks for the presence of the following folders:
- C:\KaZaA\My Shared Folder\
- C:\Program Files\KaZaA\My Shared Folder\
If either folder is found, it drops at least one of the following copies of itself in that folder:
- All GamesHack.exe
- Credit Cards.exe
- ICQ Password Hack.exe
- Macromedia Flash MX.exe
- Swat 3 Full Download.exe
- Unreal Tournament 3 FullDownloader.exe
- WarCraft III Full.exe
- WIN XPCrack.exe
This worm also assigns the filename for its email attachment from the above list.
This worm uses its own SMTP engine and gets the default SMTP server of the infected machine. It tries to send e-mail to addresses that it has logged in the file EMAIL.TXT. It was designed to send email with the following characteristics:
Message Body: files for you - from <Infected user's name>
Attachment: <dropped copy of this worm>
However, due to several bugs in its code, it fails to execute this mass-mailing routine.
This worm contains the text strings:
(c) thynK - tac1
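
The traces described above (the kn0x.exe copy in the Windows directory, the WinSrv startup value, and the copies in the KaZaA shared folders) can be checked on a mounted or copied system volume with a short triage script. This is an added example, not part of the original description; the function names, the `root` argument and the sample registry text are assumptions, and the registry key is a placeholder because the description gives only the value name and data.

```python
import re
from pathlib import Path, PureWindowsPath

# Names below come from the write-up; everything else is illustrative.
P2P_BAIT = {"all gameshack.exe", "credit cards.exe", "icq password hack.exe",
            "macromedia flash mx.exe", "swat 3 full download.exe",
            "unreal tournament 3 fulldownloader.exe", "warcraft iii full.exe",
            "win xpcrack.exe"}
KAZAA_DIRS = ("KaZaA/My Shared Folder", "Program Files/KaZaA/My Shared Folder")
WINDOWS_DIRS = ("Windows", "WINNT")

# Constructed sample of exported registry text. The key name is a placeholder
# because the write-up gives only the value name and data, not the key path.
SAMPLE_REG = r'''[PLACEHOLDER_KEY]
"WinSrv"="C:\\WINNT\\kn0x.exe"
"Updater"="C:\\Program Files\\Example\\update.exe"
'''

def _children(folder):
    """Map lower-cased name -> Path; Windows file names are case-insensitive."""
    if folder is None or not folder.is_dir():
        return {}
    return {p.name.lower(): p for p in folder.iterdir()}

def _resolve(root, rel):
    """Follow rel under root, matching every component case-insensitively."""
    cur = Path(root)
    for part in rel.split("/"):
        cur = _children(cur).get(part.lower())
    return cur

def scan_drive(root):
    """Return findings for a mounted or copied C: volume rooted at `root`."""
    hits = []
    for d in WINDOWS_DIRS:
        if "kn0x.exe" in _children(_resolve(root, d)):
            hits.append(f"startup copy: {d}/kn0x.exe")
    for d in KAZAA_DIRS:
        for name in sorted(P2P_BAIT & set(_children(_resolve(root, d)))):
            hits.append(f"shared-folder copy: {d}/{name}")
    return hits

def scan_reg_export(text):
    """Return data of any WinSrv value pointing at kn0x.exe, under any key."""
    found = []
    for m in re.finditer(r'^"WinSrv"="(.*)"\s*$', text, re.I | re.M):
        data = m.group(1).replace("\\\\", "\\")  # undo .reg escaping
        if PureWindowsPath(data).name.lower() == "kn0x.exe":
            found.append(data)
    return found
```

Registry exports are often UTF-16; decode the file to text before passing it to `scan_reg_export`.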