This multithreaded worm uses its own SMTP (Simple Mail Transfer Protocol) engine to send copies of itself. It also propagates via network-shared drives and folders.
This worm arrives as a UPX-compressed file. Upon execution, it drops a copy of itself in the Windows system directory using a 4-character, semi-randomly generated file name.
To ensure its automatic execution every system startup, it adds the following randomly-named registry entry:
<random string> = %System%\<random filename>.EXE
(Note: %System% is the Windows system, which is usually C:\Windows\System or C:\WINNT\System32.)
To further ensure that it executes at startup, this worm copies itself in the Windows Startup folder using a 3-character, randomly-generated file name. It uses the following registry entry to find the location of the Startup folder:
This worm also drops three .DLL files with random file names in the Windows system folder and two .DAT files with random file names in the Windows folder.
One of the dropped .DLL files is the a keylogger component. The other dropped files are encrypted non-malicious files that contain data, such as gathered email addresses, passwords and keystrokes.
After installing itself on the system, this worm creates several threads that behave as the following:
- Local network infector
- Backdoor server
- Antivirus and security programs killer
- Password stealer
It usually sets up the fifth thread on its initial execution to send out cached system passwords and logged keystrokes to certain email addresses.
This worm uses its own Simple Mail Transport Protocol (SMTP) engine and reads the following registry key to obtain an SMTP server:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\
It obtains the list of email addresses from cached email messages, address books, and mail boxes found on the infected machine. It searches the whole root drive of the infected machine for files bearing the following substrings to find such repositories:
This worm carries with it three similar SMTP engines to supplement its communication activities. It uses two of the engines to send forged emails containing an encoded version of the worm to selected email addresses.
The two SMTP engines send out email messages with spoofed sender information, no message body, and any of these possible subjects:
- $150 FREE Bonus!
- 25 merchants and rising
- bad news
- CALL FOR INFORMATION!
- click on this!
- Confirmation of Recipes�
- Correction of errors
- Daily Email Reminder
- empty account
- free shipping!
- Get 8 FREE issues - no risk!
- Get a FREE gift!
- history screen
- I need help about script!!!
- its easy
- Just a reminder
- Lost & Found
- Market Update Report
- Membership Confirmation
- My eBay ads
- New bonus in your cash account
- New Contests
- new reading
- Payment notices
- Please Help...
- SCAM alert!!!
- Sponsors needed
- Today Only
- Tools For Your Online Business
- Your Gift
- Your News Alert
The worm has the option to pick email messages from an existing database of an infected system. It sends the forged email messages to the first 170 email addresses it finds. This worm ensures that it does not send an email to the currently infected user by checking the following registry entry for the email address that it needs to avoid:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\
Accounts\%Default Mail Account%
�SMTP Email Address�
The above registry entry usually refers to the current user�s email address.
It spoofs the FROM field of the email in two steps. First, it borrows the display name from the currently logged on user using the following registry entry:
Internet Account Manager\Accounts\%Default Mail Account%
�SMTP Display Name�
Then, it composes the actual address in the FROM and TO fields from the email addresses it has found.
It prepares the email attachment to contain its encoded form with SETUP.EXE as its default file name. There are instances, however, when this worm searches the user�s personal folder and gets the first file found in the folder. It appends the extensions SCR, PIF, or EXE to the file name of the found file to obtain the attachment name. This results in attachments with double extensions.
The path of this folder is usually "C:\My Documents" or "C:\ Documents and Settings\%User Name%\My Documents" and the worm obtains it from querying this registry entry:
Since the personal folder often contains a DESKTOP.INI file to hold customization settings for a given folder, the worm skips .INI files from the list of possible attachment names.
In the event that it does not find a file in the current user�s personal folder, it combines the following text strings with the SCR, PIF, or EXE extensions:
This worm�s two SMTP engines differ in the way they compose email.
One SMTP engine sends the encoded version of the worm on a plain email message with the content type �application/x-msdownload�.
The other SMTP engine has a content type of �audio/x-midi� and also formats the blank message body to contain html code that exploits the Incorrect Multipurpose Internet Mail Extensions (MIME) header vulnerability, which allows attachments of HTML-formatted email messages to automatically execute when a user reads or previews the email in Microsoft Outlook or Outlook Express. When the worm is executed upon previewing the email, it installs itself on the target system without prompting the target user. The Incorrect MIME header vulnerability is known to affect Microsoft Internet Explorer 5.01 and 5.5.
Note: More information on this exploit is available in the Microsoft article, Incorrect MIME Header Can Cause IE to Execute E-mail Attachment.
Local Network Infection
This worm spreads across local networks via shared folders. It has a thread that continually scans for shared network resources, which include shared folders. When it finds one, it attempts to copy itself as the following:
\\<Shared resource name>\%Startup%\<random filename>.exe
(Note: %Startup% refers to the path to the Startup folder of the infected machine. <random filename> is the same filename used by the file dropped in the Startup folder.)
It does not check the type of shared resource that it infects so that it also copies itself to other network resources such as printers. When this happens, it causes an accumulation of print jobs in the network printer queue. The print jobs associated with this worm have document sizes equal to the size of the worm.
Backdoor Server Component
This worm also behaves like a backdoor malware server. It opens port 36794 on the infected machine and allows remote users to connect to the opened port. The connecting remote users may perform any of the following actions on the infected machine:
- Download and execute files
- Copy/delete files
- List running process
- Kill running processes
- Find/Display files
- Setup an http server
- Return information on the infected machine
The returned information on the infected machine are as follows:
- Machine name
- Currently logged on user
- Processor type
- Operating system version and build
- Amount of memory available
- Specifications of storage media (hard drives, CD-ROM drives) and mapped network resources
- Listing of network resources visible from the infected machine � shared folders, domains, workstations, printers, etc.
Because of the complexity at which the instructions need to be sent to this backdoor server, it is possible that a client program exists to manipulate the worm.
Whenever the backdoor feature of this worm is set-off, usually when somebody attempts to connect to the listening port 36794, the following temporary files are created in the Windows temporary folder:
The dropped file, ~PHGGUM.TMP, contains a 20-character string, which is used by this backdoor worm as a session ID to communicate with its client. A connecting user cannot send commands to this worm without this ID.
This worm terminates the following processes, which are mostly antivirus applications, on target systems:
Keylogger Component and Password Stealer
This worm thread is commonly triggered when the worm is first run on the system. The worm gathers cached passwords on the system using system APIs.
It also uses its .DLL file component to intercepts keystrokes made on the infected machine and saves the keystrokes encrypted into the other dropped .DLL files. This keylogger component is also detected as WORM_BUGBEAR.A.
This worm sends the stolen passwords and the logged keystrokes, together with the machine name and name of the currently logged-on user to any of the following email addresses:
The subject of the notification email is the domain name obtained from the �SMTP Default Address� previously retrieved from the registry. Thus, if the default SMTP email address is �email@example.com,� then the subject of the email is �nowhere.�
The following text strings can be seen in this worm's body:
Analysis by: Daniel M. Biado