June 28, 2005
This worm spreads via the Internet as an attachment to infected emails.
The worm itself is a Windows PE EXE file of approximately 18KB, packed using UPX and written in Microsoft Visual C++.
The message subject is one of the following:
Approved, Hello, Hi, Important, My details, Re: Approved, Re: Hello, Re: Hi, Re: Important, Re: My details, Re: Request, Re: Thanks you!, Re: Your details, Re: Your document, Re: Your information, Request, Thank you!, Your details, Your document, Your information
The message body is one of the following:
Approved, here is the document.
For more details see the attached document.
For more information see the attached document.
Hello!
Here is the "...".
Here is the document.
Hi!
I have found the "...".
I have sent the "...".
I have spent much time for the "...".
I have spent much time for your document.
My "..." is attached.
My "...".
Note that I have attached your document.
Please have a look at the "...".
Please have a look at the attached document.
Please notice the attached "...".
Please notice the attached document.
Please read quickly.
Please read the "...".
Please read the attached document.
Please see the "...".
Please, "...".
See the document for details.
Thank you
Thanks
The "..." is attached.
The "...".
The requested "..." is attached!
Your "..." is attached.
Your "...".
Your file is attached to this mail.
Yours sincerely
The worm inserts a random phrase from the list below between the quotation marks:
abuse list, account, answer, approved document, approved file, archive, bill, concept, contact list, corrected document, description, detailed document, details, developement, diggest, document, e-mail, excel document, file, final version, homepage, icq number, important document, improved document, improved file, info, information, instructions, letter, list, mail, message, movie document, new document, note, notice, number list, old document, order, personal message, phone number, photo document, picture document, postcard, powerpoint document, presentation document, release, report, requested document, sample, secound document, story, summary, text, textfile, user list, word document
The attachment is a file with a .pif extension and a randomly generated name.
The worm is activated when the user opens the attached file.
Once launched, the worm installs itself on the system and starts propagating.
When installing, the worm copies itself to the Windows directory under the name EastAV.exe and registers this file in the system registry auto-run key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "EastAV"="%windir%\EastAV.exe"
The worm searches for files with the extensions listed below, harvests email addresses from them and sends copies of itself to all addresses found:
adb, asp, cfg, cgi, dbx, dhtm, doc, eml, htm, html, jsp, mbx, mdx, mht, mmf, msg, nch, ods, oft, php, pl, ppt, rtf, sht, shtm, stm, tbb, txt, uin, vbs, wab, wsh, xls, xml
The worm uses its own SMTP library to send messages.
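The mail characteristics above (fixed subject lines, a body built from a template with a quoted phrase, and a randomly named .pif attachment) can be matched at a mail gateway. The following Python is an added example, not code from the original description: the subject and body lists are taken from the text above, while the sample message, the attachment name and the function names are constructed for this illustration.

```python
import re
from email.parser import Parser

# Subject lines used by the worm, as listed in the description above.
WORM_SUBJECTS = {
    "Approved", "Hello", "Hi", "Important", "My details", "Request", "Thank you!",
    "Your details", "Your document", "Your information", "Re: Approved", "Re: Hello",
    "Re: Hi", "Re: Important", "Re: My details", "Re: Request", "Re: Thanks you!",
    "Re: Your details", "Re: Your document", "Re: Your information",
}
# A few of the body templates; "..." marks the slot the worm fills with a phrase.
BODY_TEMPLATES = [
    'Here is the "...".', 'I have found the "...".', 'My "..." is attached.',
    'The requested "..." is attached!', 'Your file is attached to this mail.',
]

def _template_regex(template):
    # Escape the fixed text; the "..." slot becomes any quoted phrase of words/spaces.
    parts = template.split('"..."')
    return re.compile(r'"[\w -]+"'.join(re.escape(p) for p in parts))

BODY_PATTERNS = [_template_regex(t) for t in BODY_TEMPLATES]

def worm_indicators(raw_message):
    """Names of the worm's mail characteristics found in a raw RFC 822 message."""
    msg = Parser().parsestr(raw_message)
    hits = []
    if (msg.get("Subject") or "").strip() in WORM_SUBJECTS:
        hits.append("known subject")
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(".pif"):
            hits.append("pif attachment")
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("latin-1", "replace")
            if any(rx.search(body) for rx in BODY_PATTERNS):
                hits.append("template body")
    return hits

def is_worm_message(raw_message):
    # A .pif attachment plus the worm's subject or body text is a strong match.
    hits = worm_indicators(raw_message)
    return "pif attachment" in hits and len(hits) >= 2

# Constructed sample: the worm's template with "word document" filled in.
SAMPLE_WORM_MAIL = (
    "Subject: Re: Your document\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n--b1\r\n'
    'Content-Type: text/plain\r\n\r\nThe requested "word document" is attached!\r\n'
    "--b1\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="kq83zd.pif"\r\n\r\nMZ-placeholder\r\n--b1--\r\n'
)
```

Extending BODY_TEMPLATES with the remaining lines from the list above covers the full set of bodies the worm generates.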
Depending on the local system date, the worm attempts to conduct DoS attacks on the following sites:
www.cracks.am, www.emule.de, www.freemule.net, www.kazaa.com, www.keygen.us