Alias: I-Worm.Desos.a, PE_MOE.A, W32/onamu@MM, W95/Onamu.A@mm, W95.Stoogy.6031
Type: Worm
Size: 38,922 Bytes or 38,931 Bytes
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version:
Danger: Low
Distribution: Low

Distribution
Worm/Desos searches for email addresses in .ht* files and in the Windows Address Book. The email sent by the worm has the following structure:

Subject:
Seduccion
Humano
Musica
Mujer
Hombre
Confesion
Infidelidad
Belleza
Relaciones casuales
Tus deseos
Mi secreto
La clave
Enojo
Perdon
Responde!
Cita
Papelon
Renuncio
Monstruo
Joven

From:
Name:
Mario
Enzo
Nadia
Gabriel
Federico
Andrea
Laura
Patricia
Osvaldo
Sofia
Sandra
Javier
Cristina
Pablo
Cecilia
Ariel
Silvia
Emilio
Flavia
Jorge

Initials:
E.
M.
O.
R.
T.
A.
H.
P.
L.

Surname:
Macchi
Rizzo
Rodriguez
Narvaez
Mosquera
Montagna
Miranda
Armitano
Kohan
Lewin
Machado
Miller
Ibarra
Gutierrez
Castro
Godoy
Ferreira
Ferrer
Chiappe
Chiesa

Sender's email address:
aldu5n_02@yahoo.com
mor8l_88@netscape.com
lime@illusive.org
lemax7@compuserve.com
xnto_678@hotmail.com
lecs2462@yahoo.com
4588bell@netscape.com
vvgro55@illusive.org
4653_trey@compuserve.com
wer937@hotmail.com

Body:
This is the patch you asked for.
Cap.3 El arte de provocar.
El Ser Humano que pudiste ser.
Esta es la musica que te prometi.
La mujer mas bella...
Un hombre entero.
Ya sabes que fui yo?.
Las imagenes de tu infidelidad.
No estas conforme con tu apariencia?
Esta es la lista para esta semana.
Si te conforman, puedo enviar mas.
Recorda tu promesa!
No la vuelvas a perder, no abuses.
Cuando veas esto, se te pasa.
Crei que ya lo habia enviado.
Nunca respondiste. No seas cruel.
Me gusto lo que enviaste. Si te gusta, arreglamos.
Te dije que es demasiado gorda. Mira!
No puedo mejorarlo, ya es perfecto.
Ahora te creo. Pobre mujer!
Disculpa, sos demasiado joven para mi.

Attachment:
S_Cap3.exe
Humano.exe
Music.exe
Mujer.exe
Hombre.exe
Confesion.exe
Infiel.exe
Belleza.exe
Listarc.exe
Deseos.exe
Secreto.exe
Clave.exe
Yo.exe
Feos.exe
Pasion.exe
Cita2.exe
Gorda.exe
Cuerpo.exe
Monstruo.exe

Technical Details
When the attachment is opened, the worm copies itself to the \Windir directory. For the file name, it uses 5 letters out of the following strings:
leginolasoPeyeguiEsmtpeglAdklityghbcxskalBxvqe
The file has the extension .exe.
The following registry entry ensures the autostart of the file:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Then it chooses 6 letters from the string: KeutlipoeRidewantResentriolamjOwertexpionKirtyun PEGALSOMANTIDENTUSENSATOAPLEUTOWKLEMICOSNLIGHDRTE
These are used as the name of a registry key under HKEY_LOCAL_MACHINE\Software\.
In this subkey, the worm creates two entries in which it saves internal information. The names of these entries are also composed of random letters. For example:
the registry entry is HKEY_LOCAL_MACHINE\Software\poeRid
and the names are MANTIDE and OMANTID.
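
The naming scheme above can be turned into a triage check for a suspect system. The following is an added example, not part of the original description or of any Avira tool; it assumes the letters are taken as a contiguous, case-preserved run from the strings (which matches the poeRid / MANTIDE / OMANTID example), and all function names and the sample listing are constructed for illustration.

```python
# Letter pools copied from the description above.
FILE_POOL = "leginolasoPeyeguiEsmtpeglAdklityghbcxskalBxvqe"
KEY_POOLS = ("KeutlipoeRidewantResentriolamjOwertexpionKirtyun",
             "PEGALSOMANTIDENTUSENSATOAPLEUTOWKLEMICOSNLIGHDRTE")


def slices(pool, n):
    """All contiguous n-character runs of pool (assumption: runs are contiguous)."""
    return {pool[i:i + n] for i in range(len(pool) - n + 1)}


FILE_STEMS = slices(FILE_POOL, 5)                            # 5-letter file names
KEY_NAMES = slices(KEY_POOLS[0], 6) | slices(KEY_POOLS[1], 6)  # 6-letter key names


def is_candidate_file(name):
    """True for '<5 pool letters>.exe'; the match is case-sensitive on the stem."""
    stem, dot, ext = name.rpartition(".")
    return dot == "." and ext.lower() == "exe" and stem in FILE_STEMS


def value_from_pool(name):
    """True if a value name is a run of letters taken from one of the key pools."""
    return len(name) >= 5 and any(name in pool for pool in KEY_POOLS)


def score_key(name, value_names):
    """0 = no match, 1 = key name matches, 2 = also holds exactly two pool-named values."""
    if name not in KEY_NAMES:
        return 0
    pooled = [v for v in value_names if value_from_pool(v)]
    return 2 if len(value_names) == 2 and len(pooled) == 2 else 1


def triage(windir_files, software_keys):
    """windir_files: file names in \\Windir; software_keys: {subkey: [value names]}."""
    files = sorted(f for f in windir_files if is_candidate_file(f))
    keys = {k: s for k, v in software_keys.items() if (s := score_key(k, v))}
    return files, keys


# Constructed sample listing (not taken from a real system).
SAMPLE_FILES = ["notepad.exe", "guiEs.exe", "regedit.exe", "guiEs.dll"]
SAMPLE_KEYS = {"Microsoft": [], "poeRid": ["MANTIDE", "OMANTID"], "Classes": []}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_KEYS))
```

A hit is only a lead: confirm it against the Run key listed above and a scanner verdict before treating the file or key as belonging to the worm.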

The worm looks for email addresses in all files of type .ht* and uses these addresses for its mass-mailing list. The virus component then infects .exe and .scr files, but this infection does not contain the worm components.

Description created by Crony Walker on Tuesday, June 15, 2004
