Virus: Worm/Samony.B.3
Date discovered: 24/10/2005
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Low
Static file: Yes
File size: 3.173 Bytes
MD5 checksum: 15740c6fb5814c032d534b9d34bb4ae1
VDF version: 6.32.00.110

General Method of propagation:
   • Email


Aliases:
   • Symantec: W32.Looksky.A@mm
   • Kaspersky: Email-Worm.Win32.Loosky.A
   • TrendMicro: WORM_LOOKSKY.A
   • Bitdefender: Win32.Loosky.A@mm


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Uses its own Email engine

Files:
The following file is created:

– A temporary file that may be deleted afterwards:
   • %malware execution directory%\temp.bak

Email:
The worm contains an integrated SMTP engine that it uses to send emails, establishing a direct connection to the recipient's mail server rather than going through the user's configured mail client. The characteristics of the email are described in the following:


From:
The sender address is the user's Outlook account.


To:
– Email addresses gathered from WAB (Windows Address Book)


Subject:
The following:
   • Skylook for Skype



Body:
– Contains HTML code.
The body of the email is the following:

   • Hello, You asked me to send you Skylook - here it is:
     
     With Skylook, you can get 1 hour of world-wide calls FREE!
     
     Skype? Voice Calls (as MP3), Instant Messages, Email, Appointments, Contacts all organized and under control in Microsoft? Outlook?!
     
     Halloween Special!
     
     Try it before October 31 and receive 1 hour of free world-wide calls (SkypeOut). Also You`ll get 40% off a business license or 30% off a home license.
     
     Use Skylook 1.0 to record Skype? VoIP Calls to MP3!
     
     Skylook attache


Attachment:
The filename of the attachment is:
   • skylook_1.exe

The attachment is a copy of the malware itself.

The attachment is a copy of the created file %malware execution directory%\temp.bak.
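The indicators listed in the Email and Attachment sections above (subject line, attachment filename and the MD5 checksum from the header) can be checked by a mail filter. The following is an added example, not part of the original description: it parses a raw RFC 822 message with Python's standard `email` module and reports which indicators match. The sample message is constructed here; its attachment is a harmless placeholder, so only the weak indicators (subject and filename) match, while the MD5 indicator, the only one that identifies the file itself, does not.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above.
KNOWN_MD5 = "15740c6fb5814c032d534b9d34bb4ae1"
KNOWN_SUBJECT = "Skylook for Skype"
KNOWN_ATTACHMENT = "skylook_1.exe"


def classify_message(raw: bytes) -> dict:
    """Return which Worm/Samony.B.3 indicators a raw email matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "attachment_name": False, "attachment_md5": False}
    if (msg.get("Subject") or "").strip() == KNOWN_SUBJECT:
        hits["subject"] = True
    # Only parts with Content-Disposition: attachment are yielded here;
    # the HTML body of the worm's email is not an attachment.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == KNOWN_ATTACHMENT:
            hits["attachment_name"] = True
        payload = part.get_payload(decode=True) or b""
        if hashlib.md5(payload).hexdigest() == KNOWN_MD5:
            hits["attachment_md5"] = True
    # The hash identifies the worm's static file; subject and filename
    # alone only justify quarantining for closer inspection.
    if hits["attachment_md5"]:
        hits["verdict"] = "match"
    elif hits["subject"] and hits["attachment_name"]:
        hits["verdict"] = "suspicious"
    else:
        hits["verdict"] = "clean"
    return hits


def build_sample(subject: str = KNOWN_SUBJECT, filename: str = KNOWN_ATTACHMENT) -> bytes:
    """Construct a test message shaped like the one described (placeholder attachment)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content("<html><body>Hello, You asked me to send you Skylook - here it is:</body></html>",
                  subtype="html")
    # Constructed placeholder bytes, not the worm's executable.
    m.add_attachment(b"MZ placeholder, constructed for testing",
                     maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()
```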



The email looks like the following:


File details:
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
   • FSG

Description inserted by Iulia Diaconescu on Wednesday, October 26, 2005
Description updated by Iulia Diaconescu on Thursday, October 27, 2005
