Alias: W32.Snapper.A@mm, I-Worm.Snapper [Kaspersky], W32/Snapper@MM [McAfee], Snapper [F-Secure]
Type: Worm
Size: 9kB
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version: 6.23.00.00
Danger: Low
Distribution: Low

Distribution
The worm uses its own SMTP engine to send itself to email addresses from the Windows Address Book. The email contains:
Subject: Re:
Body: HTML code, which appears empty in most email clients.

Technical Details
Worm/Snapper.A contains a .dll file, which may be found as:
%WinDIR%\ieload.dll
%SystemDIR%\ieload.dll

If ieload.dll is loaded, the worm copies itself as %System%\ieload.dll and registers itself as a Browser Helper Object:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%random clsid%
HKEY_CLASSES_ROOT\CLSID\%random clsid%

%random clsid% is a random entry of the form "{########-####-####-####-############}".
The worm is activated every time Internet Explorer starts.

To save its configuration information, the worm creates the following entries:
HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Internet Settings\PopupsLoaded
HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Internet Settings\TimerTicks
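
As an added example (not part of the original description or of any Avira tool): because the CLSID is random, a check has to follow each Browser Helper Object CLSID to the DLL it loads. This Python script does that over the text of a registry export and also reports the two configuration entries; the sample export, the standard COM `InprocServer32` layout and the function names are assumptions.

```python
import re

# Constructed sample: decoded text of a .reg export, not data from a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\ieload.dll"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\toolbar.dll"

[HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PopupsLoaded"=dword:00000003
"TimerTicks"=dword:0000012c
"""

CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: data}}."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and "=" in line:
            name, data = line.split("=", 1)
            # .reg files double the backslashes inside quoted strings
            cur[name.strip('"').lower()] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_snapper_traces(text):
    """Flag BHOs whose COM server is ieload.dll, plus the worm's config entries."""
    keys, hits = parse_reg(text), []
    for path, values in keys.items():
        clsid = CLSID_RE.search(path)
        if "\\browser helper objects\\" in path and clsid:
            # CLSID is random: follow it to its DLL (assumed COM InprocServer32 key)
            server = keys.get("hkey_classes_root\\clsid\\%s\\inprocserver32" % clsid.group(), {})
            if server.get("@", "").lower().endswith("\\ieload.dll"):
                hits.append(("bho", clsid.group(), server["@"]))
        if path.startswith("hkey_current_config\\") and "\\internet settings" in path:
            for marker in ("popupsloaded", "timerticks"):  # value or subkey name
                if marker in values or path.endswith("\\" + marker):
                    hits.append(("config", marker, path))
    return hits
```

Real `.reg` exports are UTF-16 encoded, so decode the file before passing its text to `find_snapper_traces`. A match on the file name alone is an indicator to investigate, since the description lists both %WinDIR% and %SystemDIR% as locations.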

The worm then terminates the following processes:
NAVAPW32.EXE
CCAPP.EXE
OUTPOST.EXE
SPIDERML.EXE

The worm regularly opens a website on TCP port 80.
When the HTML file of the email is opened, a file named Banner.htm is downloaded. This is an empty web page that contains a link to the worm. The page uses the Internet Explorer Object Tag vulnerability (described in Microsoft Security Bulletin MS03-032) and downloads a malicious HTML file named Htmlhelp.cgi. This file contains a copy of the worm and a VBScript, which installs the worm as %WinDIR%\ieload.dll.
Description inserted by Crony Walker on Tuesday, June 15, 2004
