Alias:
Type: Worm
Size: 18,200 Bytes
Origin:
Date: 09-09-2004
Damage: It sends a worm copy by email and it drops a Trojan.
VDF Version: 6.27.00.52
Danger: Medium
Distribution: Medium

General Description
Operating Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003

Distribution
The worm looks for email addresses in files with the following extensions:
wab
xls
vbs
uin
txt
tbb
stm
sht
php
msg
mht
jsp
htm
eml
dht
dbx
cgi
cfg
asp

The worm sends itself to the email addresses found. The email contains:
Subject:
hello
here
hi
Hi!
important
Information
my
News
Notice again
Private document
Re: Hello
Re: Hi
Re: Message
Re: Proof of concept
Re: Question
Re: Status
Re: Your document
read it immediately
Thank you!
thanks!
You win!

The body begins with one of the following lines:
apply patch.
Can you confirm it? You win!
For further details see the attachment.
For more details see the attachment.
fun game!
fun photos
fun!
game
I have attached document.
lol!
Monthly news report.
New game
Please confirm the document.
Please confirm! Please answer quickly!
Please read the attached file!
Please read the attached file.
Please read the attachment.
Please read the document.
Please read the important document.
Please see the attached file for details
relax
Run this exe apply this patch!
screensaverlol!
See attached file for details.
See the file.
Thanks!
Virus removal tool
Waiting for a Response.
You are infected by virus.
Your archive is attached.
Your requested mail has been attached.

Most of the emails also contain the following last line:
+++ Attachment: No Virus found

followed by one of the lines below:
+++ Norton AntiVirus - www.symantec.de
+++ F-Secure AntiVirus - www.f-secure.com
+++ Norman AntiVirus - www.norman.com
+++ Panda AntiVirus - www.pandasoftware.com
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ MC-Afee AntiVirus - www.mcafee.com
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ MessageLabs AntiVirus - www.messagelabs.com
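
The subject lines and the fake "No Virus found" trailer listed above can be checked at a mail gateway or during mailbox triage. The following Python code is an added example, not part of the original description; the function names, the constructed sample message, and the rule that the trailer plus any attachment counts as suspicious are assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Fake "scanned clean" trailer from the description: a fixed line, then a vendor line.
FOOTER_RE = re.compile(
    r"^\+\+\+ Attachment: No Virus found[ \t]*\n"
    r"\+\+\+ (?P<vendor>[\w-]+) AntiVirus - www\.[\w.-]+[ \t]*$",
    re.MULTILINE,
)
# Subject lines listed in the description, lowercased for comparison.
SUBJECTS = set(
    "hello|here|hi|hi!|important|information|my|news|notice again|"
    "private document|re: hello|re: hi|re: message|re: proof of concept|"
    "re: question|re: status|re: your document|read it immediately|"
    "thank you!|thanks!|you win!".split("|")
)

def triage(raw: bytes) -> dict:
    """Score one RFC 5322 message against the indicators in this description."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().replace("\r\n", "\n") if part else ""
    footer = FOOTER_RE.search(body)
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    return {
        "fake_footer": footer is not None,
        "claimed_vendor": footer.group("vendor") if footer else None,
        # Weak signal on its own: subjects such as "hi" are common in clean mail.
        "known_subject": (msg["Subject"] or "").strip().lower() in SUBJECTS,
        "attachments": attachments,
        # A body claiming its own attachment was scanned clean is the strong signal.
        "suspicious": footer is not None and bool(attachments),
    }

def build_sample() -> bytes:
    """Constructed test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "rcpt@example.com"
    m["Subject"] = "Re: Your document"
    m.set_content("Please read the attached file.\n\n"
                  "+++ Attachment: No Virus found\n"
                  "+++ Kaspersky AntiVirus - www.kaspersky.com\n")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="sample.bin")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

Because only most of the emails carry the trailer, a message without it is not cleared by this check.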

Technical Details
We are currently analysing the worm...

After activating the worm, the following registry entries are made:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSPF"="\\winspf32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent]
"Version"="FrankenShteiN"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
"Version"="FrankenShteiN"

Worm copies are created in the following directories:
%sysdir%\winspf32.exe
%startup%\rx32hh00.exe

The worm also contains the string: "We searching 4 work in AV industry."

Description inserted by Crony Walker on Tuesday, June 15, 2004
