I-Worm.Tanatos.a, W32/BugBearQMM, W95/BugBear.A@mm, W32.BugBear@mm
50,688 bytes, UPX-packed, or
Spreads by email and over shared networks; includes a keylogger function.
The worm sends itself to all email addresses it can find on the local system. It uses words and file names collected from the system to name its emails.
The emails can look like this, or they can be formed out of arbitrary text lines:
25 merchants and rising
CALL FOR INFORMATION!
click on this!
Correction of errors
Daily Email Reminder
Get 8 FREE issues - no risk!
Get a FREE gift!
I need help about script!!!
Just a reminder
Lost & Found
Market Update Report
My eBay ads
New bonus in your cash account
Re: $150 FREE Bonus!
Tools For Your Online Business
Your News Alert
Body: it is variable.
Attachment: it is also variable, but it can be formed out of the following texts:
It has a double extension: .doc.pif
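A mail-gateway style check for the two email traits described above (listed subject lines and a double-extension attachment), as an added example that is not part of the original description. The function names, the sample messages and every extension other than .doc.pif are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines listed in the description (lowercased); a weak hint on its own,
# because the worm can also build subjects from arbitrary text.
LISTED_SUBJECTS = {s.lower() for s in (
    "25 merchants and rising", "CALL FOR INFORMATION!", "click on this!",
    "Correction of errors", "Daily Email Reminder", "Get 8 FREE issues - no risk!",
    "Get a FREE gift!", "I need help about script!!!", "Just a reminder",
    "Lost & Found", "Market Update Report", "My eBay ads",
    "New bonus in your cash account", "Re: $150 FREE Bonus!",
    "Tools For Your Online Business", "Your News Alert")}
# The page names .doc.pif; the other extensions are assumptions that generalize it.
DECOY_EXTS = {"doc", "xls", "txt", "jpg"}
EXEC_EXTS = {"pif", "exe", "scr"}

def has_double_extension(filename: str) -> bool:
    """True for names like report.doc.pif: a document extension hiding an executable one."""
    parts = filename.strip().lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in EXEC_EXTS

def triage(raw: bytes) -> list[str]:
    """Return the indicators a raw RFC 5322 message matches (empty list = none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if str(msg["Subject"] or "").strip().lower() in LISTED_SUBJECTS:
        findings.append("listed-subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if has_double_extension(name):
            findings.append(f"double-extension:{name}")
    return findings

def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message with a harmless placeholder attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed body text")
    msg.add_attachment(b"placeholder, not a real payload", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample("Just a reminder", "report.doc.pif")))
    print(triage(build_sample("Quarterly numbers", "notes.doc")))
```

The double-extension finding is the stronger signal; a listed subject alone should only raise the score of a message, since the subjects are ordinary phrases.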
The worm tries to copy itself as an .exe file to network-connected computers.
When activated, the worm copies itself as an .exe file into the Windows system directory. For example:
It changes the registry entry for automatic start:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce "%random letters%" = %random filename%.EXE (Win9x)
The worm copies itself as an .exe file into the startup directory. For example:
C:\Documents and Settings\(username)\Start Menu\Programs\Startup\CYC.EXE
The worm opens port 36794 TCP on the computer and tries to terminate active processes on the system. It creates a .dll named PWS-Hooker.dll.
Description inserted by Crony Walker on Tuesday, June 15, 2004