i-worm.beglur.-def1
Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.
Description:
Details
I-Worm.Beglur.b
This is a worm which spreads via the Internet and local networks as an attachment to infected emails. The worm itself is a Windows PE EXE file of approximately 20KB. The file is compressed using UPX and Yoda, and the uncompressed size is approximately 35KB. It is written in Visual C++ The worm has the following 'copyright' text string:
W32.Narita
Infected messages will contain text in the message fields which is randomly selected from the following:
From:
Microsoft support@microsoft.com
Terrorist George W. Bush president@whitehouse.gov
Terrorist Ariel Sharon pm_eng@pmo.gov.il
careless ch@care.net
media
Rumsfeld rumsfeld@pentagon.net
Maybank security@maybank2u.com
condemn fool@first.gov
Bin Laden osama@fbi.gov
BushScare president@white.gov
Subject:
Hi!
Bad news!
Free porn!
Report!
Hack me!
Bussiness
News!
Warning!
hello
Buy 1 Free 2
Need help!
plz!
Re:
great!
you are!
Your resume
Update
Spend Money
Too easy
oh wow
nice job!
High security
Command lineCreate own disk
keep the File
Help Section
Unknown Header
Possible Word
My Webs
Protokol
Compress Sample
Sensitive Name
Deliver
System Error
microsoft
installer
personal info
sample music
internet proxy
Message body:
check your attachment now!
(empty)
Hey! It's that what you want! I hope so! Check the file first then reply back if you have problem!
Alex Pravoks
For the truth of love! I have suprise to you! Please baby forgive me!
Ronn Elika
Oh my god! It's that you! Helo! Helo! So, this is gift for christmas day!
Orlian Jieg
Hello friend,
I have a problem here. I have encrypt the file that contain my message problem. The password is 'helpx'. Plz reply back!
A message you have received has been converte to an attachment. I sorry cause that problem.
The name of the attached file is also randomly selected, and will have one of the following extensions: .scr .pif .exe .com .bat
The worm uses the 'IFRAME' security breach to launch itself from infected messages.
Installation
The worm copies itself to the Windows system directory under a random name and registers the file in the SYSTEM.INI auto-run key in the [boot] section in the 'shell' key.
Distribution via email
To get victim email addresses the worm scans files with the following extensions: .TXT .MHT .HTM .HTML .EML .JSE .ASP .DBX .MBX .MMF .TBB .NCH .ODS .VCF .WAB
To send infected messages the worm uses a built-in SMTP engine.
Distribution via networks
The worm copies itself to shared network drives and to all logical drives under a random name, or named 'setup' or 'installer', with one of the following extensions: .scr .pif .exe .com .bat
Other
The worm contains a backdoor routine which will allow a hacker to create, delete, rename files and directories, and execute commands on affected machines.
The worm also attempts to terminate several anti-virus and firewall programs.
Copyright @2006 i-worm.beglur.-def1