i-worm.gopwor
Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.
Description:
Details
I-Worm.GOPWorm
This is a virus-worm that spreads via the Internet attached to infected e-mails and through a local network by copying to shared drives. The worm itself is a Windows PE EXE file about 60Kb in length (compressed by UPX), and it is written in Delphi Microsoft Visual C++.
The worm is an improved variant of the PSW Trojan {"GOPtrojan":Trojan_PSW_GOPtrojan}.
The infected message's Subject and Body are in Chinese. The attached file name is different, and has a double extension:
filename.jpg.exe
filename.jpeg.exe
filename.gif.exe
filename.txt.exe
filename.doc.exe
filename.rtf.exe
filename.bmp.exe
To run from an infected message, the worm uses an IFrame security breach.
While installing, the worm uses the same method as "GOPtrojan", the additional feature is an affected Registry key:
HKCR\exefile\shell\open\command
To send infected messages, the worm uses direct access to an SMTP server. The worm obtains victim e-mail addresses by scanning *.HTML, *.HTM, and *.JS files, as well as by scanning TheBat, Aerofox and RimArts e-mail databases.
Copyright @2006 i-worm.gopwor