This is an Internet worm that spreads as an attachment to infected e-mail messages, as well as via the Yahoo Pager and MSN Messenger instant messengers. The malware was written in Visual Basic, takes the form of a PE EXE file, and is 76,060 bytes in size (UPX-compressed; approximately 130 KB unpacked).

Infected e-mail messages

First type of infected e-mail message:

  • Subject:

    • <<~SEX~>>
    • Asses Mpeg's
    • FW: (-Sucking-)
    • FW: **Hot Movie**
    • FW: File - WebCam.mpeg
    • FW: Lesbian & gays Mpeg
    • Fw: My Funny Ass
    • FW:RE: Least *21* Years
    • FW:Re:Hot Erotic
    • Re: Double suck (movie)
    • RE: FW: Women Mpeg
    • Re: Why? Form Back.mpg
    • very hot XXX
    • Video Clip

  • Body:

    • Babe sucking black Dog MPEG
    • funny movie
    • hey guys my name is April Goostree i am a sexy 22 yr old bbw , 5'9, 48 dd , big ole booty, jus lovin life, until i get my pics posted in here you can either check out my profile or join my own yahoo group, either way works for me..i hope to become very active in this group, i like to get to know people, like to get on cam once in a while, jus to chill, when they aint none home..thats why its once in a while yaknow..anyways jus holla at me... n thanks for lettin me join!!! kisses kandee..Bye
    • Dozens of Free Video Clips to download.Many Niches. Updated regularly and more added daily.Taken From Vivi's Lovely Briefcase.
    • very good movie >>> Video's Media Player. SEX SEX * Sluts Tits Video Mpeg's Mpeg Video Clips
    • Cum and check this fun group out...Sexy ladies!! Come post your ad,..this is a real swingers group!! I'm attatching a Video Clip of my wife if interested in checking it out!
    • -==This server does not support Transfer Big Movies==- wo Hotttt gurls sucking a hansum cock Softly
    • Watch the Paris Hilton Sex Tape for Free!
    • Video's Girls Erotic WebCam's Tits Mpeg's Girls Ass SEX Pussy Video Clips
    • Here is another Vclip of my daily group :|
    • All kinda Women Can be Found Here To Satisfy Women Lovers' Eyes
    • u Love asses? Here is a great ass open wide waitin for ur lil Cock Bye
    • movie attached open by media Player 7.1
    • when i saw my ass i slept 3 hours why?? check my ass sorry my movie LOOOOOOOOL joke (^!^) Bye
    • Check This ?ucking Babe ;D ?ucking = Sucking=Fucking

  • Attachment name:

    • 17Ag_double_suck__part[2].MPEG_.scr
    • April_FromTexas.MPEG_.scr
    • Video_briefcase_Group[13].MPEG_.scr
    • Julia_1997_Fucking.MPEG_.scr
    • juanita_in_the_kitchen.MPEG.scr
    • After_2AM_small_room[4].MPEG__.scr
    • Graham_Hilton_Sex[4].MPEG__.scr
    • WebCam_12girls_Ass.mpeg_.scr
    • Shakira_Anal_very_old.MPEG.scr
    • why_fuck_anal_back.MPEG.scr
    • open_girl_21year.MPEG.scr
    • Ricky_Gay_ass.MPEG______________.scr
    • GrahamCluley_freakin_Ass_.MPEG__.scr
    • Sexual_Crimes.MPEG____.scr

Second type of infected e-mail message:

  • Subject:
    Fw: Virus Alert
  • Body:
    Dear User ,
    This is A very High Resk Virus Alert.
    This email is sent to you because one 
    or some of your friends has been 
    infected with The W32.BlackWorm.A@mm 
    Virus. And you could be infected too. 
    This Virus has the ability to damage 
    the hard disk. This Virus infects 
    computers using many new ways :
    1- it arrives as an email attachment 
    inside of jpg pictures.
    2- it infects the ip address without 
    the victim's knowledge.
    3- it infects Microsoft Word Documents 
    using a new exploit in hex 
    Symantec Consumer products that support 
    Worm Blocking functionality automatically 
    detect this threat as it attempts to spread.
    Symantec Security Response has attached 
    a removal tool to clean and prevent 
    the infections of W32.BlackWorm.A@mm.
    Norton AntiVirus

  • Attachment name:

    • SCAN.ZIP (contains the file FIX_BLACKWORM.COM)
    • SCAN.TGZ (contains the file FIX_BLACKWORM.COM)
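
Both message types rely on an attachment whose name hides an executable: a media-looking extension padded with underscores before `.scr`, or an archive carrying a `.COM` file. The following mail-filter check is an added example, not part of the original description; the extension lists and the function names are assumptions chosen for illustration.

```python
import io
import re
import tarfile
import zipfile

# Extensions Windows executes directly (assumed policy list, not from the page).
EXECUTABLE_EXT = {"scr", "com", "exe", "pif", "bat", "cmd"}
# Decoy extensions that make a file look like a video or picture (assumed list).
DECOY_EXT = {"mpeg", "mpg", "avi", "wmv", "jpg"}

# Matches name.<decoy><optional underscore padding>.<executable>
DISGUISED = re.compile(r"\.([a-z0-9]+)_*\.([a-z0-9]+)$", re.IGNORECASE)


def is_executable_name(name):
    """True when the final extension is one Windows runs directly."""
    return "." in name and name.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXT


def archive_members(name, data):
    """Return member names of a ZIP or gzip-compressed tar attachment, else []."""
    lower = name.lower()
    try:
        if lower.endswith(".zip"):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return zf.namelist()
        if lower.endswith((".tgz", ".tar.gz")):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
                return tf.getnames()
    except (zipfile.BadZipFile, tarfile.TarError, OSError):
        return []  # unreadable archive: leave to a separate policy
    return []


def classify_attachment(name, data=b""):
    """Return the list of reasons an attachment should be quarantined."""
    reasons = []
    m = DISGUISED.search(name)
    if m and m.group(1).lower() in DECOY_EXT and m.group(2).lower() in EXECUTABLE_EXT:
        reasons.append("decoy-extension")
    elif is_executable_name(name):
        reasons.append("executable")
    for member in archive_members(name, data):
        if is_executable_name(member):
            reasons.append("executable-in-archive:" + member)
    return reasons
```
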


When launched, the worm copies itself to the Windows system folder. To name the copy, the worm picks the name of one of the existing files and appends a space character to the end.

The malware then creates an auto-run key in the system registry.

On launch, the worm also starts Windows Media Player.


Victim addresses are harvested from the Yahoo and MSN Messenger contact lists, as well as from HTM and DBX files.

To send infected messages, the worm uses its own libraries (ossmtp.dll, oswinsck.dll).

Additional information

The worm deletes the following keys from the system registry, which prevents many antivirus programs from starting:

  • ccApp
  • ScriptBlocking
  • MCUpdateExe
  • VirusScan Online
  • MCAgentExe
  • VSOCheckTask
  • McRegWiz
  • McVsRte
  • PCClient.exe
  • PCCIOMON.exe
  • pccguide.exe
  • PccPfw
  • PCCIOMON.exe
  • tmproxy
  • McAfeeVirusScanService
  • NAV Agent
  • PCCClient.exe
  • Taskmon
  • KasperskyAv
  • system.
  • msgsvr32
  • Windows Services Host
  • Explorer
  • Sentry
  • ssate.exe
  • winupd.exe
  • au.exe
  • OLE

In addition, the worm attempts to carry out a DoS attack on the server