Archive - Topics from long ago

W32/Klexe@MM

30-06-2003, 14:37 by jubo, 1 reply
Internet Worm Characteristics:
This is a mass-mailing worm, which spreads via Microsoft Outlook.

It arrives with this email message:

Subject: Re:
Message: You received this email because you where sent a 'pass this on e-messenger card' through one of our valued partners. If you believe you received this message in error or would no longer like to receive e-mail from us click here
http://www.geocities.com/ecardmessenger/us.htm

To download your card click on the link below:

http://www.geocities.com/ecardmessenger/blocked.zip

P.S. If you received this message but do not know the sender or wish to unsubscribe or if you have any questions, please mail to services@emmsconline.com.


Clicking on the link downloads these two files:

- ecmsetup1.exe
- kl.exe

Running ecmsetup1.exe will send the above email message to all addresses from the Outlook Global Address List.

It copies kl.exe to the following:

- c:\windows\startm~1\programs\startup\Windows Explorer.exe
- d:\windows\startm~1\programs\startup\Windows Explorer.exe
- e:\windows\startm~1\programs\startup\Windows Explorer.exe
- f:\windows\startm~1\programs\startup\Windows Explorer.exe

It uses the default SMTP server to send a message to this address:

cardvict@rediffmail.com
The message contains the local machine name, IP address, username and current time.
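
A defender-side check built from the indicators in the description above, as an added example that is not part of the original post or of any vendor tooling: it flags mail that carries the two download links or is addressed to the reporting address, and directory-listing entries that match the Startup drop path. The sample messages, the example.test addresses and the long-name "Start Menu" variant of the path are constructed assumptions.

```python
import email
import re
from email import policy

# Indicators taken from the description above.
URL_INDICATORS = (
    "geocities.com/ecardmessenger/blocked.zip",
    "geocities.com/ecardmessenger/us.htm",
)
REPORT_ADDRESS = "cardvict@rediffmail.com"
# Drop path on drives c: to f:. Accepts the 8.3 name from the description
# and the long name "Start Menu" (assumption), case-insensitively.
STARTUP_DROP = re.compile(
    r"^[c-f]:\\windows\\(startm~1|start menu)\\programs\\startup"
    r"\\windows explorer\.exe$",
    re.IGNORECASE,
)

def scan_message(raw):
    """Return the indicators found in one RFC 822 message (as text)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    recipients = " ".join(
        str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])
    )
    if REPORT_ADDRESS in recipients.lower():
        hits.append("report-recipient")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content().lower() if part is not None else ""
    hits.extend("url:" + u for u in URL_INDICATORS if u in body)
    return hits

def scan_paths(paths):
    """Return the paths from a file listing that match the Startup drop."""
    return [p for p in paths if STARTUP_DROP.match(p.strip())]

# Constructed sample messages (not captured traffic).
SAMPLE_LURE = (
    "From: sender@example.test\nTo: user@example.test\nSubject: Re:\n\n"
    "To download your card click on the link below:\n"
    "http://www.geocities.com/ecardmessenger/blocked.zip\n"
)
SAMPLE_REPORT = (
    "From: user@example.test\nTo: cardvict@rediffmail.com\n"
    "Subject: constructed\n\nHOST01 192.0.2.10 alice 14:37\n"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE_LURE), scan_message(SAMPLE_REPORT))
```
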
Replies (1)
30-06-2003, 15:34 by Anonymous
Yes, and ????
This posting is locked. Replying is no longer possible.