Prevent Online Threats

Archive for December, 2006

I-Worm.Sobig

Thursday, December 28th, 2006

Details
I-Worm.Sobig.c

Sobig.c is a worm virus spreading via the Internet as an infected e-mail file attachment. The worm also spreads via network resources.
The worm itself is a Windows PE EXE file, written in Microsoft Visual C++, and compressed by the UPX compression utility. The file’s size is about 60K or higher when compressed with UPX, while the decompressed size is about 120K.
The worm is activated from infected email only if a user clicks on the attached file.
When run, the worm installs itself on the system and runs its spreading routine.
Installing
While installing the worm copies itself to the Windows directory under the name mscvb32.exe and registers itself in the system registry auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System MScvb = %WindowsDir%\mscvb32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System MScvb = %WindowsDir%\mscvb32.exe

Spreading: email
To send out infected messages the worm uses a direct connection to the default SMTP server.
To find victim email addresses, the worm looks for .TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on all available local drives and extracts email-like strings from the files it finds.
Message attributes include:
The “From” field has a fake email address, either one found on the particular infected machine or “bill@microsoft.com”.
Subject:
Re: Screensaver
Re: Movie
Re: Submited (004756-3463)
Re: 45443-343556B37DB6480EC9657E
Re: Approved
Approved78A85131
Re: Your application
Re: Application

Message Body:
Please see the attached file.

Attached file name:
screensaver.scr
movie.pif
submited.pif
45443.pif
documents.pif
approved.pif
application.pif
document.pif

The messages are also sent with attached files whose name is missing its last letter:

screensaver.sc
movie.pi
submited.pi
45443.pi
documents.pi
approved.pi
application.pi
document.pi

The Sobig.c worm also creates the file msddr.dat in the Windows directory and writes to this file the email addresses that were found on the infected machine.
Spreading via networks
The worm enumerates all accessible network resources (other computers on the network) and copies itself into their auto-start directories (if such subdirectories exist):
Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\

Updating
The worm downloads files from four Web locations (these locations are “hardcoded” into the worm body) and executes them. As a result the worm is able to “upgrade” itself with new versions, and/or install other applications such as trojan programs and spyware.
Other
All worm routines (except the “Updating” feature) are active until June 8, 2003 only. This means the worm does not run its spreading routines (both email and network) after June 8, 2003.
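A gateway-side matcher for the Sobig.c message characteristics listed above, as an added example (not code from the original post). It transcribes the From, Subject, body and attachment-name indicators from the description, including the variant in which the attachment name has lost its last letter, and runs them over a constructed sample message.

```python
"""Match the Sobig.c message indicators described above against a raw message.

Added example, not part of the original post. Indicator values are transcribed
from the description; the sample message at the bottom is constructed.
"""
import email
from email import policy
from email.utils import parseaddr

SOBIG_C_FROM = "bill@microsoft.com"
SOBIG_C_SUBJECTS = {
    "Re: Screensaver", "Re: Movie", "Re: Submited (004756-3463)",
    "Re: 45443-343556B37DB6480EC9657E", "Re: Approved", "Approved78A85131",
    "Re: Your application", "Re: Application",
}
SOBIG_C_BODY = "Please see the attached file."
SOBIG_C_ATTACHMENTS = {
    "screensaver.scr", "movie.pif", "submited.pif", "45443.pif",
    "documents.pif", "approved.pif", "application.pif", "document.pif",
}
# The description notes the same names are also sent with the last letter cut
# (screensaver.sc, movie.pi, ...), so derive that set rather than retype it.
SOBIG_C_TRUNCATED = {name[:-1] for name in SOBIG_C_ATTACHMENTS}


def classify_attachment(filename):
    """Return 'exact', 'truncated' or None for an attachment file name."""
    name = (filename or "").strip().lower()
    if name in SOBIG_C_ATTACHMENTS:
        return "exact"
    if name in SOBIG_C_TRUNCATED:
        return "truncated"
    return None


def sobig_c_indicators(raw_message):
    """Parse an RFC 822 message and return the sorted list of indicator tags
    it matches, e.g. ['attachment:truncated:movie.pi', 'body', ...]."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender == SOBIG_C_FROM:
        hits.append("from:" + sender)
    if str(msg.get("Subject", "")).strip() in SOBIG_C_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() == SOBIG_C_BODY:
        hits.append("body")
    for part in msg.iter_attachments():
        kind = classify_attachment(part.get_filename())
        if kind:
            hits.append(f"attachment:{kind}:{part.get_filename().strip().lower()}")
    return sorted(hits)


def looks_like_sobig_c(raw_message):
    """Flag only on body text plus a matching attachment name: From is spoofed
    from harvested addresses and the subjects are generic enough to collide."""
    hits = sobig_c_indicators(raw_message)
    return "body" in hits and any(h.startswith("attachment:") for h in hits)


# Constructed sample message (not a real capture) using a truncated name.
SAMPLE_MESSAGE = """\
From: bill@microsoft.com
To: user@example.invalid
Subject: Re: Movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached file.
--b1
Content-Type: application/octet-stream; name="movie.pi"
Content-Disposition: attachment; filename="movie.pi"
Content-Transfer-Encoding: base64

AAAAAAAA
--b1--
"""

if __name__ == "__main__":
    print(sobig_c_indicators(SAMPLE_MESSAGE))
    print(looks_like_sobig_c(SAMPLE_MESSAGE))
```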

I-Worm.Sobig.b (aka Palyh)

Thursday, December 28th, 2006

Details
I-Worm.Sobig.b (aka Palyh)

Sobig.b is a worm virus spreading via the Internet as an e-mail attachment. The worm also spreads across local area networks.
The worm itself is a Windows PE EXE file, written in Microsoft Visual C++, and compressed by UPX. The file size is about 50KB when compressed (UPX). The decompressed size is about 110KB.
The worm activates from infected email only if a user clicks on the attached file.
When run, the worm installs itself on the system and runs its spreading routine.
Installing
While installing the worm copies itself to the Windows directory under the name msccn32.exe and registers itself in the system registry auto-run keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe

Because of a bug, the worm in some cases copies itself to the wrong directories (the root of the drive, the current directory), but its spreading routines will still activate upon the next computer restart.
Spreading: email
To send out infected messages the worm uses a direct connection to the default SMTP server. To find victim email addresses, the worm looks for .TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on all available local drives, then retrieves email-like strings from the files that are found.
Following are possible message characteristics:
From:

support@microsoft.com

Subject:

Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details

Message Body:

All information is in the attached file.

Attached file name:

your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif

The worm also creates the file hnks.ini in the Windows directory and writes the found email addresses to this file.
Spreading via network
The worm enumerates all accessible network resources (other computers on the network) and copies itself to the auto-start directories (if such subdirectories exist) of reachable machines:
Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\

Updating
The worm downloads files from four Web locations (which are “hardcoded” in the worm’s body) and executes them. As a result the worm is able to update itself with new versions and/or install other applications (trojan programs, for example).
Other
All worm routines (except “Updating”) are active until May 31, 2003, meaning the worm does not run its spreading routines (both email and network) after May 31, 2003.

I-Worm.Sobig

Thursday, December 28th, 2006

Details
I-Worm.Sobig.b
This is a worm virus spreading via the Internet as a file attachment to infected emails. The worm also spreads via local area networks.

The worm itself is a Windows PE EXE file, written in Microsoft Visual C++, and compressed by UPX. The compressed file is about 50KB or larger; the decompressed size is about 110KB or larger.

The worm activates from infected email only when a user clicks on the attached file.

When run, the worm installs itself on the system and runs its spreading routine.

Installing

While installing the worm copies itself to the Windows directory under the “msccn32.exe” name and registers itself in the system registry auto-run keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
System Tray = %WindowsDir%\msccn32.exe
Because of a bug the worm in some cases copies itself to the wrong directories (root drive, current directory), but despite this, its spreading routines will activate upon the next computer restart.

Spreading via email

To send infected messages the worm uses a direct connection to the default SMTP server. To find victim email addresses the worm looks for .TXT, .EML, .HTML, .HTM, .DBX and .WAB files in all directories on all available local drives. Palyh then extracts email-like strings from the files that are found.

Messages contain the following attributes:

From:

support@microsoft.com
Subject:

Re: My application
Re: Movie
Cool screensaver
Screensaver
Re: My details
Your password
Re: Approved (Ref: 3394-65467)
Approved (Ref: 38446-263)
Your details
Message Body:

All information is in the attached file.
Attached file name:

your_details.pif
ref-394755.pif
approved.pif
password.pif
doc_details.pif
screen_temp.pif
screen_doc.pif
movie28.pif
application.pif
The worm also creates a file named “hnks.ini” in the Windows directory and writes to this file the email addresses that were found on an infected machine.

Spreading via network

The worm enumerates all accessible network resources (other computers on the network) and copies itself into the following auto-start directories where they exist:

Windows\All Users\Start Menu\Programs\StartUp\
Documents and Settings\All Users\Start Menu\Programs\Startup\
Updating

The worm downloads files from four Web addresses (they are “hardcoded” in the worm body) and executes them. As a result the worm is able to “upgrade” itself with new versions, and/or install other applications (trojan programs, for example).

Other

All worm routines (except “Updating”, see above) are active until May 31, 2003, meaning the worm does not run its spreading routines (both email and network) after May 31, 2003.

I-Worm.Sobig

Thursday, December 28th, 2006

Details
I-Worm.Sobig

Sobig is a worm virus spreading via the Internet as an attachment to infected emails. It also downloads and sets up a Backdoor program.
The worm itself is a Windows PE EXE file about 64 KB in length (when compressed by TeLock), and written in Microsoft Visual C++.
Infected messages have the following characteristics:
From:
big@boss.com

Subject: (one of the following)
Re: Movies
Re: Sample
Re: Document
Re: Here is that sample

Attachment: (one of the following)
Movie_0074.mpeg.pif
Document003.pif
Untitled1.pif
Sample.pif

The worm activates from infected email only if a user clicks on the attached file. Once run, it installs itself on the system and runs its spreading routine and payload.
Installing
While installing, the worm copies itself to the Windows directory under the name WINMGM32.EXE and registers this file in the system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
“WindowsMGM” = \winmgm32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
“WindowsMGM” = \winmgm32.exe

Spreading via E-mail
To send infected messages the worm uses an SMTP server. The worm looks for files with the following extensions: *.WAB, *.DBX, *.HTM, *.HTML, *.EML, *.TXT, and scans them for email address strings.
Spreading via Local Network
The worm enumerates network shares and tries to copy itself, under the name WINMGM32.EXE, to one of the following folders:
Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup
Set-up for the Backdoor Program
The worm downloads a text file that contains a link to a PE executable file, downloads that executable into the Windows directory under the name DWN.DAT, and runs it.
The worm body also contains plain-text strings for its SMTP dialogue and MIME message templates, the email-address pattern it uses for harvesting, and the URL of the text file it downloads.

I-Worm.Sober

Thursday, December 28th, 2006

Details
I-Worm.Sober.g

This worm spreads via email and file-sharing networks as an attachment to infected emails. It is written in Visual Basic and packed using UPX. The packed file is approximately 47KB in size, but may be slightly larger, as the worm may write random data to the end of the file.
Installation
The worm is activated when the file attached to the message is opened.
Once launched, the worm causes a fake error message to be displayed:
File not found
Special-UnZip Data-Module
is missing
Open with Notepad?
Yes No
If the user clicks Yes, the worm opens Notepad. The open Notepad window contains nonsense text. Mydoom used a similar diversionary trick.
The worm then creates a copy of itself in the Windows directory, saving it under a name chosen at random from the list below:
sys
host
dir
expolrer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
This file is then registered in the system registry auto-run key:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“[random key name]” = “%System%\[file name]”
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“[random key name]” = “%System%\[file name]”
The worm also creates further copies of itself, together with additional files, under the following names in the Windows directory:
bcegfds.lll
zhcarxxi.vvx
cvqaikxt.apk
xdatxzap.zxp
datsobex.wwr
winzweier.dats
wincheck32.dats
winexpoder.dats
NoSpam.readme
Propagation
The worm searches local disks for files with the following extensions
abc
abd
abx
adb
ade
adp
adr
asp
bak
bas
cfg
cgi
cls
cms
csv
ctl
dbx
dhtm
doc
dsp
dsw
eml
fdb
frm
hlp
imb
imh
imm
inbox
ini
jsp
ldb
ldif
log
mbx
mda
mdb
mde
mdw
mdx
mht
mmf
msg
nab
nch
nfo
nsf
nws
ods
oft
php
pl
pmr
pp
ppt
pst
rtf
shtml
slk
sln
stm
tbb
txt
uin
vap
vbs
vcf
wab
wsh
xhtml
xls
xml

It harvests email addresses from these files and then sends infected messages to those addresses. The worm connects directly to the SMTP server to send messages.
The headers and text of infected messages are in German or English. The headers and text are chosen and combined randomly from several dozen texts.
The attachment will have a .pif or .zip extension, with a random name.
Other
The worm has the ability to download and launch files from the following sites:
home.arcor.de
people.freenet.de
home.pages.at
scifi.pages.at
free.pages.at

I-Worm.Sober

Wednesday, December 27th, 2006

Details
I-Worm.Sober.f

This worm spreads via email as a file attached to infected messages. It also spreads via file-sharing networks. It is written in Visual Basic and packed using UPX. The packed file is approximately 40KB in size (this may vary slightly). The unpacked file is approximately 140KB in size.
Infected messages
Infected messages have a random message header and contain random text. The name of the attachment also varies, but has the extension .pif or .zip. A sample infected message is shown below.
Message header:
Connection failed
Message body:
I hope you accept the result!
Follow the instructions to read the message.
Please read the document
Attachment name:
your_passwords.pif
Installation
The worm is activated if the user opens the attached file. Once the worm is launched, it opens Notepad which will display the text contained in the original message.
The worm then creates a copy of itself in the Windows system directory under a random name chosen from the following list:
sys
host
dir
explorer
win
run
log
32
disc
crypt
data
diag
spool
service
smss32
This file is then registered in the system registry autorun key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I-Worm.Sober

Wednesday, December 27th, 2006

Details
I-Worm.Sober.e

This worm spreads via the Internet as an attachment to infected messages.
Characteristics of infected messages
Message header:
Chosen at random from the list below:
Hey!
hey?
Hi
hi
Hi :-)
Ok ;-)
OK OK
OK Ok OK!
Message body:
The message body consists of a few words, chosen at random from the list below:
;-)
HA :-)
ha!
lol
LoL
LOL
thx
THX
Thx!
yo!
Attachment:
A file named graphic_textdocument.pif.
Installation
When launched, the worm opens a Microsoft Paint window.
The worm copies itself to the Windows system directory under a randomly created name (e.g. smss32dir.exe or diagspool.exe) and adds an autorun key for this file to the registry.
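A heuristic check for Sober-style file names in the Windows system directory, as an added example that is not from the original posts. It assumes the name-component list given in the Sober.g and Sober.f descriptions above and the two-component names (smss32dir.exe, diagspool.exe) quoted for Sober.e; Sober.c, whose names look like xqdrv.exe, is not covered.

```python
"""Classify Windows directory entries against the Sober naming scheme above.

Added example, not from the original posts. Token list and companion file
names are transcribed from the Sober.g/Sober.f descriptions; directory
entries used at the bottom are constructed.
"""
from functools import lru_cache

# Name components listed for Sober.g/Sober.f; Sober.e joins two of them
# (smss32dir.exe = smss32 + dir, diagspool.exe = diag + spool).
SOBER_NAME_TOKENS = ("sys", "host", "dir", "explorer", "win", "run", "log", "32",
                     "disc", "crypt", "data", "diag", "spool", "service", "smss32")

# Fixed companion file names the Sober.g description lists in the Windows directory.
SOBER_G_FILES = {
    "bcegfds.lll", "zhcarxxi.vvx", "cvqaikxt.apk", "xdatxzap.zxp", "datsobex.wwr",
    "winzweier.dats", "wincheck32.dats", "winexpoder.dats", "nospam.readme",
}


@lru_cache(maxsize=None)
def _segmentations(stem):
    """Every way to write stem as a concatenation of SOBER_NAME_TOKENS."""
    if stem == "":
        return ((),)
    found = []
    for token in SOBER_NAME_TOKENS:
        if stem.startswith(token):
            for rest in _segmentations(stem[len(token):]):
                found.append((token,) + rest)
    return tuple(found)


def sober_name_tokens(filename):
    """Return the shortest token split of an .exe file name, or None if the
    stem cannot be built from the Sober token list."""
    name = filename.strip().lower()
    if not name.endswith(".exe"):
        return None
    splits = _segmentations(name[:-4])
    return list(min(splits, key=len)) if splits else None


def classify_windows_dir_entry(filename):
    """'companion' for a fixed Sober.g file name, 'strong: a+b' for a name
    built from two or more tokens, 'weak: a' for a single token, else None.
    explorer.exe is a legitimate Windows binary and is never flagged."""
    name = filename.strip().lower()
    if name in SOBER_G_FILES:
        return "companion"
    tokens = sober_name_tokens(name)
    if not tokens or tokens == ["explorer"]:
        return None
    level = "strong" if len(tokens) >= 2 else "weak"
    return f"{level}: {'+'.join(tokens)}"


if __name__ == "__main__":
    # Constructed directory listing, not a real capture.
    for entry in ("smss32dir.exe", "diagspool.exe", "explorer.exe",
                  "notepad.exe", "winzweier.dats", "sys.exe"):
        print(entry, "->", classify_windows_dir_entry(entry))
```

Single-token hits such as sys.exe are reported as weak because short generic names also occur legitimately; the two-token form is the one the Sober.e description quotes.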
Propagation
The worm searches for files with the extensions .rtf, .doc, .xls, .txt, .wab, .eml, .php, .asp, .shtml, .dbx, etc., and sends infected messages to all email addresses harvested from these files.

I-Worm.Sober

Wednesday, December 27th, 2006

Details
I-Worm.Sober.c
Sober.c is a worm that spreads via the Internet as an attachment to infected emails. The worm itself is a Windows PE EXE file about 73KB in size (the worm may change the file size during installation). The worm file is compressed by UPX; the decompressed size is about 260KB.
The infected messages have various subjects, body texts and attached file names. The attached file extension is randomly selected from “bat”, “cmd”, “pif”, “scr”, “exe” and “com”.
For example:
Subject:
why me?
Body:
You say in the www. that i’m a terrorist!!!
No way out for you. I REPORT YOU !
You’ve said THAT about me
Attachment:
terror-list.com
The worm activates from infected email only if a user clicks on the attachment.
Installation
During installation the worm copies itself three times to the Windows system directory with random names and registers these files in the system registry auto-run keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“[random name]” = “%System%\[random file name]”
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“[random name]” = “%System%\[random file name]”
for example: “jv32dirxpcon = xqdrv.exe”
The worm then displays a fake error message:

Propagation
The worm looks for files on disk with the following extensions:
htt
rtf
doc
xls
ini
mdb
txt
htm
html
wab
pst
fdb
cfg
ldb
eml
abc
ldif
nab
adp
mdw
mda
mde
ade
sln
dsw
dsp
vap
php
asp
shtml
shtm

It scans them for email-like text strings and then sends infected messages to the email addresses it finds, using its own SMTP engine.
The subject of infected emails is randomly selected from the following variants:
Sorry, that’s your mail
hi, its me
Thank You very very much
you are an idiot
why me?
I hate you
Preliminary investigation were started
Your IP was logged
You use illegal File Sharing all
A Trojan horse is on your PC
a trojan is on your computer!
Anime, Pokemon, Manga, …
Registration confirmation
registration confirmation
The body text is selected from the following variants:
i’m very very sorry, anybody have sent your mail to my address.

sorry for my bad english, I am a Swede!

excuse for my bad english, but I’m a Dutchman

I’ve got your mail, but its came on my mail address??? i’ve read this mail
,,, sorry about that excuse for my bad english, but I’m a Dutchman
I don’t know how to start this! I’m dull,, can you test!?
Here, the DigiCam photos. A few are overexposed.
That you’ve killed this bastard. Your reward:
That you have paid for me! And that’s your

Caution: To all gamers A new worm spread via online gaming! You must change your internet
configuration!! see: www.onlinegamerspro-worm.com set_config.

Attention: To all gamers
More than 75.000 freeware games!!! Genre: -> 8500 online games = 3D
Shooter, RPG, Action, Adventure, … non online games: -> Action = 4200
games -> 3D Shooter’s = 7500 games -> RPG’s = 6800 games -> Adventure’s =
5400 games -> ROM’s for NES, SNES, PS1&2, GC ,GB, MD, SMS, .. = 29.000
ROM’s - others = 16900 games all free!! Download and enjoy downloader.exe
www.freegames4you-gzone.com

You say in the www. that i’m a terrorist!!! No way out for you. I REPORT YOU ! You’ve said THAT about me

Thanks for your registration. ( We say Sorry again, the first mail was delivered to an unknown
mail address. This was a bug in our mailing system! ) The amount of 239.- USD was deducted by
your xxx Welcome, you can now visit more than 1200 very very hot web pages! Your registration,
pages and passwords are xxx in the attachment.

I said, I love you..,, and you said NOTHING. And now,,, Go Away From Me Here are my
love-letter((s)) mock me mock me again and again . Enjoy it. blablabla GO!

You get the charge in writing, in the next days.
In the next days you will receive the charge in writing.
In the next days, you’ll get the charge in writing.
In the next days, you’ll get the charge in writing.

Ladies and Gentlemen, Downloading of Movies, MP3s and Software is illegal
and punishable by law. We hereby inform you that your computer was scanned
under the IP xxx. The contents of your computer were confiscated as an
evidence, and you will be indicated. In the next days, you’ll get the
charge in writing. In the Reference code: #xxx, are all files, that we
found on your computer. The sender address of this mail was masked,
xxx- You get more detailed information by the Federal Bureau of
Investigation -FBI– Department for Illegal Internet Downloads, Room 7350 -
935 Pennsylvania Avenue - Washington, DC 20535, USA - (202) 324-3000

In the next days, you’ll get the charge in writing.
etc.
The attachment name is also randomly selected.

I-Worm.Sober

Wednesday, December 27th, 2006

Details
I-Worm.Sober.a
Sober is a network worm that spreads via email in message file attachments. It is written in Visual Basic and is 63KB in size. The file is compressed by UPX.
Infected email messages have arbitrary subjects and body texts in English and German. The name of the file attachment can vary with different file extensions - .bat, .com, .exe, .pif, .scr
Examples:

Subject: New Sobig-Worm variation (please read)

Body text: New Sobig variation in the net.
You must change any settings before the worm control your computer!
But, read the official statement from Norton Anti Virus!

File attachment: NAV.pif

Installing
The Sober worm only becomes active if a user opens the file attachment. When launched, the worm displays a fake error message on the screen:

It then creates three copies of itself in the system’s Windows directory using the following names:
similare.exe
systemchk.exe
winrea.exe
Next, Sober registers itself in the system registry’s auto-run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
syspath=%System%\drv.exe

Spreading
Sober searches for files that have one of the following file extensions:
htt
rtf
doc
xls
ini
mdb
txt
htm
html
wab
pst
fdb
cfg
ldb
eml
abc
ldif
nab
adp
mdw
mda
mde
ade
sln
dsw
dsp
vap
php
asp
shtml
shtm

In these files Sober searches for victim email addresses to which to send itself. Sober uses a direct connection to the SMTP server.
Infected message subjects are chosen at random from the following list:

“You send spam mails (Worm?)”
“A worm is on your computer!”
“Now, it’s enough”
“You have sent me a virus!”
“Hi darling, what are you doing now?”
“Be careful! New mail worm”
“Re: Contact”
“RE: Sex”
“Sorry, I’ve become your mail”
“Hey man, long not see you”
“Re: lol”
“Viurs blocked every PC (Take care!)”
“Surprise”
“I’ve become your mail!”
“Advise who I am!”
“New Sobig-Worm variation (please read)”
“Back At The Funny Farm”
“I love you (I’m not a virus!)”
“Neuer Virus im Umlauf!”
“Sie versenden Spam Mails (Virus?)”
“Ein Wurm ist auf Ihrem Computer!”
“Langsam reicht es mir”
“Sie haben mir einen Wurm geschickt!”
“Hi Schnuckel was machst du so ?”
“VORSICHT!!! Neuer Mail Wurm”
“Re: Kontakt”
“RE: Sex”
“Sorry, Ich habe Ihre Mail bekommen”
“Hi Olle, lange niks mehr geh”
“Re: lol”
“Viurs blockiert jeden PC (Vorsicht!)”
“Überraschung”
“Ich habe Ihre E-Mail bekommen !”
“Jetzt rate mal, wer ich bin !?”
“Neue Sobig Variante (Lesen!!)”
“Back At The Funny Farm”
“Ich Liebe Dich”

The file attachment is chosen from the following list (the following list is not comprehensive):

AntiVirusDoc.pif
Check-Patch.bat
Screen_Doku.scr
Removal-Tool.exe
Perversionen.scr
Bild.scr
robot_mail.scr
RobotMailer.com
Privat.exe
AntiTrojan.exe
Mausi.scr
NackiDei.com
Anti-Sob.bat
screen_doc.scr
potency.pif
perversion.scr
pic.scr
CM-Recover.com
playme.exe
robot_mailer.pif
little-scr.scr
security.pif
Funny.scr
Liebe.com
Odin_Worm.exe
anti_virusdoc.pif
check-patch.bat
removal-tool.exe
love.com
nacked.com
Hengst.pif
schnitzel.exe
anti-trojan.exe
NAV.pif

Infected messages normally have the following signature:

Automatic Mail notification: Robot-System__#”

Other details
The Sober worm contains the following text strings:

Programmer of the -Sobig Worm-
Congratulations!! Your Sobig Worms are very good!!!
You are a very good programmer!
Yours faithfully
Odin alias Anon
Odin_Worm.exe

I-Worm.Smilex

Wednesday, December 27th, 2006

Details
I-Worm.Smilex

This worm spreads via the Internet as an attachment to infected emails. It is written in Visual Basic and is a Windows PE EXE file, approximately 75KB in size.
It contains the text string:
Smile Internet Explorer CD_Open
Installation
When launched, the virus copies itself to C:\WINDOWS\Start Menu\StartUp\Smile.exe, ensuring that it will gain control every time Windows is started.
It also creates a copy of itself named Poems.exe in the C:\ root directory.
It deletes the following files from the Windows directory:
Defrag.exe
Tuneup.exe
Regedit.exe
It also deletes C:\Program Files\Internet Explorer\Iexplorer.exe
It deletes all LNK files in C:\Windows\Desktop.
It also deletes Norton Antivirus files and directories:
C:\Program Files\Symantec Shared
C:\Program Files\Norton AntiVirus\v32scan.dll
C:\Program Files\Norton AntiVirus\Navtask.dll
C:\Program Files\Norton AntiVirus\Navtasks.dll
C:\program files\common files\Symantec Shared\scriptblocking
and copies itself under the names of the deleted files.
It also deletes Media Player:
C:\Program Files\Windows Media Player\wmplayer.exe
Propagation via email
Every time the virus is launched, it sends itself to all addresses found in the MS Outlook address book.
Other
The worm creates an empty directory named OK on disk A:\

I-Worm.Sircam

Wednesday, December 27th, 2006

Details
I-Worm.Sircam

This is a dangerous worm that spreads via the Internet and local networks. The worm itself is a Windows application written in Delphi, about 130K in size. While spreading, the worm may append an additional DOC, XLS, ZIP or other file to its own body (see below), so the attached file can be larger than 130K.
Upon being executed (by clicking on the attached file, for instance), it installs itself into the system, then sends infected messages (with its copy attached), infects local network computers (if there are drives shared for full access) and, depending on the system date, runs its payload routine.
E-mail Spreading
The worm sends itself from infected machines as an attached file with a variable name and double extension:
filename.ext1.ext2
where “ext1” can be one of the following: DOC, XLS, ZIP or EXE.
The worm randomly selects the “ext2” extension from PIF, LNK, BAT and COM. For example:
feb01.xls.pif
normas.doc.bat
The “filename.ext1” part comes from an original file located on the infected machine: the worm looks for a file with an “ext1” extension, takes its name as the attachment name, appends the file’s contents to its own body, and sends the result. So the infected files sent from an infected machine consist of two parts: 1: the worm’s EXE code; 2: appended extra data, a randomly selected DOC/XLS/ZIP/EXE file from the infected machine. The worm later uses this appended file to disguise its activity (see below).
As a side effect, this “appended file” spreading method can disclose confidential information from the infected machine.
The message Subject is the “filename” part above (exactly the “filename” of the attached file).
The body can be in one of two languages, English or Spanish. The first and last lines of the message body are always the same:
first line: “Hi! How are you?” (English) or “Hola como estas ?” (Spanish)
last line: “See you later. Thanks” (English) or “Nos vemos pronto, gracias.” (Spanish)

The variants of text between these lines are:
I send you this file in order to have your advice
I hope you can help me with this file that I send
I hope you like the file that I send to you
This is the file with the information that you ask for
Te mando este archivo para que me des tu punto de vista
Espero me puedas ayudar con el archivo que te mando
Espero te guste este archivo que te mando
Este es el archivo con la información que me pediste
The worm obtains victims’ e-mail addresses by scanning files that may contain them: SHO*, GET*, HOT*, *.HTM, *WAB, and some others. The search results are then stored by the worm in fake DLL files in the system directory:
SCD.DLL contains the list of “ext1” files
SCH1.DLL and SCI1.DLL contain the list of e-mail addresses located in the scanned files.
SCT1.DLL and SCY1.DLL files may also be found in the system directory; the worm stores additional data there.
To send infected messages the worm connects to an SMTP server. It takes the SMTP server name from the default system settings; if it cannot obtain the default server, it tries the following ones:
dobleclick.com.mx
enlace.net
goeke.net
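A matcher for the Sircam attachment name, Subject and message-body structure described above, as an added example that is not part of the original post; the sample subject, body and file names are constructed from the variants listed.

```python
"""Recognise the Sircam attachment/Subject/body pattern described above.

Added example, not from the original post. The extension sets and body lines
are transcribed from the description; sample values are constructed.
"""
import re

# filename.ext1.ext2: ext1 is the appended decoy type (DOC, XLS, ZIP, EXE),
# ext2 the executable extension the worm picks (PIF, LNK, BAT, COM).
SIRCAM_ATTACHMENT = re.compile(
    r"^(?P<filename>.+?)\.(?P<ext1>doc|xls|zip|exe)\.(?P<ext2>pif|lnk|bat|com)$",
    re.IGNORECASE,
)

# Fixed first and last body lines (English / Spanish) and the middle variants.
FIRST_LINES = {"Hi! How are you?", "Hola como estas ?"}
LAST_LINES = {"See you later. Thanks", "Nos vemos pronto, gracias."}
MIDDLE_LINES = {
    "I send you this file in order to have your advice",
    "I hope you can help me with this file that I send",
    "I hope you like the file that I send to you",
    "This is the file with the information that you ask for",
    "Te mando este archivo para que me des tu punto de vista",
    "Espero me puedas ayudar con el archivo que te mando",
    "Espero te guste este archivo que te mando",
    "Este es el archivo con la información que me pediste",
}


def parse_sircam_attachment(name):
    """Return (filename, ext1, ext2) if name carries the Sircam double
    extension, otherwise None. 'filename.ext1' is the decoy the victim sees."""
    m = SIRCAM_ATTACHMENT.match(name.strip())
    if m is None:
        return None
    return m.group("filename"), m.group("ext1").lower(), m.group("ext2").lower()


def body_matches_sircam(body):
    """True when the non-empty body lines are: a fixed first line, at least
    one of the middle variants, and a fixed last line."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if len(lines) < 3:
        return False
    return (lines[0] in FIRST_LINES and lines[-1] in LAST_LINES
            and any(ln in MIDDLE_LINES for ln in lines[1:-1]))


def sircam_verdict(subject, body, attachment_name):
    """Flag a message when the attachment name, the Subject (which Sircam sets
    to the 'filename' part) and the body template all agree."""
    parsed = parse_sircam_attachment(attachment_name)
    if parsed is None:
        return False
    return subject.strip() == parsed[0] and body_matches_sircam(body)


# Constructed sample (not a real capture) built from the listed variants.
SAMPLE_SUBJECT = "feb01"
SAMPLE_ATTACHMENT = "feb01.xls.pif"
SAMPLE_BODY = """Hi! How are you?

I send you this file in order to have your advice

See you later. Thanks
"""

if __name__ == "__main__":
    print(parse_sircam_attachment(SAMPLE_ATTACHMENT))
    print(sircam_verdict(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_ATTACHMENT))
```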
Installation to System
The worm copies itself to:
the \RECYCLED directory on the Windows drive, under the name SirC32.exe, for example (with Windows installed in C:\WINDOWS):
C:\RECYCLED\SirC32.exe
Windows system directory with the SCam32.exe name.
Windows directory with the ScMx32.exe name.
Windows start-up directory with the “Microsoft Internet Office.exe” name.
Note that not all of these steps are performed by the worm upon the first start-up; some of the files are created only under certain conditions.
The attributes of all these files are then set to “Hidden”.
The first two files are then registered in the system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Driver32 = %windows system directory%\SCam32.exe

HKCR\exefile\shell\open\command
SirC32.exe
The worm then extracts the appended “decoy” file (see above) to the Windows TEMP directory under the name “filename.ext1”, and opens it with WINWORD.EXE or WORDPAD.EXE, EXCEL.EXE or WINZIP.EXE, depending on “ext1”.
The worm also creates an additional registry key, HKLM\SOFTWARE\SirCam, and stores its internal data there.
Network Spreading
To spread over a local network, the worm enumerates all network resources (it obtains all shared directories on remote machines) and copies itself there. If there is a “\recycled” directory in the victim’s shared directory, the worm copies itself to that directory under the name SirC32.exe:
\recycled\SirC32.exe
The worm then appends to the end of the AUTOEXEC.BAT file the following command:
@win \recycled\SirC32.exe
If there is a “\Windows” directory, the worm renames the RUNDLL32.EXE file to the RUN32.EXE name, and then overwrites the original RUNDLL32.EXE with its own copy.
The worm then sets hidden attributes to its copies.
Payload
Depending on the system date and time, the worm with a probability of one in 20 deletes all files in all directories on the drive where Windows is installed, and removes all directories there as well.
On each start-up, with a probability of one in 50, the worm creates a SirCam.Sys file in the root of the current drive and writes one of the following texts there:
[SirCam_2rP_Ein_NoC_Rma_CuiTzeO_MicH_MeX]
[SirCam Version 1.0 Copyright L 2001 2rP Made in / Hecho en - Cuitzeo, Michoacan Mexico]
The worm appears to write these texts repeatedly in order to fill up free disk space.
These strings (as well as most of the other text strings) are encrypted in the worm’s body.
Fortunately, there is a mistake in the worm’s code and these routines are not executed in this way. However, the first routine (erasing files on the Windows drive) is executed if the worm’s copies SIRC32.EXE, SCAM32.EXE or RUNDLL32.EXE are renamed to any other name and run.

I-Worm.Sint

Wednesday, December 27th, 2006

Details
I-Worm.Sint

This is an email worm that spreads through MS Outlook. The worm itself is a Win32 executable file about 30K in length, written in Visual Basic.
When the worm is run it copies itself to the Windows directories under the following names:
C:\Windows\Vicevi_teza_odvala.txt.exe
C:\windows\system\Vicevi_teza_odvala.txt.exe
The second file is then registered in the system registry auto-run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sintesys = c:\windows\system\Vicevi_teza_odvala.txt.exe
The “C:\Windows” directory name is hardcoded in the worm’s code, so it cannot infect a system whose Windows directory has a different name.
The worm also copies itself under the same name to the root directories of all available logical drives (local or remote).
The worm then connects to MS Outlook using MAPI functions, gets all addresses from the Address Book and sends messages to all of them. The messages have:
Subject: Vicevi!
Attach: Vicevi_teza_odvala.txt.exe
The message body is randomly selected from four variants:
Cao! Izvini sto te uznemiravam ovako, ali evo saljem ti neke viceve koji cete sigurno oraspoloziti!
Vozdra! Evo pogledaj ove viceve koje sam i ja dobio neki dan! Pravo su smijesni!
Cao korisnice! Znam da sigurno nemas vremena da pogledas ove viceve koje ti saljem. Nadam se da ces imati vremena da ih pogledas!
Zdravo! Nemoram ti nista pricatiallsamo pogledaj ovu veliku kolekciju viceva ;)

To hide its activity, the worm displays fake error messages:

I-Worm.Silve

Wednesday, December 27th, 2006

Details
I-Worm.Silver

This is a dangerous worm that spreads through the Internet and IRC channels and also infects the local network. The worm itself is a Windows application written in Delphi, about 90K in size (the worm may also be compressed by a PE EXE compression tool, so the resulting file size can be smaller than the original).
Sending emails
To send infected emails from affected computers, the worm tries two different methods. First, it looks for the Eudora mailer installed in the system. If it is present, the worm scans Eudora’s outgoing mail database (the OUT.MBX file), gets email addresses from there and sends infected emails with an attached copy of the worm to these addresses. The worm’s messages have:
Subject: concerning last week all
Text: Please review the enclosed and get back with me ASAP.
Double click the Icon to open it.
Attach: c:\silver.exe
Next, the worm tries the installed email system regardless of its brand. To do this, the worm uses MAPI functions: it connects to the installed email system, reads the messages stored there, extracts email addresses from them and uses these to send its copies. In this case the messages have:
Subject: Re: now this is a nice pic :-)
Text: Thought you might be interested in seeing her
Attach: naked.jpg.exe
Infecting mIRC and PIRCH clients
To affect IRC clients, the worm looks for the C:\MIRC, C:\MIRC32 and C:\PIRCH98 directories and overwrites the IRC scripts there with a script that sends a copy of the worm to each user who joins the affected channel.
The mIRC script also has additional features. When a user sends a message containing the text “silverrat” to an IRC channel, the script replies to that user with the message “I have the Silver Rat virus” (so the worm reports infected computers to its master). If the text “pyrealrat” appears in the channel, the script opens the C: drive of the affected machine as a file server (which gives the worm’s master access to all data on the C: drive).
Spreading through local network
To infect remote computers on the network, the worm scans all drives from C: to Z: and looks for a WINDOWS directory on each. If one is found, the worm copies itself there and registers in the Windows auto-run section of the WIN.INI file or in the system registry, depending on the Windows version (Win9x or WinNT). Thus the worm can infect remote computers whose drives are shared with read/write access.
Installing into the system
To install itself into the system, the worm copies itself under the following names:
to Windows dir: SILVER.EXE, SILVER.VXD, NAKED.JPG.EXE, NAKED.JPG.SCR
to C: drive root dir: SILVER.EXE
The worm then registers itself in auto-run fields in the system registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKU\Software\Microsoft\Windows\CurrentVersion\Run
All these fields contain the instruction:
“Silver Rat” = WinDir\silver.exe
where “WinDir” is the name of Windows directory.
As a result, the worm copy is executed four times on each Windows startup. To run itself even more often (and so send more infected emails), the worm also modifies further registry keys.
Affecting registry keys
Windows applications are linked with filename extensions by special records in the system registry. These records point to the application that is run to process files with the given extension. When a file is opened, Windows takes its extension and then consults the system registry to get the name of the application that handles files of that type.
The worm abuses this Windows feature and modifies more than 100 such registry keys: it replaces the original reference to the application with a reference to its own copy (SILVER.VXD). The worm does this for three different keys per application:
\shell\open\command
\shell\edit\command
\Shell\play\command
The patched registry keys look as follows:
HKCR\AIFFFILE\shell\open\command = “C:\WINDOWS\silver.vxd 33157 "%1" %”
HKCR\AIFFFILE\shell\play\command = “C:\WINDOWS\silver.vxd 53157 "%1" %”
HKCR\ASFFILE\shell\open\command = “C:\WINDOWS\silver.vxd 379157 "%1" %”
where the number in the line is an ID used to run the original host application (see below).
The list of affected applications (registry keys that link a filename extension with an application) is rather large:
accesshtmlfile, accessthmltemplate, AIFFFILE, AllaireTemplate, anifile, artfile, aspfile, AudioCD, aufile, AVIFile, Briefcase, cdafile, Chat, CSSfile, curfile, Drive, DrWatsonLog, Excel.Workspace, ftp, giffile, helpfile, hlpfile, htfile, htmlfile, http, https, icofile, icquser, inifile,
iqyfile, IVFfile, jpegfile, JSFile, ldap, mailto, mic, MIDFile, money, MOVFile, MPEGFILE, MPlayer, mscfile, msee, msgfile, MSProgramGroup, Net2PhoneApp, NetscapeMarkup, news, nntp, Notes.Link, ossfile, outlook, PBrush, pcxfile, pngfile, powerpointhtmlfile, ramfile, RealMedia File,
regedit, regfile, SHCmdFile, SoundRec, tgafile, txtfile, VBSFile, wab_auto_file, Winamp.File, WinRAR, WinRAR.ZIP, WinZip, wrifile, WSFFile, x-internet-signup, xbmfile, xmlfile, xnkfile, xslfile, m3ufile, ASFFile, ASXFile, BeHostFile, ChannelFile, chm.file, CMCD, Connection Manager Profile, eybfile, fndfile,
fonfile, GatewayFile, htafile, icsfile, mhtmlfile, MMS, MMST, MMSU, NSM, MSBD, motiffile, Msi.Package, Msi.Patch, ofc.Document, ofx.Document, pjpegfile, PNM, qwb.Document, rtsp, scpfile, scriptletfile, SSM, ThemeFile, TIFImage.Document, ttffile, WangImage.Document, Whiteboard, WIFImage.Document, WSHFile

The worm stores the original keys in another registry key:
HKLM\Software\Silver Rat
This key contains the list of all keys that were replaced, as shown above. The worm uses this list to run the original application: it gets the application name and command line from that “backup” list and spawns it.
This way of modifying the system registry is very dangerous. If the worm copy is removed from the system, Windows cannot pass files to the applications listed above, and as a result Windows is left mostly non-functional. When a file from the affected list is opened, Windows reports an error message that the associated SILVER.VXD cannot be found.
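The hijack described above is easy to spot in a registry export, because every affected shell\open, shell\edit and shell\play command value resolves to the same non-executable file. The following Python script is an added example, not code from the original description or from the worm: it parses a constructed .reg-style export, flags command values whose handler is not a runnable program type, counts how many associations share one handler, and rebuilds the original values from a backup list keyed by the numeric ID in the hijacked command. The page does not document the real layout of the worm's backup key, so the ID-to-command mapping used here is an assumption.

```python
"""Detect file-association hijacks of the kind described above and rebuild the
original command values from a backup list.

Added example (not code from the page or from the worm). The .reg fragment and
the backup-list layout are constructed; the real backup format is not documented."""
import re

# Constructed .reg export fragment. Two command values have been redirected to
# silver.vxd (as in the description above); the jpegfile one is intact.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\silver.vxd 33157 \"%1\" %"

[HKEY_CLASSES_ROOT\htmlfile\shell\edit\command]
@="C:\\WINDOWS\\silver.vxd 61042 \"%1\" %"

[HKEY_CLASSES_ROOT\jpegfile\shell\open\command]
@="\"C:\\Program Files\\Viewer\\view.exe\" \"%1\""
'''

# Constructed stand-in for the worm's "backup" list: hijack ID -> original command.
# ASSUMPTION: the page does not document the real layout of HKLM\Software\Silver Rat.
SAMPLE_BACKUP = {
    "33157": r'"C:\WINDOWS\notepad.exe" %1',
    "61042": r'"C:\WINDOWS\notepad.exe" %1',
}

KEY_RE = re.compile(
    r'^\[HKEY_CLASSES_ROOT\\([^\\\]]+)\\shell\\(open|edit|play)\\command\]$', re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')
# First token of a command line: either a quoted path or a run of non-blanks.
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
ID_RE = re.compile(r'^\s*\S+\s+(\d+)\s')
RUNNABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".pif"}


def reg_unescape(value):
    """Undo .reg string escaping (backslash-escaped quotes and backslashes)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Yield (progid, verb, command) for each shell\\<verb>\\command default value."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = (key.group(1), key.group(2).lower())
            continue
        default = DEFAULT_RE.match(line)
        if default and current:
            yield current[0], current[1], reg_unescape(default.group(1))
            current = None


def first_executable(command):
    """Return the program a command line starts (quoted or unquoted first token)."""
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else ""


def inspect_association(progid, verb, command):
    """Return a reason if the handler is not a runnable program type, else None."""
    exe = first_executable(command)
    base = exe.rsplit("\\", 1)[-1]
    ext = base[base.rfind("."):].lower() if "." in base else ""
    if ext not in RUNNABLE_EXT:
        return "handler %r is not a runnable program type (%s)" % (exe, ext or "no extension")
    return None


def find_hijacked(reg_text):
    """List (progid, verb, command, reason) for every suspicious association."""
    findings = []
    for progid, verb, command in parse_reg(reg_text):
        reason = inspect_association(progid, verb, command)
        if reason:
            findings.append((progid, verb, command, reason))
    return findings


def handler_fanout(reg_text):
    """Count associations per handler basename; one program serving many
    unrelated file types is exactly the pattern the description above shows."""
    counts = {}
    for _, _, command in parse_reg(reg_text):
        base = first_executable(command).rsplit("\\", 1)[-1].lower()
        counts[base] = counts.get(base, 0) + 1
    return counts


def restore_from_backup(findings, backup):
    """Map each hijacked (progid, verb) back to its original command, using the
    numeric ID embedded in the hijacked command as the backup-list key."""
    restored = {}
    for progid, verb, command, _ in findings:
        m = ID_RE.match(command)
        if m and m.group(1) in backup:
            restored[(progid, verb)] = backup[m.group(1)]
    return restored


if __name__ == "__main__":
    for finding in find_hijacked(SAMPLE_REG):
        print("HIJACKED", finding)
    print("fan-out", handler_fanout(SAMPLE_REG))
    print("restore", restore_from_backup(find_hijacked(SAMPLE_REG), SAMPLE_BACKUP))
```

The fan-out count is the more general signal: it does not depend on the handler's extension, so it also catches a hijack that uses an .exe stub. Restoring from the backup list is only safe while that list still exists, which is why the description's next point (the worm destroying registry backups) matters for cleanup.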
The worm pays special attention to system backup files and gets rid of them to prevent the registry files from being restored from a backup. To do this, the worm corrupts (overwrites the first 5K of each file with garbage data) and deletes the files:
USER.DA0 and SYSTEM.DA0 in Windows directory
SYSTEM.1ST in root directory of C: drive
“Uninstall” payload
The worm has a payload routine that runs in the case of “uninstalling”.
The worm creates an “uninstall” key in the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Silver Rat
DisplayName = “Silver Rat Virus”
UninstallString = “c:\silver.exe /uninstall”
As a result, the worm’s record is visible in the Control Panel / Add-Remove Programs window as “Silver Rat Virus”. If the “Remove” button is pressed, the worm displays the message box:
Blood
“I have to return some videos” - American Psycho
and fills the header line of the Recycle Bin window with garbage (see picture).
Other features
The worm looks for active anti-virus applications and terminates them by their names:
AVP Monitor
Norton AntiVirus Auto-Protect
Norton AntiVirus v5.0
VShieldWin_Class
NAI_VS_STAT
McAfee VirusScan Scheduler
ZoneAlarm
WRQ NAMApp Class
It also looks for anti-virus files (databases) and deletes them:
*.AVC (AVP)
*.DAT (NAI)
BAVAP.VXD, NAVKRNLN.VXD (NAV)
The worm also tries to affect VBS files but fails because of a bug.

I-Worm.Side

Wednesday, December 27th, 2006

Details
I-Worm.Sidex

This is a virus-worm that spreads via the Internet attached to infected e-mail and also infects the local network. The worm itself is a Windows PE EXE file about 107K in length (compressed with PCShrink; 202K decompressed), and is written in Delphi.
Infected messages contain:
Subject: Sites Pornos
Body: Tudo bem to te enviando uma lista dos melhores sites pornos da
uma olhada depois me avisa c voce gostou até mais um Abração Do
seu melhor amigo ;-)
Attachment: SitesDeSexo.doc.exe

The worm activates from infected e-mail only when a user clicks on an attached file. The worm then installs itself to the system, runs its spreading routine and payload.
Installing
While installing, the worm copies itself to the Windows system directory under the VxBrasil.exe name, and registers that file in the auto-run command of the WIN.INI file:
[windows]
run=%SystemDir%\VxBrasil.exe

where %SystemDir% is the Windows system directory.
Spreading
To send infected messages, the worm uses Windows MAPI functions and “answers” messages from e-mail boxes.
Local Network
The worm scans network shared drives, looks for directories containing a WIN.INI file, copies itself there under the “666hacked.exe” name, and registers this copy in that WIN.INI file under the same “windows/run” key as above.
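Both of the legacy auto-start locations used in these descriptions are plain text files, so they can be checked offline from a disk image or a share. The following Python script is an added example, not code from the page or from either worm: it reads the run=/load= lines of the [windows] section of WIN.INI (the location this worm uses with run=%SystemDir%\VxBrasil.exe) and the AUTOEXEC.BAT lines that start Windows with an extra program (the location the SirCam description above uses with @win \recycled\SirC32.exe). Both sample files are constructed; the severity rule that anything launched from a Recycle Bin directory is high-priority is the author's heuristic, not something the page states.

```python
"""Check the two legacy auto-start locations used by the worms described above:
the run=/load= lines in the [windows] section of WIN.INI (as in
run=%SystemDir%\\VxBrasil.exe) and AUTOEXEC.BAT lines that start Windows with an
extra program (as in @win \\recycled\\SirC32.exe).

Added example, not code from the page; both sample files are constructed."""
import re

SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\VxBrasil.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

SAMPLE_AUTOEXEC = """\
@ECHO OFF
SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND
C:\\WINDOWS\\COMMAND\\MSCDEX.EXE /D:MSCD001
@win \\recycled\\SirC32.exe
"""

# "win" (or "win.com") followed by an argument starts Windows and runs that program
WIN_RE = re.compile(r"^@?\s*win(?:\.com)?\s+(\S.*)$", re.I)


def win_ini_autostart(text):
    """Return [(key, program)] for every program named in run= or load= of [windows].
    Both keys are empty on a clean system, so anything found is worth a look."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ("run", "load") and value:
            # WIN.INI separates several programs with spaces or commas
            found.extend((key, prog) for prog in re.split(r"[ ,]+", value))
    return found


def autoexec_win_launch(text):
    """Return the programs handed to WIN in AUTOEXEC.BAT."""
    programs = []
    for raw in text.splitlines():
        m = WIN_RE.match(raw.strip())
        if m:
            programs.append(m.group(1))
    return programs


def severity(program):
    # Heuristic: nothing legitimate is started from the Recycle Bin directory
    return "high" if "\\recycled\\" in program.lower() else "review"


def suspicious_autostarts(win_ini_text, autoexec_text):
    """Combine both sources into (source, key, program, severity) tuples."""
    findings = [("WIN.INI", key, prog, severity(prog))
                for key, prog in win_ini_autostart(win_ini_text)]
    findings += [("AUTOEXEC.BAT", "win", prog, severity(prog))
                 for prog in autoexec_win_launch(autoexec_text)]
    return findings


if __name__ == "__main__":
    for finding in suspicious_autostarts(SAMPLE_WIN_INI, SAMPLE_AUTOEXEC):
        print(*finding)
```

Splitting a run= value on spaces assumes the 8.3 short names that Win9x-era entries used; a long path containing spaces would need quoting that WIN.INI never supported, so such a value is itself a reason to look closer.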
Other
The worm also installs a backdoor Trojan (“Backdoor.DRA”) on the infected machine. To do this, it extracts the backdoor code from its resources, saves it to the C:\ALEVIRUS.EXE and C:\BACK.EXE files and runs it.
The worm creates the decoy file C:\SitesDeSexo.doc and writes the following text there:
Estes são os melhores sites de SEXO da internet confira :)
The worm then writes a list of porn sites to this file and opens it.

I-Worm.Shatri

Wednesday, December 27th, 2006

Details
I-Worm.Shatrix

This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm also spreads over a local network by copying itself to shared drives. The worm itself is a Windows PE EXE file about 380Kb in length, written in Delphi.
Infected messages contain:
Subject: FW:Shake a little
Body: Hi !
This will shake your world :-)
Regards,
%username%
Attachment: SHAKE.EXE

where %username% is the name of the infected machine’s user.
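Every lure in the descriptions above (Vicevi_teza_odvala.txt.exe, naked.jpg.exe, SitesDeSexo.doc.exe, SHAKE.EXE) relies on the recipient opening an executable attachment, often one whose name imitates a document or picture. The following Python script is an added example, not code from the page or from any of the worms: it extracts attachment names from a raw message with the standard library's email parser and blocks executable attachments, with a separate reason for names that hide an executable extension behind a document-like one. The message is constructed to resemble the “Vicevi!” mail; its base64 body is a few placeholder bytes, not worm code, and the extension lists are the author's choice.

```python
"""Gateway-style check of mail attachments against the lures in the
descriptions above: a directly executable attachment, or one whose name hides an
executable extension behind a document-like one (Vicevi_teza_odvala.txt.exe,
naked.jpg.exe, SitesDeSexo.doc.exe), is blocked.

Added example, not code from the page; the raw message below is constructed."""
import email
from email import policy

EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
DOCUMENT_EXT = {"txt", "doc", "xls", "jpg", "jpeg", "gif", "htm", "html", "pdf", "zip"}

# Constructed message modelled on the "Vicevi!" mail; the attachment body is a
# few base64 placeholder bytes standing in for an executable, not worm code.
SAMPLE_MESSAGE = """\
From: friend@example.invalid
To: victim@example.invalid
Subject: Vicevi!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached jokes.
--b1
Content-Type: application/octet-stream; name="Vicevi_teza_odvala.txt.exe"
Content-Disposition: attachment; filename="Vicevi_teza_odvala.txt.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""


def classify_attachment(name):
    """Return (verdict, reason) for one attachment file name."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return ("allow", "no extension")
    ext = parts[-1]
    if ext not in EXECUTABLE_EXT:
        return ("allow", "." + ext)
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXT:
        return ("block", "document-looking name hiding executable extension ." + ext)
    return ("block", "executable attachment ." + ext)


def attachment_names(raw_message):
    """Extract attachment file names from an RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            names.append(filename)
    return names


def scan_message(raw_message):
    """Block the message if any attachment is blocked; report every verdict."""
    verdicts = {name: classify_attachment(name) for name in attachment_names(raw_message)}
    overall = "block" if any(v == "block" for v, _ in verdicts.values()) else "allow"
    return {"verdict": overall, "attachments": verdicts}


if __name__ == "__main__":
    print(scan_message(SAMPLE_MESSAGE))
```

The check is deliberately name-based and does not look at file content; a gateway that also sniffs for an MZ header in document-named attachments would catch renamed executables that this list misses.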
The worm is activated from infected e-mail only when a user clicks on the attached file. The worm then installs itself to the system, runs its spreading routine and payload.
While installing, the worm copies itself to the Windows system directory under a random name, and registers that file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemInfo = %worm file name%
To send infected messages, the worm uses MS Outlook MAPI. To obtain victim addresses, the worm looks for and scans the following files:
*.asp *.html *.htm
Depending on the system date, the worm creates random directories and drops HTML files with text randomly constructed from the following strings:
MatriX is out there
MatriX has Youall
MatriX is All around You
01001101011000010111010001110010011010

