I-Worm.Tosse
Details
I-Worm.Tossed
This worm spreads in e-mail messages. The worm itself is a DOS EXE file about 30K in length. When run, it installs itself to the Windows directory with the TYPEDEF.EXE name and registers itself in a WIN.INI file in the auto-run section. To hide its activity, the worm then displays a fake message and exits:
PKSFX Self Extraction Utility Version 2.50 03-01-1999
Copr. 1989-1999 PKWARE Inc. All Rights Reserved. Shareware Version
PKZIP Reg. U.S. Pat. and Tm. Off. Patent No. 5,051,745
Error in SFX - Unable to extract !!
While installing, the worm tries four “hardcoded” variants of the Windows directory name: C:\WINDOWS, C:\WIN95, C:\WIN98, C:\WINNT, and fails to install itself when Windows is installed in the directory with different name.
Upo the next Windows start-up, the worm copy is activated as a TYPEDEF.EXE file from the Windows directory. The worm runs a counter that is stored in the TYPEDEF.INI file and is incremented on each TYPEDEF.EXE file start (i.e., on each Windows start-up). Depending on that counter (once per three runs), the worm creates a TYPEDEF.VBS file and writes a VisualBasicScript program to there that sends the worm copy attached to e-mail messages.
That program opens MS Outlook, reads e-mail addresses from the AddressBook and sends messages to all of them. The message subject is: “Check this out”. The message text and attached file name are randomly selected from eight variants:
It seems internet explorer 5 has some kinda bug which leaves some secuirity holes and allows somebody to write files onto your system. I downloaded this fix. I am sending it as an attatchment.
Attach: IE5FIX.EXE
I found something to help get rid of those irritating ads that pop up when you go to some sites. I am sending it as an attatchment.
Attach: NOADS.EXE
Here are some images you might like. You really need to check them out.
Attach: IMAGES.EXE
I am sending some of the coolest pictures known to man. You might want to check them out.
Attach: COOLPICS.EXE
Please take a look at these documents. I am sending them compressed in a self extractor.
Attach: DOCS.EXE
I am sending you the setup of the latest shareware version of PKZip. It gives excellent compression ratios. You might want to install it.
Attach: PKSETUP.EXE
I downloaded a patch to some bug in Internet Explorer. I am sending it as an attatchment.
Attach: PATCH.EXE
I downloaded a screen saver with cool effects. I am sending you its installation. Do try it out
Attach: SCRNSAVE.EXE
Also depending on the counter, the worm displays the text:
—— –
- — - –
— —- —- —- —- –
— — — – — — — —–
— — — —- —- —— — –
— — — — — — — –
—- —- —- —- —– — –
—– — –
— — — –
— — — — –
— — — — —–
— —– — —– — –
— — – — — — — — –
—– — — — — — — –
!!! and scrambled eggs !!!
I-WORM.TSSE
Coded by [Offset]
The worm also contains the text strings:
The Tossed Salad and Scrambled Eggs Worm = I-Worm.TSSE. Coded by [Offset]
Related Posts