I-Worm.Zircon
Details
I-Worm.Zircon.c
This is a worm virus spreading via the Internet in infected e-mails. The worm itself is a Windows PE EXE file about 12Kb in size, written in Assembler.
The infected messages contain the following information:
Subject: ‘Important’ or a Japanese language subject (17 variants)
Body: [empty]
Attach: patch.exe
The worm activates from an infected e-mail only when a user clicks on the attachment.
The worm does not install itself in the system and once run is no longer active - unless a user clicks on the attachment once again.
Spreading
To send out infected messages the worm reads the address of the default Outlook SMTP server from the registry and connects to it. Then the worm reads addresses from the Windows address book. It then sends messages to all addresses found in the Windows address book. If the recipient’s address ends with the string “.jp” the worm inserts a Japanese subject. If not it inserts the subject: “Important”.
The worm contains the text string:
XXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXX I-Worm.Japanize XXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX
Related Posts