The subject of the infected email will be one of the following:
Let's talk, my friend!
Notify from a known person ;-)
RE: Protected message
Re: Thank you!
Re: Msg reply
Re: Incoming Fax
I just need a friend
RE: Text message
Let's socialize, my friend!
Re: Incoming Message
I'm bored with this life
Re: Thanks :)
I like you
Fax Message Received
I'm a sad girl...
The body of the infected email will be randomly generated by the worm.
The infected email carries two attachments:
1) A picture of a girl in .jpg format.
2) The worm file, with one of the following extensions:
Upon execution of the infected attachment, the worm displays a fake dialog box with the message "Can't find a viewer associated with the file". It drops the following files in the Windows System folder:
It also looks for the string 'shar' in the available shared folders, both local and on the network; if found, the worm copies itself to these folders using the following filenames:
XXX hardcore images.exe
Windows Sourcecode update.doc.exe
Windown Longhorn Beta Leak.exe
WinAmp 6 New!.exe
WinAmp 5 Pro Keygen Crack Update.exe
Porno, sex, oral, anal cool, awesome!!.exe
Porno pics arhive, xxx.exe
Opera 8 New!.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Office 2003 Crack, Working!.exe
Matrix 3 Revolution English Subtitles.exe
Kaspersky Antivirus 5.0
Ahead Nero 7.exe
Adobe Photoshop 9 full.exe
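
Added example (not part of the original description): a defender-side sweep in Python that walks a directory tree and reports files carrying one of the names listed above inside folders with 'shar' in their name. Matching on the folder name and ignoring case are assumptions; find_decoys and demo are hypothetical helper names, and the sample tree is constructed.

```python
import os
import tempfile

# File names copied from the list above, spelling kept exactly as listed.
DECOY_NAMES = {name.lower() for name in (
    "XXX hardcore images.exe",
    "Windows Sourcecode update.doc.exe",
    "Windown Longhorn Beta Leak.exe",
    "WinAmp 6 New!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe",
    "Porno, sex, oral, anal cool, awesome!!.exe",
    "Porno pics arhive, xxx.exe",
    "Opera 8 New!.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Office 2003 Crack, Working!.exe",
    "Matrix 3 Revolution English Subtitles.exe",
    "Kaspersky Antivirus 5.0",
    "Ahead Nero 7.exe",
    "Adobe Photoshop 9 full.exe",
)}

def find_decoys(root):
    """Return sorted paths of listed file names found directly inside any
    folder under root whose name contains 'shar' (case-insensitive here,
    which is an assumption; the description does not state case handling)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "shar" not in os.path.basename(dirpath).lower():
            continue
        hits += [os.path.join(dirpath, f) for f in files if f.lower() in DECOY_NAMES]
    return sorted(hits)

def demo():
    """Sweep a constructed directory tree; returns hits relative to its root."""
    layout = (  # constructed sample data: (folder, file name)
        ("Shared Docs", "Opera 8 New!.exe"),   # listed name in a 'shar' folder
        ("Shared Docs", "budget.xls"),         # unlisted name, ignored
        ("Projects", "Ahead Nero 7.exe"),      # listed name, folder lacks 'shar'
        ("p2p/My Shared Folder", "Kaspersky Antivirus 5.0"),
    )
    with tempfile.TemporaryDirectory() as root:
        for folder, name in layout:
            os.makedirs(os.path.join(root, folder), exist_ok=True)
            open(os.path.join(root, folder, name), "w").close()
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in find_decoys(root)]

if __name__ == "__main__":
    print(demo())
```
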
The worm opens port 2535 to allow access to the infected system.
It alters the Windows registry at the following location to load itself during the next startup: