Magistr a mm virus




















The virus contains the following text: ARF!


GIF files found on the local machine to others along with itself. In addition, the virus has maintained some characteristics of its predecessor, including the ability to use mass-mailing techniques to send itself to email addresses stored in several places. These email addresses are gathered from the Windows Address Book, Outlook Express mailboxes, and Netscape mailboxes; addresses found in email messages within existing mailboxes may also be gathered.

The messages sent by the worm contain various subject headings, body text, and attachments. It may send more than one attachment and may include non-.EXE or non-viral files along with an infectious.

When the virus is run from an infected message (for example, if a user clicks on an infected attachment), it installs itself memory-resident in Windows memory, then runs in the background, sleeps for a few minutes and runs its routines: local and network Win32 EXE file infection, email spreading, etc. Before running its routines the virus sleeps for 3 minutes. So the virus code is activated on each Windows restart.

That file is infected so that the host program is not activated after the virus runs: control is not returned to the host program, and the affected application just exits. Thus the virus activates itself from the system Registry or from the WIN.INI file without any side effect. The virus then runs its infection routines, which scan directories and available drives for Win32 PE .EXE and .SCR files and infect them. That routine is activated at random, 3 times out of 4. Next the virus scans all local drives and infects files on them.

INI file. So remote Win9x systems will get infected on the next Windows startup. While processing the drives the virus creates a special .DAT file for its own use. The file name and location depend on the network name of the current machine, for example:. That file is created in the Windows directory, or in the 'Program Files' directory, or in the root directory of the C: drive, or in the root directory of the system drive.

The virus encrypts its main code with a polymorphic engine and writes itself to the end of the file. To get control when an infected file starts, the virus patches the entry code with one more polymorphic routine that passes control to the main encrypted virus code at the end of the file.

To send infected emails the virus reads the settings of the installed email clients from the system registry. It gets info on the following clients:. The virus then scans the email database files of the email clients it found, gets email addresses from there and sends copies of itself to those addresses.

The infected messages may have no body (no text in the message), or randomly constructed text. The same applies to the Subject. The Subject and Body are randomly constructed from words and sentences found in .DOC and .TXT files on the system (the virus also scans local drives for these files and gets text from them). The virus also randomly uses words and sentences from the following list:.

While sending infected messages the virus connects to one of three email servers using the SMTP protocol and sends the messages there. The virus also randomly, in 4 cases out of 5, corrupts the second letter in the sender name. The virus stores in its body ten email addresses of already infected users as a history of its spreading: the 10 latest email addresses the virus was spreading from.

While spreading, the virus compares a victim's email address with that list and does not send messages to addresses that are already infected.
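The file-infection layout described earlier (encrypted main code written to the end of the file, entry code patched to pass control there) suggests a simple triage check on PE files. The sketch below is an added example, not code from the original description. It is a generic heuristic for appending infectors rather than a Magistr signature, and it assumes the appended body sits in a last section that must be both writable and executable to decrypt itself in place. The names `read_sections`, `triage` and `build_sample` are hypothetical.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* section flags

def read_sections(data):
    """Parse a PE image; return (entry_rva, [(name, vaddr, vsize, flags), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    count, = struct.unpack_from("<H", data, pe + 6)         # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)     # SizeOfOptionalHeader
    entry_rva, = struct.unpack_from("<I", data, pe + 40)    # AddressOfEntryPoint
    table = pe + 24 + opt_size                              # first section header
    sections = []
    for i in range(count):
        name, vsize, vaddr = struct.unpack_from("<8sII", data, table + 40 * i)
        flags, = struct.unpack_from("<I", data, table + 40 * i + 36)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, flags))
    return entry_rva, sections

def triage(data):
    """Return findings consistent with an appended, self-decrypting body."""
    entry_rva, sections = read_sections(data)
    if not sections:
        return []
    name, vaddr, vsize, flags = max(sections, key=lambda s: s[1])  # highest RVA = last
    findings = []
    if flags & MEM_EXECUTE and flags & MEM_WRITE:
        findings.append(f"last section {name!r} is writable and executable")
    if vaddr <= entry_rva < vaddr + vsize:
        findings.append(f"entry point is inside last section {name!r}")
    return findings

def build_sample(last_flags, entry_rva=0x1000):
    """Constructed test input: PE headers only, two sections, no code at all."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    def sec(name, vaddr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, vaddr, 0x200, 0, 0, 0, 0, 0, flags)
    return dos + coff + opt + sec(b".text", 0x1000, 0x60000020) + sec(b".rsrc", 0x2000, last_flags)
```

Because the virus patches the entry code rather than necessarily moving the entry point, the second finding may be absent on such a file. Legitimate packers can also produce the first finding, so treat hits as leads for a proper scan, not as verdicts.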


