is an Internet worm written in Microsoft C and packed with UPX. The worm is 50688 bytes long, it spreads via email and via network shares. It drops the trojan horse with keylogging and backdoor capabilities. The worm arrives as a randomly named attachment in email message with variable subjects and body. It uses the well known IFrame exploit that allows it to run automatically on vulnerable computers without patch.
After execution of the infected attachment, the worm copies itself to the WINDOWS\SYSTEM directory under a four-character random name, then copies itself to the Windows STARTUP directory under a three-character random name. Then it tries to copy itself to remote machines with open shared drives over the LAN under a three-character random name. It also opens the port 36794 and listens for the commands from outside. The worm then drops the trojan - keylogger into the following files: C:\WINDOWS\SYSTEM\ICCYOA.DLL, C:\WINDOWS\SYSTEM\LGGUQAA.DLL, C:\WINDOWS\SYSTEM\ROOMUAA.DLL, C:\WINDOWS\OKKQSA.DAT and C:\WINDOWS\USSOWA.DAT. When it tries to spread over the LAN, it can also affect the network printers - these cannot be infected by the worm can print a lot of garbage on them.
The following registry key is created:
The worm also tries to disable some antivirus and firewall programs:
The worm then searches the email addresses in current inbox and in the
files on a the local disk with the following extensions: MMF, NCH,
MBX, EML, TBB and DBX. It uses its own SMTP routine to sned
the mails via the SMTP server found in the following registry key:
It falses the FROM filed in similar way as Win32:Klez-H, so there is no obvious way how to find the real sender with the infected computer.
Any avast! with VPS file dated on or after 30th September 2002 is able to detect this worm.Refer: Avast