W32/Baba-C

Category: Viruses and Spyware
Type: Win32 executable file virus
Prevalence: Small Number of Reports


W32/Baba-C is a mass-mailing worm with a backdoor Trojan component.

W32/Baba-C sends itself as an email attachment to addresses obtained
from the infected system. Emails sent by the worm take the following
form:

Subject: Important! XXX sites found on your computer!

Body:
<HTML>
<font color=red><b>
Windows Evidence Checker has found XXX content on your computer.<br>
You can hide your activities with Evidence Cleaner service.<br>
<br>
To run Evidence Cleaner click to quick shortcut attached.<br>
<br>
Warning! Your copy of Evidence Cleaner will be expired after 7 days.<br>
Today you can register for FREE.<br>
<br>
Please check attached instructions for more details.<br>
</b></font>
</HTML>

Attachment name:
"quick shortcut to evidence cleaner length %d bytes
evidence-cleaner-system.com"

where %d is a decimal number.
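
The mail traits listed above can be matched at a mail gateway or over a mailbox export. The following is an added example, not Sophos code: the function name, the sample message and the treatment of the attachment name as a single filename with loose whitespace are assumptions.

```python
import re
from email import message_from_bytes, policy

# Traits taken from the description above.
SUBJECT = "Important! XXX sites found on your computer!"
BODY_MARKER = "Windows Evidence Checker has found XXX content"
# %d becomes \d+; whitespace runs are collapsed before matching (assumption:
# the listed name is one filename that the page shows split over two lines).
ATTACHMENT_RE = re.compile(
    r"quick shortcut to evidence cleaner length \d+ bytes "
    r"evidence-cleaner-system\.com", re.IGNORECASE)


def baba_c_traits(raw: bytes) -> set:
    """Return which W32/Baba-C mail traits a raw RFC 5322 message shows."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = set()
    if " ".join(str(msg["Subject"] or "").split()) == SUBJECT:
        found.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Attachment part: compare the whitespace-normalised filename.
            if ATTACHMENT_RE.fullmatch(" ".join(name.split())):
                found.add("attachment")
        elif part.get_content_maintype() == "text":
            # Inline text or HTML part: look for the lure's opening sentence.
            if BODY_MARKER in part.get_content():
                found.add("body")
    return found


# Constructed sample message (not a captured one); 1234 stands in for %d.
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: Important! XXX sites found on your computer!\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html; charset=us-ascii\r\n\r\n"
    b"<HTML><b>Windows Evidence Checker has found XXX content on your "
    b"computer.<br></b></HTML>\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment;\r\n"
    b' filename="quick shortcut to evidence cleaner length 1234 bytes'
    b'      evidence-cleaner-system.com"\r\n\r\n'
    b"placeholder\r\n--b1--\r\n"
)

if __name__ == "__main__":
    print(sorted(baba_c_traits(SAMPLE)))
```

A message showing all three traits is a strong match; the subject or body text alone can also appear in forwarded warnings about the worm.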

W32/Baba-C drops the backdoor Trojan component in the C:\ folder and
sets the following registry entry to ensure that this component is
run on computer log-on:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Windowsupdate Service =
"C:\csrss.exe"

W32/Baba-C also creates the harmless text file "csrss.bin" in the same
folder.

W32/Baba-C attempts to harvest email addresses from files on the infected
computer with the following extensions:

ASP
CGI
DAT
DBX
DOC
EML
HTM
HTML
MBX
MDB
PHP
RTF
TBB
TXT
WAB
INBOX
