W32/Famus-F is a mass-mailing worm.
W32/Famus-F spreads by sending email messages with itself as an attachment. Email addresses to send to are obtained from the infected machine.
Emails are sent with subject
"Mas terrorismo este ano \More terrorism this year"
and contain the following message text:
'Password: "cnn"
Ultimas declaraciones de Bin Laden
Reenvíe este video a todo el mundo.
======================================================
Password: "cnn"
Last speech from Bin Laden
Please forwards this video to everybody.'
W32/Famus-F may display a message box containing the text "File corrupted or bad format".
W32/Famus-F is a mass-mailing worm.
W32/Famus-F spreads by sending email messages with itself as an attachment. Email addresses to send to are obtained from the infected machine.
Emails are sent with subject
"Mas terrorismo este ano \More terrorism this year"
and contain the following message text:
'Password: "cnn"
Ultimas declaraciones de Bin Laden
Reenvíe este video a todo el mundo.
======================================================
Password: "cnn"
Last speech from Bin Laden
Please forwards this video to everybody.'
W32/Famus-F also sends an email to a predefined address, giving details of the infected system.
W32/Famus-F may display a message box containing the text "File corrupted or bad format".
W32/Famus-F copies itself to the Windows system folder. The worm may also drop the file SMTP.OCX in the Windows system folder which appears to be harmless.
W32/Famus-F may also drop a component as MICROSOFT OFFICE.PIF in <Start Menu>\Programs\Startup. Further files may be dropped in C:\recycled\.
W32/Famus-F may create the following registry entries in order to run itself on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sav32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
NortonUtility