W32/Favsin-A is a peer-to-peer and email worm for the Windows platform.
When first run, W32/Favsin-A copies itself to the Windows system folder with the filenames NvCpl.exe and Dong_Shi.exe and creates the following registry entry so that it runs whenever a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
NvCpl = "<Windows system folder>\NvCpl.exe"
The worm also copies itself into any folder whose path contains "shar" (e.g. C:\My Shared Folder\), using one of the following filenames:
Sun_YanZi-Huai_Tian_Qi.mpg.exe
Sun_YanZi-I_am_not_sad.mp3.exe
Sun_YanZi-Leave_me_alone.mp3.exe
Sun_YanZi-Mei_You_Ren_De_Fang_Xiang.avi.exe
Sun_YanZi-Shen_Qi.exe
Sun_YanZi-Tao_Wang.mpeg.exe
SunYanZi.mp3.exe
YanZi.Mp3.exe
YanZi_SuN-forever.mp3.exe
W32/Favsin-A harvests email addresses from the Windows address book and from files with the following file extensions:
ADB
ASP
DBX
DOC
HTM
HTML
JSP
RTF
TXT
XML
The email sent by W32/Favsin-A has the following characteristics:
Subject lines:
Great_Asia_Singer
Sun_YanZi
Sun_YanZi_HayranI
Asia_Singer
Sun-YanZi
Sun_Yan_Zi
Stefanie Sun Yanzi
Hoscakal
Sun_YanZi_Hayrani
Sun-YanZi-Mp3-Archive
I_hate_Spyware
SuN_YanZi_innocent
Forever Sun Yanzi
Message bodies:
You must to listen Sun Yanzi. I am enjoying to listen Sun YanZi.
I want to meet Sun YanZi. I am loving Sun-YanZi's Magic. Call me YanZi. But you don't contact me(Turkiye).
My Favourite Singer is Stefanie Sun Yanzi
I want to see Sun YanZi. Call me Sun Yan Zi ;)
I can not contact you. Because, I am far to you(Turkiye)
Please listen to me Stefanie Sun Yanzi.
Attachment filenames: (with extensions PIF, SCR or ZIP)
Sun_YanZi
Huai_Tian_Qi
Sun_Yanzi_Mp3
Great_Asia_Singer
World_Tour_Sun_YanZi
W32/Favsin-A displays a popup window with the text "No Windows. Yes doors and holes."
The worm drops a file named YanZi.vbs into the current folder and runs it. Several JPG files are dropped into the current user's temp folder with filenames SuN<digit>.JPG and SuN<digit>.tmp. The VBS file creates and runs a file named SUN.EXE which displays one of the JPG images.
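The file-system indicators listed above can be checked against a file listing collected from a host. The following triage sketch is an added example, not part of the original description; the function names, the default system folder path and the rule that a temp folder has a path component named "Temp" are assumptions, and the sample paths are constructed.

```python
import re
from pathlib import PureWindowsPath

# Filenames taken from the description above, lower-cased for comparison.
SELF_COPIES = {"nvcpl.exe", "dong_shi.exe"}
P2P_NAMES = {n.lower() for n in (
    "Sun_YanZi-Huai_Tian_Qi.mpg.exe", "Sun_YanZi-I_am_not_sad.mp3.exe",
    "Sun_YanZi-Leave_me_alone.mp3.exe",
    "Sun_YanZi-Mei_You_Ren_De_Fang_Xiang.avi.exe", "Sun_YanZi-Shen_Qi.exe",
    "Sun_YanZi-Tao_Wang.mpeg.exe", "SunYanZi.mp3.exe", "YanZi.Mp3.exe",
    "YanZi_SuN-forever.mp3.exe")}
DROPPED_HELPERS = {"yanzi.vbs", "sun.exe"}
TEMP_IMAGE = re.compile(r"sun\d\.(jpg|tmp)")  # SuN<digit>.JPG / SuN<digit>.tmp


def classify(path, system_dir=r"C:\Windows\System32"):
    """Return an indicator label for one Windows path, or None.

    system_dir is an assumption: pass the host's real system folder.
    A filename match is a lead for investigation, not proof of infection.
    """
    p = PureWindowsPath(path)  # Windows path semantics on any OS
    name = p.name.lower()
    if name in SELF_COPIES and p.parent == PureWindowsPath(system_dir):
        return "self-copy"
    # The worm targets any folder whose path contains "shar".
    if name in P2P_NAMES and "shar" in str(p.parent).lower():
        return "p2p-copy"
    if name in DROPPED_HELPERS:
        return "dropped-helper"
    # Assumption: a temp folder has a path component named "Temp".
    in_temp = any(part.lower() == "temp" for part in p.parent.parts)
    if in_temp and TEMP_IMAGE.fullmatch(name):
        return "temp-image"
    return None


def triage(paths):
    """Map each matching path to its label, skipping non-matches."""
    hits = {}
    for path in paths:
        label = classify(path)
        if label:
            hits[path] = label
    return hits


# Constructed sample listing (not taken from a real host).
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\NvCpl.exe",
    r"C:\My Shared Folder\Sun_YanZi-Tao_Wang.mpeg.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\SuN3.JPG",
    r"C:\Downloads\YanZi.vbs",
    r"C:\My Shared Folder\holiday.mp3",
    r"C:\Program Files\Vendor\NvCpl.exe",
]
```

A hit on the Run value NvCpl pointing at the same system-folder path would corroborate a "self-copy" match.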