W32/Theals-A is a mass-mailing and network worm as well as a mid-infecting, appending virus for the Windows platform.
Emails sent by W32/Theals-A have the following message text:
"Mail delivery failed due to network error.
Partial message is available. See attachment for details."
W32/Theals-A spreads to other network computers by exploiting the RPC-DCOM (MS04-012) overflow vulnerability.
When W32/Theals-A is installed, the following files are created:
C:\stealth.bszip.dll - a clean DLL
C:\stealth.dcom.exe - component to spread via RPC-DCOM vulnerability
C:\stealth.ddos.exe - component that performs the DDoS attacks and the Hosts file modification
C:\stealth.exe - stealthing component
C:\stealth.injector.exe - component that creates the zip archive and its password
C:\stealth.shared.dll - a malicious library
C:\stealth.spam.exe - mass-mailing component
C:\stealth.stat.exe - infection reporting component
C:\stealth.wm.exe - component that steals information
C:\stealth.worm.exe - the main worm/virus component
W32/Theals-A infects executable files on an infected system. Files are infected in an attempt to maintain the virus's presence on the system.
W32/Theals-A may perform distributed denial-of-service (DDoS) attacks on specific security-related websites, and modifies the infected computer's Hosts file in order to deny access to the same security websites.
W32/Theals-A attempts to hide itself on an infected system.
W32/Theals-A reports information specific to an infected computer to a pre-specified website, and attempts to steal information relating to the WebMoney financial service.
The following registry entry is changed to run stealth.worm.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
explorer.exe c:\stealth.worm.exe
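As an added defender-side example (not part of the original advisory), the following Python checks evidence exported from a suspect host against the two persistence artefacts described above: the Winlogon Shell value and the list of files the worm creates. The sample Shell value and directory listing are constructed.

```python
"""Offline triage of the W32/Theals-A persistence artefacts listed above.

Inputs are constructed samples of what a responder would export from a
suspect host; this is an added example, not code from the advisory."""
import re

# Files the advisory lists as created at install time (lower-cased for comparison).
THEALS_FILES = {
    r"c:\stealth.bszip.dll", r"c:\stealth.dcom.exe", r"c:\stealth.ddos.exe",
    r"c:\stealth.exe", r"c:\stealth.injector.exe", r"c:\stealth.shared.dll",
    r"c:\stealth.spam.exe", r"c:\stealth.stat.exe", r"c:\stealth.wm.exe",
    r"c:\stealth.worm.exe",
}


def shell_entries(value: str) -> list[str]:
    """Split a Winlogon 'Shell' value into the programs it launches.
    Windows separates entries with commas; the infected value on this page
    uses a space, so both are treated as separators. Quotes are stripped."""
    tokens = re.split(r"[,\s]+", value.strip())
    return [t.strip('"').lower() for t in tokens if t]


def unexpected_shell_entries(value: str) -> list[str]:
    """Return every Shell entry other than the default explorer.exe."""
    return [e for e in shell_entries(value) if e != "explorer.exe"]


def theals_files_present(listing: list[str]) -> list[str]:
    """Return the advisory's file names found in a directory listing (case-insensitive)."""
    found = [p for p in listing if p.lower() in THEALS_FILES]
    return sorted(found, key=str.lower)


def triage(shell_value: str, listing: list[str]) -> dict:
    """Combine both checks into one verdict for the host."""
    extras = unexpected_shell_entries(shell_value)
    files = theals_files_present(listing)
    return {"shell_extras": extras, "files": files,
            "suspect": bool(extras) or bool(files)}


if __name__ == "__main__":
    # Constructed sample evidence, not captured from a real host.
    SHELL = r"explorer.exe c:\stealth.worm.exe"
    LISTING = [r"C:\pagefile.sys", r"C:\stealth.worm.exe", r"C:\STEALTH.EXE"]
    print(triage(SHELL, LISTING))
```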