Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 19 June 2006 21:12:05 (GMT) |
| Last updated | 29 September 2006 09:21:43 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Sixem-A is an email worm for the Windows platform.
The worm harvests email addresses from files on the infected computer and sends itself as an email attachment. Email sent by the worm has the following characteristics:
Sender (randomly chosen from):
hotnews@cnn.com
kellyjast@hotmail.com
lindasal@gmail.com
mr.robs@yahoo.com
newsreader@hotmail.com
todaynews@cnn.com
Subject line (randomly chosen from):
Soccer fans killed five teens
Crazy soccer fans
Please reply me Tomas
My tricks for you
Naked World Cup game set
My sister whores, shit i dont know
Message text (randomly chosen from):
Soccer fans killed five teens, watch what they make on photos. Please report on this all who know.
Crazy soccer fans killed two teens, watch what they make on photos. Please report on this all who know.
Halo Markus, i sent my nude pics. Please reply me with you nude photos ;). Best regard You Sweet Kitty
I wait you photos from New York. I sent my pics where i naked for you. Please reply me. Linda Salivan
Nudists are organising their own tribute to the world cup, by staging their own nude soccer game, though it is not clear how the teams will tell each other apart. Good photos ;)
Emily Carr was an artist known for her prudery, but now the Portrait Gallery of Canada has acquired a nude self-portrait. View photos.
Attached file (randomly chosen from):
soccer_fans.jpg.exe
soccer_pics.jpg.exe
kelly_nude_imgs.jpg.exe
linda_bigtit.gif.exe
soccer_nudist.bmp.exe
emily_selfphoto.jpg.exe
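A mail-gateway style check for the attachment naming pattern listed above (an image extension followed by an executable one), as an added example that is not part of the original write-up. The function names, the extension sets and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed extension sets: files Windows executes, and media extensions used as a decoy.
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd"}
DECOY = {"jpg", "jpeg", "gif", "bmp", "png"}


def decoy_executables(raw_message: bytes) -> list[str]:
    """Return attachment names shaped like name.<decoy>.<executable>."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # Filename from Content-Disposition (falls back to the Content-Type name).
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so drop them before splitting,
        # and trim padding that may be placed between the two extensions.
        parts = [p.strip() for p in name.lower().rstrip(". ").split(".")]
        if len(parts) >= 3 and parts[-1] in EXECUTABLE and parts[-2] in DECOY:
            hits.append(name)
    return hits


def build_sample(filenames: list[str]) -> bytes:
    """Constructed message; attachments carry harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("constructed body")
    for fn in filenames:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fn)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample(["holiday.jpg", "soccer_fans.jpg.exe"])
    for name in decoy_executables(sample):
        print("quarantine:", name)
```

The rule keys on the naming pattern rather than the six fixed names, so a renamed copy with the same double-extension shape is still flagged.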
When run, the worm copies itself to the Windows system folder as "msctools.exe" and sets the following registry entries in order to run each time a user logs on:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Nsdevice
"<Windows system folder>\msctools.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Nsdevice
"<Windows system folder>\msctools.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Nsdevice
"<Windows system folder>\msctools.exe"
The worm downloads an additional component (also detected as W32/Sixem-A) to the Windows system folder as "vmonts.exe". The vmonts.exe file sets the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
"0"
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
dword:00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL
dnk
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
dword:00000000
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
dword:00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msverify
"<Windows system folder>\vmonts.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
msverify
"<Windows system folder>\vmonts.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
msverify
"<Windows system folder>\vmonts.exe"

