A vulgar new worm has been found spreading that is taking advantage of the 2006 World Cup Soccer games. The worm arrives as an E-mail attachment with one of the following subjects and message bodys:
Subjects:
1. Soccer fans killed five teens
2. Crazy soccer fans
3. Please reply me Tomas
4. My tricks for you
5. Naked World Cup game set
6. My sister whores, shit i dont know
Message Bodies:
1. Soccer fans killed five teens, watch what they make on photos. Please report on this all who know.
2. Crazy soccer fans killed two teens, watch what they make on photos. Please report on this all who know.
3. I wait your photos from New York. I sent my pics where i naked for you. Please reply me. Linda Salivan
4. Nudists are organising their own tribute to the world cup, by staging their own nude soccer game, though it is not clear how the teams will tell each other apart. Good photos 😉
5. Emily Carr was an artist know for her prudery, but now the Portrait Gallery of Canada has aquired a nude self-portrait. View photos.
Upon execution, the worm copies itself to the following location:
%Sysdir%msctools.exe
Attempts to download additional malware:
http://couple{removed}.com/tumbs/dianaimg.exe
The worm also attempts to disable the following processes:
AVP32.EXE
AVPCC.EXE
AVPM.EXE
AVP.EXE
iamapp.exe
iamserv.exe
FRW.EXE
blackice.exe
blackd.exe
zonealarm.exe
vsmon.exe
VSHWIN32.EXE
VSECOMR.EXE
WEBSCANX.EXE
AVCONSOLE.EXE
VSSTAT.EXE
OUTPOST.EXE
REGEDIT.EXE
NETSTAT.EXE
TASKMGR.EXE
MSCONFIG.EXE
NAVAPW32.EXE
UPDATE.EXE
msctools.exe
The worm then uses a built-in mail engine to send copies of itself to addresses that have been harvested from the infected machine. The worm avoids sending itself to addresses containing the following strings:
temps
abuse
admin
webmaster
support
submit
service
sendmail
secur
samples
ripe
privacy
postmaster
panda
nothing
mydomai
mozilla
linux
kernel
inpris
icrosoft
ibm.com
google
example
contact
certific
borlan
berkeley
anyone
policy
apache
webmin
webmist
random
local
anonymous
addres
kaspersk
microsof
norton
symantec
virus
reply
report
Adam Thomas
Malware Research