| Description:
|
Details
I-Worm.Shatrix
This is a virus-worm that spreads via the Internet attached to infected e-mails. The worm also spreads over a local network by copying to shared drives. The worm itself is a Windows PE EXE file about 380Kb in length, and is written in Delphi.
Infected messages contain:
Subject: FW:Shake a little
Body: Hi !
This will shake your world :-)
Regards,
%username%
Attachment: SHAKE.EXE
Where %username% is the name of the infected-machines's user.
The worm is activated from infected e-mail only when a user clicks on an attached file. The worm then installs itself to the system, runs its spreading routine and payload.
While installing, the worm copies itself to the Windows system directory with a random name, and registers that file in the system registry auto-run key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun SystemInfo = %worm file name%
To send infected messages, the worm uses MS Outlook MAPI. To obtain victim addresses, the worm looks for and scans the following files:
*.asp *.html *.htm
Depending on the system date, the worm creates random directories, and drops HTML files with texts randomly constructed from the following strings:
MatriX is out there
MatriX has Youall
MatriX is All around You
01001101011000010111010001110010011010 |
