W32/Porkis-A

Discussion in 'malware problems & news' started by FanJ, Mar 27, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: W32/Porkis-A
    Aliases: I-Worm.Borzella, W32/Porkis@mm, W32.Atram@mm,
    W32.Storiel@mm
    Type: Win32 worm
    Date: 27 March 2002

    At the time of writing Sophos has received just one report of
    this worm from the wild.

    Description:

    W32/Porkis-A is an internet worm which emails itself to
    everybody in your Windows address book (WAB).

    The email will have the following characteristics:

    Subject line:
    Divertimento assicurato..
    Leggete urgentemente questa e-mail!! (se avete tempo da perdere)
    or
    Storielle..

    Message body:
    Ciao, guarda l'allegato... ti potrebbe interessare.
    Ciao, devi assolutamente vedere il file che ti ho allegato
    or
    Ciao, dai un'occhiata all'allegato e ti farai due risate :)

    Attached file:
    bar.exe, pippo.exe or porkis.exe

    When run, the worm displays a series of messages in Italian
    beginning with "Quiz. Cosa dice un vettore ad un altro".

    It copies itself to the Windows directory as dllmgr.exe and sets
    the following registry key so that the worm is run automatically
    each time the machine is restarted:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DllManager
    = \dllmgr.exe

    On 6th September the worm will display a message box with the
    text "Accadde il 6 ettembre, Attenzione signori!!! Oggi non e'
    mica un giorno fesso come gli altri: spegnete il computer e
    uscite,godetevi la vita,abbracciate e baciate la persona a voi
    piu' cara. Viva l'amore. :)".

    The worm is known to work on Italian versions of Windows with
    Outlook Express as the default mail client. On many other
    systems it will fail to spread.


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/w32porkisa.html
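
A mail-screening check built from the indicators listed in the post above, as an added example that is not part of the original post or of Sophos's analysis. The function names and the sample-message builder are constructed for illustration, and requiring a listed attachment name together with a listed subject or body line is an assumption made here to limit false positives.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the advisory text in the post above (lower-cased).
SUBJECTS = {"divertimento assicurato..", "storielle..",
            "leggete urgentemente questa e-mail!! (se avete tempo da perdere)"}
BODY_LINES = ("ciao, guarda l'allegato... ti potrebbe interessare.",
              "ciao, devi assolutamente vedere il file che ti ho allegato",
              "ciao, dai un'occhiata all'allegato e ti farai due risate :)")
ATTACHMENTS = {"bar.exe", "pippo.exe", "porkis.exe"}

def porkis_indicators(raw_message: bytes) -> set:
    """Return the indicator classes that match: subject, body, attachment."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = set()
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.add("attachment")
        elif not name and part.get_content_type() == "text/plain":
            # Unnamed text part: treat it as the visible message body.
            text = part.get_content().lower()
            if any(line in text for line in BODY_LINES):
                hits.add("body")
    return hits

def is_suspect(raw_message: bytes) -> bool:
    """Assumed policy: listed attachment name plus listed subject or body."""
    hits = porkis_indicators(raw_message)
    return "attachment" in hits and bool(hits & {"subject", "body"})

def build_sample(subject, body, attachment=None) -> bytes:
    """Constructed test message; the attachment payload is harmless filler."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```
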
     