W32/Fishlet-A

Discussion in 'malware problems & news' started by FanJ, Jun 14, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: W32/Fishlet-A
    Aliases: WORM_FISHLET.A
    Type: Win32 worm
    Date: 14 June 2002


    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    Description:

    W32/Fishlet-A is an internet worm that spreads via email by
    sending itself to email addresses found in the Windows address
    book.

    The email will have the following characteristics:
    Sender's address: eMarket Services
    Recipient: e-Market customer
    Subject line: Order report
    Message body:
    The body of the email starts with the following lines:

    "Dear eBay customer,

    Thank you for using eBay services.
    _____________________________
    Your order Num. is: 31547
    Delivery time: 7 days

    Order subject: Inventory # 476

    PENTIUM 4 1.6GHz 40GB/32VID
    128MB PC800 NON-ECC RDRAM
    1.44 MB Floppy Disk Drive
    48X RW CD-ROM Drive
    Software: Norton Antivirus
    Software: Microsoft Windows XP HOME Edition
    All Components Assembled and Ready to Go!

    Price: 738.00$"

    Attached file: <randomname>.exe

    When this file is run an eBay advertisement is displayed. The
    worm copies itself into the Windows folder as ssh261.exe. It
    also drops the files fishlet.bin, SndVx.exe and ccfp.exe into
    the same folder. The worm sets the following registry entry so
    that it will be automatically started when Windows starts up:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SndVX=
    <Windows folder>\SndVx.exe


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/w32fishleta.html
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.