Name: W32/Fishlet-A
Aliases: WORM_FISHLET.A
Type: Win32 worm
Date: 14 June 2002

At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Description:

W32/Fishlet-A is an internet worm that spreads via email by sending itself to email addresses found in the Windows address book.

The email will have the following characteristics:

Sender's address: eMarket Services
Recipient: e-Market customer
Subject line: Order report
Message body: The body of the email starts with the following lines:

"Dear eBay customer,
Thank you for using eBay services.
_____________________________
Your order Num. is: 31547
Delivery time: 7 days
Order subject: Inventory # 476
PENTIUM 4 1.6GHz 40GB/32VID
128MB PC800 NON-ECC RDRAM
1.44 MB Floppy Disk Drive
48X RW CD-ROM Drive
Software: Norton Antivirus
Software: Microsoft Windows XP HOME Edition
All Components Assembled and Ready to Go!
Price: 738.00$"

Attached file: <randomname>.exe

When this file is run an eBay advertisement is displayed.

The worm copies itself into the Windows folder as ssh261.exe. It also drops the files fishlet.bin, SndVx.exe and ccfp.exe into the same folder.

The worm sets the following registry entry so that it will be automatically started when Windows starts up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SndVX = <Windows folder>\SndVx.exe

Read the analysis at http://www.sophos.com/virusinfo/analyses/w32fishleta.html
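
A read-only host check for the file and registry artefacts listed in the description, given here as an added example and not as Sophos's own tooling. The function name Test-FishletArtifacts is hypothetical, and the extra look at the Wow6432Node view of the Run key is an assumption covering 32-bit programs on 64-bit Windows; the advisory names only the HKLM path.

```powershell
# Added example: looks for the W32/Fishlet-A artefacts named in the advisory.
# Test-FishletArtifacts is a hypothetical name; nothing is modified or deleted.
function Test-FishletArtifacts {
    [CmdletBinding()]
    param(
        # Windows folder to inspect; defaults to the running system's.
        [string]$WindowsFolder = $env:windir
    )

    $findings = @()

    # Files the advisory says the worm copies or drops into the Windows folder.
    foreach ($name in 'ssh261.exe', 'fishlet.bin', 'SndVx.exe', 'ccfp.exe') {
        $path = Join-Path -Path $WindowsFolder -ChildPath $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force   # -Force also returns hidden files
            $findings += [pscustomobject]@{
                Kind   = 'File'
                Item   = $path
                Detail = "size=$($item.Length) modified=$($item.LastWriteTime.ToString('s'))"
            }
        }
    }

    # Run value named in the advisory (SndVX). The second key is an assumption:
    # the redirected view a 32-bit program writes to on 64-bit Windows.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $run = Get-ItemProperty -LiteralPath $key -Name 'SndVX' -ErrorAction SilentlyContinue
        if ($null -ne $run) {
            $findings += [pscustomobject]@{
                Kind   = 'RunValue'
                Item   = "$key\SndVX"
                Detail = [string]$run.SndVX   # the command line Windows would start
            }
        }
    }

    return $findings
}

$hits = @(Test-FishletArtifacts)
if ($hits.Count -eq 0) {
    'No W32/Fishlet-A artefacts from the advisory were found.'
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

A match on a file name or on the Run value is a lead for triage; confirm it with an up-to-date scanner before acting on it.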