
Discussion in 'malware problems & news' started by Pieter_Arntz, Jan 15, 2003.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz
    W32.Horo@mm is a mass-mailing worm that uses Microsoft Outlook to spread. This worm is written in Microsoft Visual Basic, version 6, and is packed with FSG. The email message has the following characteristics:

    Subject: Today's free horoscope

    Message: Open this screen saver file to see today's horoscope. No registrions. No fees. And No ugly lady in front of you! ABSOLUTE FREE!!!!!!!!!!!!!!!!

    Attachment: Horoscope.scr

    Also Known As: W32/Horo@MM [McAfee], WORM_WCONN.B [Trend]
    Type: Worm
    Infection Length: 14,736 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, OS/2, UNIX, Linux

    When W32.Horo@mm is executed, it does the following:

    1. Copies itself to the Windows desktop as Horoscope.scr.
    2. Copies itself as multiple versions of C:\Windows\<File name from the Windows folder>.exe<possible multiple exe extensions>. For example, if W32.Horo@mm finds the file C:\Windows\Active Setup log.txt, it copies itself as:
    Active Setup logtxt.exe
    Active Setup logtxtexe.exe
    Active Setup logtxtexeexe.exe
    Active Setup logtxtexeexeexe.exe

    3. Adds the value:

    <part of path> horoscope.scr

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<rest of path>

    For example, if the path to the Windows desktop is C:\Windows\Desktop, the value would be:

    <desktop> horoscope.scr

    and the key is:


    4. Adds multiple values similar to:

    <file name without .exe> <file name in Windows folder>.exe

    to the registry key:


    5. Sends itself using Microsoft Outlook. The email message has the following characteristics:

    Subject: Today's free horoscope


    Note: you'll have to copy and paste the url
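
Added example, not part of the original post or of any vendor write-up: a Python check that looks for the file-copy pattern from step 2 in a folder listing, using the 14,736-byte infection length given above. The function names and the sample listing are constructed for illustration; the code assumes only the last dot of a file name is dropped at each step and that every copy keeps the same size.

```python
import ntpath  # Windows path rules, so this also runs on a non-Windows analysis box

INFECTION_LENGTH = 14736  # "Infection Length: 14,736 bytes" from the description


def next_copy_name(name):
    """One step of the step-2 pattern: drop the last dot, then append .exe."""
    stem, ext = ntpath.splitext(name)
    return stem + ext.lstrip(".") + ".exe"


def find_suspect_copies(listing, max_depth=8):
    """listing maps file name -> size in bytes for one folder (e.g. C:\\Windows).

    Returns {original file: [copies found]} where each copy follows the
    naming chain and has the worm's size. max_depth is an assumed bound.
    """
    by_lower = {n.lower(): n for n in listing}  # Windows names are case-insensitive
    hits = {}
    for seed in listing:
        chain, name = [], seed
        for _ in range(max_depth):
            name = next_copy_name(name)
            actual = by_lower.get(name.lower())
            if actual is None or listing[actual] != INFECTION_LENGTH:
                break
            chain.append(actual)
        if chain:
            hits[seed] = chain
    # A copy also starts a shorter chain of its own; report only the real original.
    derived = {c for chain in hits.values() for c in chain}
    return {s: c for s, c in hits.items() if s not in derived}


# Constructed sample listing (not taken from a real infected machine).
SAMPLE = {
    "Active Setup log.txt": 2048,
    "Active Setup logtxt.exe": 14736,
    "Active Setup logtxtexe.exe": 14736,
    "Active Setup logtxtexeexe.exe": 14736,
    "notepad.exe": 53248,
    "win.ini": 477,
    "winini.exe": 20000,  # name fits the pattern, size does not: not reported
}

if __name__ == "__main__":
    for original, copies in find_suspect_copies(SAMPLE).items():
        print(original, "->", copies)
```

Files reported this way are candidates for an antivirus scan, and the Run key values from steps 3 and 4 should be checked for entries that point at them.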

