Discussion in 'malware problems & news' started by Pieter_Arntz, Jan 15, 2003.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    W32.Horo@mm is a mass-mailing worm that uses Microsoft Outlook to spread. This worm is written in Microsoft Visual Basic, version 6, and is packed with FSG. The email message has the following characteristics:

    Subject: Today's free horoscope

    Message: Open this screen saver file to see today's horoscope. No registrions. No fees. And No ugly lady in front of you! ABSOLUTE FREE!!!!!!!!!!!!!!!!

    Attachment: Horoscope.scr

    Also Known As: W32/Horo@MM [McAfee], WORM_WCONN.B [Trend]
    Type: Worm
    Infection Length: 14,736 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, OS/2, UNIX, Linux

    When W32.Horo@mm is executed, it does the following:

    1. Copies itself to the Windows desktop as Horoscope.scr.
    2. Copies itself as multiple versions of C:\Windows\<File name from the Windows folder>.exe<possible multiple exe extensions>. For example, if W32.Horo@mm finds the file C:\Windows\Active Setup log.txt, it copies itself as:
    Active Setup logtxt.exe
    Active Setup logtxtexe.exe
    Active Setup logtxtexeexe.exe
    Active Setup logtxtexeexeexe.exe

    3. Adds the value:

    <part of path> horoscope.scr

    to the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<rest of path>

    For example, if the path to the Windows desktop is C:\Windows\Desktop, the value would be:

    <desktop> horoscope.scr

    and the key is:


    4. Adds multiple values similar to:

    <file name without .exe> <file name in Windows folder>.exe

    to the registry key:


    5. Sends itself using Microsoft Outlook. The email message has the following characteristics:

    Subject: Today's free horoscope


    Note: you'll have to copy and paste the url
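
The file-naming pattern in step 2 can be checked against a folder listing. The sketch below is an added example, not part of the original post or any vendor tool. The function names and the sample listing are constructed for illustration, and the matching rule (last dot removed, then zero or more `exe` repeats, then `.exe`) is inferred only from the `Active Setup log.txt` example above.

```python
"""Flag file names that match the copy pattern described for W32.Horo@mm."""


def collapse(name):
    """'Active Setup log.txt' -> 'active setup logtxt' (last dot dropped, lowercased).

    Returns None for names without a dot, since the write-up gives no example for those.
    """
    stem, dot, ext = name.rpartition(".")
    return (stem + ext).lower() if dot and stem else None


def find_suspect_copies(listing):
    """Map each original file name to the .exe names that look like copies of it.

    listing: file names taken from one folder, e.g. the Windows folder.
    """
    originals = {}
    for name in listing:
        key = collapse(name)
        if key is not None:
            originals.setdefault(key, name)

    hits = {}
    for name in listing:
        low = name.lower()
        if not low.endswith(".exe"):
            continue
        base, match = low[:-4], None
        while True:
            if base in originals:
                match = originals[base]  # keep the most-stripped match (the root file)
            if len(base) > 3 and base.endswith("exe"):
                base = base[:-3]         # peel one stacked "exe" and try again
            else:
                break
        if match is not None:
            hits.setdefault(match, []).append(name)
    return hits


# Constructed sample listing: one clean file with four stacked copies, plus benign files.
SAMPLE = [
    "Active Setup log.txt", "Active Setup logtxt.exe", "Active Setup logtxtexe.exe",
    "Active Setup logtxtexeexe.exe", "Active Setup logtxtexeexeexe.exe",
    "notepad.exe", "regedit.exe", "win.ini",
]

if __name__ == "__main__":
    for original, copies in find_suspect_copies(SAMPLE).items():
        print(original, "->", copies)
```

A hit is only a naming match; confirm with the file size given above and an up-to-date scanner before deleting anything.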

