Name: W32/Zoek-D
Aliases: I-Worm.Zoek.d, W32/Tcasut
Type: Win32 worm
Date: 2 July 2002

Sophos has received several reports of this worm from the wild.

Note: This IDE file also includes updated detection for Troj/BO-2000.

More information about W32/Zoek-D can be found at http://www.sophos.com/virusinfo/analyses/w32zoekd.html

W32/Zoek-D is an email worm. When the worm is run it will send a copy of itself to one entry from the Microsoft Outlook address book.

The worm will black out the screen and display 'One moment please' in large yellow letters across the top. After a few seconds a large button will appear with the text 'Windows Restart?'. Clicking on this button will cause Windows to shut down and restart.

The worm arrives in an email with the following characteristics:

    Subject line: Maxima Screensaver!
    Attached file: screenmaxima.scr

The body of the email will be blank.

The worm will copy itself to C:\Windows\Tcasuta.exe, drop another executable in C:\Windows\System\Tcasutb.exe and add the following registry entry so that tcasutb.exe is run each time Windows is started:

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\tcasutb.exe

Tcasutb.exe is a variant of Troj/BO-2000.

The worm will generate several files in C:\Windows containing configuration information about the host computer and encoded copies of the worm. The following files are created:

    accountboy.ini
    attachready.ini
    hoen.txt
    ipinfo.txt
    mailboy.ini
    mailready.ini
    passboy.ini
    ratmailready.ini
    secretsmailready.ini
    tcasuta.txt

Some of these files may have the Hidden attribute set. The worm will email some of this information (such as the IP address) to a remote email address.

mmm..coded with the Dutch audience in mind for sure - coded by a Dutchie without any doubt

regards,
paul
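
An added example, not part of the original post or of Sophos's advisory: a small Python check that looks for the file artifacts and the email characteristics listed above. The function names (`sweep`, `matches_mail`, `demo`) are hypothetical, the sample files and message are constructed, and the registry entry is not checked here.

```python
import os
import tempfile
from email import message_from_string
from email.message import EmailMessage

# Indicators copied from the advisory text; names are compared case-insensitively,
# as Windows does (the advisory itself writes Tcasutb.exe and tcasutb.exe).
DATA_FILES = {
    "accountboy.ini", "attachready.ini", "hoen.txt", "ipinfo.txt",
    "mailboy.ini", "mailready.ini", "passboy.ini", "ratmailready.ini",
    "secretsmailready.ini", "tcasuta.txt",
}

def sweep(windows_dir):
    """Return advisory artifacts found in windows_dir and its System folder."""
    hits = []
    # os.scandir also lists files that have the Hidden attribute set.
    for entry in os.scandir(windows_dir):
        name = entry.name.lower()
        if entry.is_file() and (name == "tcasuta.exe" or name in DATA_FILES):
            hits.append(entry.name)
        elif entry.is_dir() and name == "system":
            hits += [f"{entry.name}/{sub.name}" for sub in os.scandir(entry.path)
                     if sub.is_file() and sub.name.lower() == "tcasutb.exe"]
    return sorted(hits, key=str.lower)

def matches_mail(raw):
    """True if a raw RFC 822 message has the advisory's subject and attachment."""
    msg = message_from_string(raw)
    if (msg["Subject"] or "").strip() != "Maxima Screensaver!":
        return False
    return any((part.get_filename() or "").lower() == "screenmaxima.scr"
               for part in msg.walk())

def demo():
    """Run both checks on constructed sample data (empty placeholder files)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "System"))
        for rel in ("Tcasuta.exe", "System/Tcasutb.exe", "ipinfo.txt", "notepad.exe"):
            open(os.path.join(root, *rel.split("/")), "wb").close()
        found = sweep(root)
    mail = EmailMessage()
    mail["Subject"] = "Maxima Screensaver!"
    mail.set_content("")  # the advisory says the body is blank
    mail.add_attachment(b"constructed placeholder bytes", maintype="application",
                        subtype="octet-stream", filename="screenmaxima.scr")
    return found, matches_mail(mail.as_string())

if __name__ == "__main__":
    print(demo())
```

On a real host, `sweep` would be pointed at the Windows directory; a filename match alone is a lead to confirm with a scanner, since the names are the only thing compared.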