WORM_GOLTEN.A is a memory-resident network worm. It has no mass-mailing capabilities, but may have been mass-mailed to specific email addresses instead. The email message contains two .EMF file attachments: one shows the burial of Palestinian leader Yasser Arafat and the other contains code that exploits a Microsoft XP vulnerability.

The worm propagates via network shares and attempts to connect to network shared folders. It uses a list of user names and passwords to gain access to a machine, establish a network connection, and execute a copy of itself in the accessed network share.

This worm runs on Windows 2000 and XP, and is currently spreading in-the-wild.

Upon execution, this worm drops the following files in the Windows system folder:

* ALERTER.EXE - main component and installer
* COMWSOCK.DLL
* DMSOCK.DLL
* IETCOM.DLL
* SPTRES.DLL
* SCARDSER.EXE - installs .DLL (Dynamic Link Library) files that inject this worm into LSASS.EXE and IEXPLORE.EXE

It also adds a registry entry that allows it to automatically execute at every system startup, and installs the following .DLL files:

* COMWSCOK.DLL
* DMSOCK.DLL
* IETCOM.DLL
* SPTRES.DLL

These .DLL files inject this worm into the following processes:

* LSASS.EXE
* EXPLORER.EXE

The .DLL files download other components from a remote location, and are responsible for the propagation of this worm. The worm also adds a registry entry that initiates the download of a remote file, which is saved as DMSTI.EXE.

WORM_GOLTEN.A propagates through network shares and attempts to connect and execute a copy of itself in the following default network folders:

* ADMIN$
* IPC$

It also installs a service named NETLOG.
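A triage sweep for the file and service names listed above, as an added example that is not part of the original advisory or any Trend Micro tool. The function names and the temporary sample folder are constructed for illustration, and checking for DMSTI.EXE in the same folder is an assumption, since the advisory does not say where that file is saved.

```python
import os
import tempfile

# File names the advisory lists as dropped or downloaded. Both spellings of
# the COMW*.DLL name appear on the page, so both are checked.
GOLTEN_FILES = {
    "ALERTER.EXE": "main component and installer",
    "SCARDSER.EXE": "DLL installer",
    "COMWSOCK.DLL": "injector DLL",
    "COMWSCOK.DLL": "injector DLL (second spelling in advisory)",
    "DMSOCK.DLL": "injector DLL",
    "IETCOM.DLL": "injector DLL",
    "SPTRES.DLL": "injector DLL",
    "DMSTI.EXE": "downloaded remote file (location assumed)",
}
GOLTEN_SERVICE = "NETLOG"


def scan_system_folder(folder):
    """Return sorted (file name, role) pairs for entries matching the advisory.

    Windows file names are case-insensitive, so compare in upper case.
    A name match is a lead for follow-up scanning, not proof of infection.
    """
    hits = []
    for entry in os.listdir(folder):
        role = GOLTEN_FILES.get(entry.upper())
        if role and os.path.isfile(os.path.join(folder, entry)):
            hits.append((entry, role))
    return sorted(hits)


def find_service(service_names):
    """Return the service names equal to NETLOG, ignoring case and padding."""
    return [s for s in service_names if s.strip().upper() == GOLTEN_SERVICE]


def build_sample_folder():
    """Constructed sample: a temp directory standing in for the system folder."""
    folder = tempfile.mkdtemp()
    for name in ("kernel32.dll", "dmsock.dll", "Alerter.exe", "notes.txt"):
        open(os.path.join(folder, name), "w").close()
    os.mkdir(os.path.join(folder, "SPTRES.DLL"))  # directory, must be ignored
    return folder


if __name__ == "__main__":
    print(scan_system_folder(build_sample_folder()))
    print(find_service(["Netlogon", "netlog ", "Spooler"]))
```

On a real host, pass the Windows system folder path to `scan_system_folder` and the installed service names to `find_service`; the exact-match comparison keeps a name such as Netlogon from being flagged.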
This worm uses the following user names and passwords to gain access to machines connected on the same network:

* !@#$
* !@#$%
* !@#$%
* ~!@#
* 000000
* 00000000
* 111
* 111111
* 11111111
* 12
* 123
* 123!@#
* 1234
* 1234!@#$
* 12345
* 12345!@#$%
* 123456
* 1234567
* 12345678
* 54321
* 654321
* 888888
* 88888888
* admin
* fan@ing*
* oracle
* pass
* passwd
* password
* root
* secret
* security
* stgzs
* super

The worm may have been mass-mailed to specific email addresses. The email arrives with the following:

Subject: Latest News about Arafat!!!

Message body: Hello guys! Latest news about Arafat! Unimaginable!!!!!

The email also contains two .EMF file attachments: ARAFAT_1.EMF is a .JPG file showing the burial of Palestinian leader Yasser Arafat, and ARAFAT_2.EMF contains exploit code that uses the Microsoft Windows XP Metafile Heap Overflow vulnerability. When opened, the file drops this worm into a system.

If you would like to scan your computer for WORM_GOLTEN.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_GOLTEN.A is detected and cleaned by Trend Micro pattern file 2.247.03 and above.