W32.Siltund.Worm


Aliases: I-Worm.gen, W32/Livcam@MM, Win32.Brother, W32/Livecam-A, Win32/Bibro.A@mm
Variants: WORM_LIVCAM.A, Worm/BigBrother.Pol, Win32:Trojan-gen., I-Worm/Livcam, Win32.Bibro.A@mm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 01 Aug 2002
Damage: Low

Characteristics: W32.Siltund.Worm is a mass-mailing worm. It looks for email addresses in .htm* files in the current user's personal folder and sends itself to all the addresses that it finds.

More details about W32.Siltund.Worm

W32.Siltund.Worm is a mass-mailing worm. It looks for email addresses in .htm* files in the current user's personal folder and sends itself to all the addresses that it finds. When W32.Siltund.Worm runs, it copies itself to “C:\%windir%\Temp\000000s.b64” and “C:\%system%\b1g_brother.exe”. The attributes of these two files are set to read-only and hidden. Note that “%windir%” is a variable: the worm locates the “\Windows” folder (by default, C:\Winnt or C:\Windows) and copies itself to the “Temp” folder under that location. “%system%” is also a variable: the worm locates the “\Windows\System” folder (by default, C:\Winnt\System32 or C:\Windows\System) and copies itself to that location. To make itself run when Windows starts, the worm adds the line “run=C:\%System%\b1g_brother.exe” to the [windows] section of the “C:\Windows\Win.ini” file.
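A check for the Win.ini autostart line described above, as an added example that is not part of the original entry. The function names and both sample files are constructed for illustration; only the file name b1g_brother.exe and the run= line come from the description.

```python
import re

# Indicator taken from the description above; everything else is illustrative.
WORM_BINARY = "b1g_brother.exe"

def windows_run_entries(win_ini_text):
    """Return the programs listed on run= lines in the [windows] section."""
    section = None
    programs = []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INI comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:                                # section names are case-insensitive
            section = header.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip().lower() == "run":
            # A run= line may list several programs separated by spaces or commas.
            programs += [p for p in re.split(r"[,\s]+", value.strip()) if p]
    return programs

def siltund_autostart(win_ini_text):
    """Return run= entries whose file name matches the worm's dropped copy."""
    hits = []
    for prog in windows_run_entries(win_ini_text):
        name = prog.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
        if name == WORM_BINARY:
            hits.append(prog)
    return hits

# Constructed sample files, not captured from a real host.
INFECTED = """[windows]
load=
Run=C:\\Windows\\System\\b1g_brother.exe
[Desktop]
Wallpaper=(None)
"""
OTHER_SECTION = """; the same line outside [windows] is not an autostart entry
[windows]
run=C:\\Tools\\clock.exe
[boot]
run=C:\\Windows\\System\\b1g_brother.exe
"""

if __name__ == "__main__":
    for label, text in (("infected", INFECTED), ("other section", OTHER_SECTION)):
        print(label, siltund_autostart(text))
```

The match is on the file name only, so it covers both default system folders named above; the dropped files are hidden and read-only, so confirm a hit by inspecting the folder with hidden files shown.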

W32.Siltund.Worm creates the file “C:\%windir%\Temp\00000b.rat”. The .rat file is in e-mail format and has the worm as its attachment. The worm gets the SMTP server’s info from the registry key. It gets the private folder name of the user from the registry key. It then looks for email addresses in all “.htm” files that are under the private folder. The worm uses its own SMTP engine to send itself to all email addresses that it locates. The email messages have these contents:

From: "BIGBROTHER TVN POLSKA" bigbrother@bigbrother.tvn.com.pl
Subject: BIGBROTHER SHOW!
Message: Teraz mozesz ogladac BIGBROTHER SHOW za pomoca komputera! Jak to zrobic? Wystarczy ze uruchomisz specjalny program, ktory zostal dolaczony do wiadomosci. Ponadto za pomoca tego narzedzia mozesz nominowac wybrane przez ciebie osoby, do opuszczenia domu Wielkiego Brata. Co miesiac rozlosowane beda nagrody (telewizory, wieze stereo, komputery ...i wiele ,wiele innych). Prosimy przysylac opinie i komentarze na temat programu. Zyczymy milej zabawy: Redakcja program