W32.Sndog@mm


Aliases: Email-Worm.VBS.Triny.m, VBS/MassMail.gen*
Variants: VBS_SNOOP.A, VBS/Melia.A.worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 20 Sep 2004
Damage: Low

Characteristics: The W32.Sndog@mm program is a generic Visual Basic worm that spreads through Microsoft Outlook and peer-to-peer file sharing.

More details about W32.Sndog@mm

The W32.Sndog@mm program is a generic Visual Basic worm that spreads through Microsoft Outlook and peer-to-peer file sharing. Once the W32.Sndog@mm worm is opened, it copies itself to “%windir%\csrss.exe” as a hidden file. The worm creates the following copies of itself in the “%temp%” folder: “Ave.exe”, “Broma.exe”, “Corsa.exe”, “Doors.exe”, “HuevoHussein.exe”, “Huevomaniaco.exe”, “liame.vbs”, “Pkzip.exe”, “Program.exe”, “Proyecto.exe”, “Setup1.exe”, and “Unzip.exe”. Then, it creates the following copies of itself on drive A: “ac&dc.exe”, “archivos.exe”, “Files.exe”, “media.exe”, “mono mario.exe”, “presentacion.exe”, and “source.exe”. The worm then searches the hard drive for .zip files. If WinZip is already installed on the computer system, the worm appends any of the .exe files above to any zipped files it locates.

The W32.Sndog@mm worm looks for the following P2P services: “EDonkey”, “P2P Edonkey”, “kazaa”, “Morpheus”, “iMesh”, “BearShare”, “Grokster”, and “Edonkey2000”. If any of those P2P services are found, the worm copies itself to the download folder as “Crack de winzip 9”, “Neoragex parche para Kof2003”, “Windows Xp Home serial number”, “WinXp Home KeyGenerator”, “Windows Xp Profesional serial number”, “WinXp Profesional Serials”, “Office Xp crack”, “Keygenerator Office Xp”, “Emurayden Xp”, “Half life Keygenerator”, “Setup”, “HLKeygenerator”, “Half life opossing force crack”, “Opossing crack”, “Visual Basic keygenerator”, “Keygenerator”, “Delphi all versions keygen”, and “Norton Antivirus 2004 keygen”.

The worm then adds the value "Shockwave" = "%windir%\csrss.exe" to a registry key so that the worm runs each time Windows starts. The worm changes the Internet Explorer start page to a local page identified as a “poor dog”. The worm spreads itself to the addresses found in the Windows address book.
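
The indicators described above, expressed as a small triage check (an added example, not part of the original write-up). It assumes the hidden copy sits directly under %windir% as csrss.exe, takes autostart entries as a name-to-command map because the write-up does not name the registry key, and runs over a constructed inventory; all function names are hypothetical.

```python
import ntpath

# Names from the write-up above, lower-cased; ntpath applies Windows path rules on any OS.
TEMP_COPIES = {"ave.exe", "broma.exe", "corsa.exe", "doors.exe", "huevohussein.exe",
               "huevomaniaco.exe", "liame.vbs", "pkzip.exe", "program.exe",
               "proyecto.exe", "setup1.exe", "unzip.exe"}
FLOPPY_COPIES = {"ac&dc.exe", "archivos.exe", "files.exe", "media.exe",
                 "mono mario.exe", "presentacion.exe", "source.exe"}
P2P_LURES = {"crack de winzip 9", "neoragex parche para kof2003", "setup", "keygenerator",
             "windows xp home serial number", "winxp home keygenerator",
             "windows xp profesional serial number", "winxp profesional serials",
             "office xp crack", "keygenerator office xp", "emurayden xp", "hlkeygenerator",
             "half life keygenerator", "half life opossing force crack", "opossing crack",
             "visual basic keygenerator", "delphi all versions keygen",
             "norton antivirus 2004 keygen"}

def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))

def check_file(path, windir, temp, share_dirs=()):
    """Return a finding for one file path, or None if it matches nothing."""
    folder, name = ntpath.split(_norm(path))
    if name == "csrss.exe" and folder == _norm(windir):
        return "csrss.exe directly in %windir% (the genuine one is in System32)"
    if folder == _norm(temp) and name in TEMP_COPIES:
        return "worm copy name in %temp%"
    if folder == "a:\\" and name in FLOPPY_COPIES:
        return "worm copy name on drive A:"
    if folder in {_norm(d) for d in share_dirs} and ntpath.splitext(name)[0] in P2P_LURES:
        return "lure name in a P2P download folder"
    return None

def check_autorun(value_name, command, windir):
    """True for a 'Shockwave' autostart value that launches %windir%\\csrss.exe."""
    cmd = command.strip().strip('"').lower().replace("%windir%", _norm(windir))
    return (value_name.lower() == "shockwave"
            and _norm(cmd) == _norm(ntpath.join(windir, "csrss.exe")))

def scan(files, autoruns, windir, temp, share_dirs=()):
    hits = [(f, why) for f in files if (why := check_file(f, windir, temp, share_dirs))]
    hits += [(n, "autostart value launches the hidden copy")
             for n, c in autoruns.items() if check_autorun(n, c, windir)]
    return hits

# Constructed sample inventory (not taken from a real system).
SAMPLE_FILES = [r"C:\Windows\System32\csrss.exe", r"C:\WINDOWS\CSRSS.EXE",
                r"C:\Temp\liame.vbs", r"C:\Tools\unzip.exe",
                r"A:\mono mario.exe", r"D:\Shared\Office Xp crack.exe"]
SAMPLE_AUTORUNS = {"Shockwave": r"%windir%\csrss.exe", "Updater": r"C:\App\upd.exe"}
```

Generic names such as “Setup” and “Unzip.exe” only count when they appear in the folder the write-up ties them to, which keeps a legitimate unzip.exe elsewhere on disk from being flagged.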