Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload:
Detection files published: 21 Nov 2000 03:00:00
Description created: 21 Nov 2000 03:00:00
Description updated: 21 Nov 2000 03:00:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL
Summary: None

W32/Music.40960.Worm

Spreading

When executed, the worm stays in system memory and appears in the Task List as SysDrv.

The worm displays an animation and plays music. The original page showed two pictures taken from the animation (images not available).


W32/Music drops a copy of itself to {WindowsSystemFolder}\SYSMCM.EXE (the default folder is C:\Windows\System) and modifies the following Registry key to load this file each time Windows is started:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SysDrv = c:\windows\system\sysmcm.exe

It also creates another Registry key to store information about itself:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MCM
    FirstRun
    Status
    RunMCM
    SMTP
    Version = 001110

The file that arrives in the e-mail (music.exe, music.com or music.zip) is not able to propagate by itself. To be able to propagate, the worm has to download some files from an Internet site. Two files are downloaded and copied to {WindowsFolder} as SYSTMP.DLL and SYSDRV.EXE. These files are used to obtain e-mail addresses from the Microsoft Address Book and subsequently to send e-mails with infected attachments to these addresses.

The worm is able to get PlugIns for itself from some web sites.
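
A check for the registry indicators described above, run over a text registry export. This is an added example, not part of the original description; the function name, the finding labels and the sample export are constructed for illustration, and the input is assumed to be an already decoded .reg file.

```python
import re

# Indicators taken from the description above (compared case-insensitively).
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
INFO_KEY_PREFIX = r"hkey_local_machine\software\microsoft\mcm"
RUN_VALUE = "sysdrv"
DROPPED = re.compile(r'(?:^|[\\/" ])sysmcm\.exe(?:$|[" ])', re.I)

# "name"="string data" line of a .reg export; backslashes and quotes are escaped.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    return re.sub(r"\\(.)", r"\1", text)

def find_music_indicators(reg_text):
    """Return (indicator, key, value_name) tuples found in a .reg export."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # Loose prefix match on the worm's own key; confirm hits by hand.
            if key.lower().startswith(INFO_KEY_PREFIX):
                findings.append(("info-key", key, ""))
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or key.lower() != RUN_KEY:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        if name.lower() == RUN_VALUE:
            findings.append(("run-value-name", key, name))
        if DROPPED.search(data):
            findings.append(("run-value-target", key, name))
    return findings

# Constructed sample export, not captured from a real host.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"SysDrv"="c:\\windows\\system\\sysmcm.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MCM]
"Version"="001110"
'''

if __name__ == "__main__":
    for finding in find_music_indicators(SAMPLE):
        print(finding)
```

The Run value name and its target are reported separately, so an entry that was renamed but still points at SYSMCM.EXE is still flagged.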

Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11