Lumension® Endpoint Intelligence Center

W32/Sheer.A@mm

Threat Risk LOW
Destructivity NONE
Detection files published
Description created 31 Dec 2001 09:05:00
Description updated 31 Dec 2001 09:04:00
Malware type WORM
Alias W32/Zoher.A
Spreading mechanism EMAIL
Summary None
The worm uses the same exploit as the W32/Nimda worm to execute automatically when the message is opened or previewed in Outlook or Outlook Express.

When the worm executes, it tries to hide itself from the task list by calling the RegisterServiceProcess API, a function that is not available on Windows NT-based platforms (NT/2000/XP). On these platforms the worm crashes.

After this, it looks up the user's mail account, mail server and address book, and attempts to connect to the Internet. It then attempts to download a file called LIST.TXT from a web site in Italy. This file contains the body text (including the attachment) of the emails to be sent.

If there is no Internet connection, or the web site is unavailable, the worm sleeps for 60 seconds before it tries again.

If everything works OK, the worm will send itself to all users listed in the Windows Address Book.

The file LIST.TXT has since been removed from the Italian site, so the worm is effectively dead. However, it remains active on infected computers, attempting in vain to fetch the infectious file to send. In many cases it sends an empty web page instead.

Last Updated: 12 Nov 2015 11:06:12