Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload: Creates empty directories. Shows messages.
Detection files published: 17 Jan 2002 03:00:00
Description created: 16 Jan 2002 07:41:00
Description updated: 19 Feb 2002 04:39:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL, IRC
Summary: None

W32/Spester.A@mm

Spreading

This small email worm normally arrives as a zip archive, which it encourages you to open. Inside there is a small executable called spdtest.exe. If this executable is run, it creates two new files: OneClock.vbs and script.ini. The script.ini file is placed in the default mIRC directory, replacing any file of that name that might already be there.

The OneClock.vbs file sends the SPDTEST.ZIP file to all users found in the Outlook address book. If, for any reason, the script does not find the ZIP archive, it sends itself instead, so it is possible that only the VB script itself will propagate.

The script.ini file causes the popular IRC client mIRC to send SPDTEST.ZIP to users joining the infected user's channel.

Payload Details

The worm has a few date-triggered payloads.

10th: Shows a message box saying: "Tip Of The Day: You look really beautiful today."

25th: Runs the email sending routine again.

31st: Creates 50 empty directories named 1o, 1oo, 1ooo etc., 90 named 2n, 2nn, 2nnn etc., and 130 named 3e, 3ee, 3eee etc. on the C: drive.

12th of September: Shows a message box saying "Happy Birthday!!!"
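The artifacts described above can be checked for with a short script. This is an added example, not part of the original write-up or any vendor tool: it assumes each directory family is the digit followed by one repeated letter up to the stated count, and the directory to scan is chosen by the caller, since the description does not say where OneClock.vbs is written.

```python
import os
import re
import tempfile

# File names the description attributes to the worm (matched case-insensitively).
# script.ini is not listed: it is also the name of a legitimate mIRC file.
WORM_FILES = {"spdtest.exe", "spdtest.zip", "oneclock.vbs"}

# Payload directory families "1o, 1oo, ...", "2n, 2nn, ...", "3e, 3ee, ...".
# Assumption: digit plus 1..N copies of the letter, N being the count given
# in the description for that family.
DIR_FAMILIES = {"1o": 50, "2n": 90, "3e": 130}
DIR_PATTERN = re.compile(r"^([123])([one])\2*$")

def classify_dir(name):
    """Return the family key ('1o', '2n', '3e') if name fits a payload pattern."""
    m = DIR_PATTERN.match(name.lower())
    family = m.group(1) + m.group(2) if m else None
    if family not in DIR_FAMILIES or len(name) - 1 > DIR_FAMILIES[family]:
        return None
    return family

def scan(root):
    """Scan one directory level; return worm file hits and empty-dir counts."""
    files, dirs = [], {k: 0 for k in DIR_FAMILIES}
    with os.scandir(root) as entries:
        for e in entries:
            if e.is_file() and e.name.lower() in WORM_FILES:
                files.append(e.name)
            elif e.is_dir(follow_symlinks=False):
                family = classify_dir(e.name)
                # The payload creates empty directories; skip ones holding data.
                if family and not os.listdir(e.path):
                    dirs[family] += 1
    return sorted(files), dirs

def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name in ["1o", "1oo", "2nnn", "3e", "Program Files", "1n"]:
            os.mkdir(os.path.join(root, name))
        os.mkdir(os.path.join(root, "3ee"))
        open(os.path.join(root, "3ee", "notes.txt"), "w").close()  # non-empty
        open(os.path.join(root, "OneClock.vbs"), "w").close()
        return scan(root)
```

On a real host, call scan() on the root of the C: drive; a large count of empty directories in all three families is a much stronger signal than a single matching name.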

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14