The
worm uses its own SMTP engine to propagate and attempts
to create a copy of itself on accessible network shares,
but fails due to bugs in the code.
Email routine details
The email message has the following characteristics:
From:
Spoofed address (which means that the sender in the
"From" field is most likely not the real
sender). The worm may also use the address, admin@internet.com,
as the sender.
NOTES:
The spoofed addresses and the Send To addresses are
both taken from the files found on the computer. Also,
the worm may use the settings of the infected computer's
settings to check for an SMTP server to contact.
The choice of the internet.com domain appears to be
arbitrary and does not have any connection to the
actual domain or its parent company.
Subject:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details
Body:
See the attached file for details
Please see the attached file for details.
Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
NOTES:
The worm de-activates on September 10, 2003. The last
day on which the worm will spread is September 9,
2003.
More
information about this virus can be found here
at Symantec's web site.
>>
More Virus
Information
