October 18th, 2003, 10:24 AM
I have just found this on FOUR computers on my Network!
WORM_REDIST.E is a non-destructive worm that spreads via email using Microsoft Outlook, and via peer-to-peer (P2P) file-sharing networks. It also has password-stealing capabilities. It runs on Windows 95, 98, ME, NT, 2000, and XP.
Upon execution, this worm displays the following message box:
Error Starting Progam
A required .DLL file, MSVBM60.DLL, was not found.
It drops the following copies of itself into the Windows folder:
It drops the following copies of itself into the Windows system folder:
It drops the following copy into the Startup folder:
The worm creates registry entries that allow its dropped copy, WINSCZ32.EXE, to execute at every Windows startup.
This worm propagates by sending a copy of itself to all email addresses found in the infected users' address book. It uses Microsoft Outlook (MAPI) to send email with varying details. A sample of the email it sends, are as follows:
Subject: A new screensaver
Message Body: Take a look at this new screensaver in the attachments that I downloaded from the internet a while ago. If you like it, try setting it as your system screensaver Cya!
Subject: Your file
Message Body: Here is that file that you asked for (in the attachments). Sorry that I sent it late, I had trouble finding it on the computer.
This worm also attempts to propagate to other P2P and chat clients. To do so, it drops the following copies of itself:
Bruce Almighty (Downloader).pif
Legally Blonde 2 (Downloader).pif
Movie - Finding Nemo (Downloader).pif
Movie - Terminator 3 (Downloader).pif
Movie - The Hulk (Downloader).pif
Movie - The Italian Job (Downloader).pif
Sinbad - Legend of the Seven Seas (Downloader).pif
into the following paths, if they exist:
%Program Files%\Grokster\My Grokster
%Program Files%\ICQ\Shared Files
%Program Files%\Kazaa Lite\My Shared Folder
%Program Files%\Kazaa\My Shared Folder
%Program Files%\KMD\My Shared Folder
%Program Files%\Morpheus\My Shared Folder
%Program Files%\WinMX\My Shared Folder
This worm also drops randomly named files into the following paths:
\My Documents\My Music
This worm also attempts to capture and send cached passwords to a remote malicious user. This function only applies on systems running Windows 95 and 98, since the API used is not available on NT-based systems. It appears that the information is being sent to the following email address:
I got this info from Trend Macro.