The threat is spammed through email as a holiday greeting cards. The email contains a link to a website that hosts the worm.
The worm creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SmartIndex" = "[PATH TO WORM]"
It also creates the following registry entries:
- HKEY_CURRENT_USER\Software\Google\"ID" = "[HEXADECIMAL DIGITS]"
- HKEY_CURRENT_USER\Software\Google\"ID2" = "[HEXADECIMAL DIGITS]"
- HKEY_CURRENT_USER\Software\Google\"ID3" = "[HEXADECIMAL DIGITS]"
The worm then opens a back door on the compromised computer on TCP port 80 and UDP port 445.
The worm may also connect to some of the following IP addresses:
The worm may end certain processes.
It then attempts to download updates of itself from the following URL:
It may also download other executable files.
The worm sends the following spam emails with a link that leads to a malicious file, which is usually a copy of itself:Subject:
Walt has created a New Year ECard.
Your Ecard: [http://]trackside.co.uk/z32iyk[REMOVED]
The greeting card will be stored for you for 14 days.Subject:
Cordelia sent you New Year Wishes!Body:
Cordelia sent a New Year card.
View the card by clicking: [http://]toowoombastampclub.org/r9zk70[REMOVED]
Your eCard will be available for the next 20 days.Subject:
Happy New Year 2011!Body:
Saul mailed an Online greeting card.
To pick up your greeting card, click on the following link:
Your eCard will be available with us for the next 30 days.Subject:
Wish You A Happy New Year!Body:
Jen wants to show you a greeting card.
Your card will be available at: [http://]polyepiplo.gr/8z21bj[REMOVED]
For your convenience, the greeting card will be available for the next 30 days.
The worm may also communicate between compromised computers using HTTP and SNMP.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":