Discovered: August 09, 2004
Updated: July 22, 2004 11:11:13 PM
Systems Affected: Windows
This is a mass-mailing worm that spreads through email using its own SMTP
engine and opens a backdoor on TCP port 1234 on infected systems. The
executable is packed with UPX.
When executed, the worm displays the following fake error message:
Can't find a viewer associated with the file
It creates the following 7 mutexes. Some of these will prevent variants
of Netsky from launching:
In order to prevent other worms from executing on Windows startup, it
also deletes the following registry values:
"Zone Labs Client Ex"
"Special Firewall Service"
"Norton Antivirus AV"
from the keys:
The worm then creates the following files:
%System%\FUKULAMER.exeopen, which is a copy of the worm with randomly
%System%\FUKULAMER.exeopenopenopenopen, which is not viral by itself
It will also create a file %System%\FUKULAMER.exeopenopen, which will be
a .zip, .vbs, .cpl or .hta file, or a copy of the worm itself. One of the
following actions will occur, depending on the file type:
If the file is a .zip file, it will contain two randomly named files.
One will be a .exe file and the other will be a text file with a .ini,
.cfg, .txt, .vxd, .def, or .dll extension.
If the file is a .vbs file and is executed, it will drop a file named
vss_2.exe into the current folder.
If the file is a .cpl file and is executed, it will drop the file
%Windir%\cplstub.exe.
If the file is a .hta file and is executed, it will drop a file named
qwrk.exe into the current folder.
It also drops the file %System%\FUKULAMER.exeopenopenopen. If Gdiplus.dll
is present on the computer, this file is a .jpeg or .gif image; otherwise
it is a .bmp file.
The following registry entry is created so that it executes every time
If the system date is after January 25, 2005, the worm will exit from
memory and delete its registry value, as well as the key:
The worm attempts to copy itself into every folder whose name contains the
string SHAR, using the following file names:
Adobe Photoshop 9 full.exe
Ahead Nero 7.exe
Kaspersky Antivirus 5.0
Matrix 3 Revolution English Subtitles.exe
Microsoft Office 2003 Crack, Working!.exe
Microsoft Office XP working Crack, Keygen.exe
Microsoft Windows XP, WinXP Crack, working Keygen.exe
Opera 8 New!.exe
Porno pics arhive, xxx.exe
Porno, sex, oral, anal cool, awesome!!.exe
WinAmp 5 Pro Keygen Crack Update.exe
WinAmp 6 New!.exe
Windown Longhorn Beta Leak.exe
Windows Sourcecode update.doc.exe
XXX hardcore images.exe
It will attempt to send itself to email addresses it gathers from the
system from files with the following extensions on the compromised
The email message constructed by the worm typically has the following
The from address will be spoofed.
Subject may be one of the following:
Re: Msg reply
Re: Thank you!
Re: Thanks :)
RE: Text message
Re: Incoming Message
RE: Incoming Msg
RE: Message Notify
RE: Protected message
If the attachment is a .zip file, then the message body will contain one
of the following messages:
For security reasons attached file is password protected. The password
For security purposes the attached file is password protected. Password
Note: Use password
Attached file is protected with the password for security reasons.
In order to read the attach you have to use the following password:
followed by a 5-digit password or a copy of the image file dropped as
If the attachment is not a .zip file, the message body will be one of the
following:
Read the attach.
Your file is attached.
More info is in attach
Please, have a look at the attached file.
Your document is attached.
Please, read the document.
Attach tells everything.
Attached file tells everything.
Check attached file for details.
Check attached file.
Pay attention at the attach.
See the attached file for details.
Message is in attach
Here is the file.
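The lure described above is specific enough to score at a mail gateway. The following is an added example (not code from the original writeup or from any vendor product) that parses an RFC 822 message with Python's email module and reports which of the listed indicators fire: a listed subject line, a .zip attachment together with one of the "password protected" body phrases, a 5-digit password in the body, an image attachment carrying the password, or a one-line lure body together with an executable attachment. The set of extensions treated as executable (.exe plus the .vbs, .cpl and .hta droppers named above) is an assumption, because the page does not reproduce the worm's attachment-extension list; the sample messages are constructed here, not real captures.

```python
import os
import re
from email import message_from_string
from email.message import EmailMessage

# Subject lines and body phrases quoted in the writeup above.
SUBJECTS = {
    "re: msg reply", "re: thank you!", "re: thanks :)", "re: text message",
    "re: incoming message", "re: incoming msg", "re: message notify",
    "re: protected message",
}
ZIP_BODY_PHRASES = (
    "for security reasons attached file is password protected",
    "for security purposes the attached file is password protected",
    "note: use password",
    "attached file is protected with the password for security reasons",
    "in order to read the attach you have to use the following password",
)
PLAIN_BODY_PHRASES = {
    "read the attach.", "your file is attached.", "more info is in attach",
    "please, have a look at the attached file.", "your document is attached.",
    "please, read the document.", "attach tells everything.",
    "attached file tells everything.", "check attached file for details.",
    "check attached file.", "pay attention at the attach.",
    "see the attached file for details.", "message is in attach",
    "here is the file.",
}
# Assumption (the page's attachment-extension list is not reproduced): treat the
# dropper types the writeup names plus .exe as executable attachments.
EXEC_EXTS = {".exe", ".vbs", ".cpl", ".hta"}
IMAGE_EXTS = {".jpeg", ".jpg", ".gif", ".bmp"}  # formats of the dropped password image


def _norm(text):
    """Lower-case and collapse whitespace so phrase matching is exact but forgiving."""
    return re.sub(r"\s+", " ", text or "").strip().lower()


def score_message(raw):
    """Return the names of the indicators that fire for one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if _norm(msg.get("Subject")) in SUBJECTS:
        hits.append("subject")
    texts, attachments = [], set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            attachments.add(os.path.splitext(part.get_filename().lower())[1])
        elif part.get_content_type() == "text/plain":
            texts.append((part.get_payload(decode=True) or b"").decode("latin-1", "replace"))
    body = _norm(" ".join(texts))
    if ".zip" in attachments:
        if any(p in body for p in ZIP_BODY_PHRASES):
            hits.append("zip-password-body")
        if re.search(r"\b\d{5}\b", body):  # the 5-digit password given in the body
            hits.append("five-digit-password")
        if attachments & IMAGE_EXTS:  # or the password delivered as the dropped image
            hits.append("password-image")
    if attachments & EXEC_EXTS and body in PLAIN_BODY_PHRASES:
        hits.append("plain-lure-with-executable")
    return hits


def is_suspicious(raw):
    """Quarantine on two independent indicators; a matching subject alone is not enough."""
    return len(score_message(raw)) >= 2


def build_sample(subject, body, attachments):
    """Construct a test message (not a real capture) from a body and (name, type, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    for name, mimetype, data in attachments:
        maintype, subtype = mimetype.split("/")
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_string()


# Constructed samples: a zip lure with the password in the body and as an image,
# a one-line lure with a .cpl dropper, and a benign reply that shares a subject line.
SAMPLE_ZIP = build_sample(
    "Re: Thank you!",
    "For security reasons attached file is password protected. The password is 48213",
    [("Document.zip", "application/zip", b"PK\x03\x04"), ("pass.gif", "image/gif", b"GIF89a")])
SAMPLE_CPL = build_sample("RE: Incoming Msg", "Check attached file.",
                          [("Message.cpl", "application/octet-stream", b"MZ")])
SAMPLE_BENIGN = build_sample("Re: Thank you!", "Thanks, I will read the report tomorrow.", [])
```

Running score_message over the three samples gives four indicators for the zip lure, two for the .cpl lure and only "subject" for the benign reply, which is why is_suspicious requires two independent indicators rather than acting on a subject line that legitimate replies also use.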
The attachment name will be one of the following:
The attachment extension will be one of the following:
The worm will not send itself to addresses containing the following
The worm also opens a backdoor on TCP port 1234, which allows the infected computer to be used as an email relay.
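The host-side indicators in this writeup (the %System%\FUKULAMER.exeopen* drop files, the lure-named copies in folders containing "shar", and the TCP 1234 listener) can be checked with a short script. The following is an added example, not code from the original writeup or from any vendor tool. It assumes the folder-name match is case-insensitive, that %System% is %SystemRoot%\System32, and that the listener is found by parsing Windows `netstat -ano` output; the netstat excerpt and its PIDs are constructed for the demonstration.

```python
import os
import subprocess
import sys

# Indicators quoted in the writeup above.
DROP_PREFIX = "fukulamer.exeopen"   # %System%\FUKULAMER.exeopen, ...exeopenopen, and so on
BACKDOOR_PORT = 1234
SHARE_MARKER = "shar"               # the worm copies itself into folders whose name contains this
LURE_NAMES = {name.lower() for name in (
    "Adobe Photoshop 9 full.exe", "Ahead Nero 7.exe", "Kaspersky Antivirus 5.0",
    "Matrix 3 Revolution English Subtitles.exe",
    "Microsoft Office 2003 Crack, Working!.exe",
    "Microsoft Office XP working Crack, Keygen.exe",
    "Microsoft Windows XP, WinXP Crack, working Keygen.exe", "Opera 8 New!.exe",
    "Porno pics arhive, xxx.exe", "Porno, sex, oral, anal cool, awesome!!.exe",
    "WinAmp 5 Pro Keygen Crack Update.exe", "WinAmp 6 New!.exe",
    "Windown Longhorn Beta Leak.exe", "Windows Sourcecode update.doc.exe",
    "XXX hardcore images.exe",
)}


def is_dropped_file(filename):
    """True for the %System% drop names (FUKULAMER.exeopen and its longer siblings)."""
    return filename.lower().startswith(DROP_PREFIX)


def is_share_lure(folder, filename):
    """True when filename is a lure name and the folder's own name contains 'shar'.

    Assumption: the match on the folder name is case-insensitive.
    """
    leaf = folder.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
    return SHARE_MARKER in leaf.lower() and filename.lower() in LURE_NAMES


def backdoor_listener_pids(netstat_lines, port=BACKDOOR_PORT):
    """PIDs with a TCP listener on port, parsed from Windows `netstat -ano` output."""
    pids = []
    for line in netstat_lines:
        fields = line.split()
        # Proto  Local Address  Foreign Address  State  PID  (UDP rows have no State)
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            if fields[1].rsplit(":", 1)[-1] == str(port):
                pids.append(int(fields[4]))
    return pids


def scan_tree(root):
    """Walk root and return (folder, filename) pairs matching the share-propagation names."""
    return [(folder, name) for folder, _dirs, files in os.walk(root)
            for name in files if is_share_lure(folder, name)]


# Constructed `netstat -ano` excerpt for the demonstration; the PIDs are assumptions.
NETSTAT_SAMPLE = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900",
    "  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING       1880",
    "  TCP    192.168.1.20:1234      10.0.0.5:25            ESTABLISHED     1880",
    "  UDP    0.0.0.0:1234           *:*                                    2312",
]


def main(roots):
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    if os.path.isdir(system_dir):
        for name in os.listdir(system_dir):
            if is_dropped_file(name):
                print("dropped file:", os.path.join(system_dir, name))
    for root in roots:
        for folder, name in scan_tree(root):
            print("lure copy:", os.path.join(folder, name))
    if os.name == "nt":
        out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        for pid in backdoor_listener_pids(out.splitlines()):
            print(f"TCP {BACKDOOR_PORT} listener, PID {pid}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python hunt.py D:\` (or any root that holds shared folders) on the host under investigation; on the constructed netstat excerpt only PID 1880 is reported, because the ESTABLISHED row and the UDP row on the same port are not listeners.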