W32.Salga.A@mm

Discovered: November 26, 2004
Updated: November 30, 2004 4:20:27 AM
Systems Affected: Windows

W32.Salga.A@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to all the email addresses that it finds in the Outlook Address Book. It also attempts to spread through mIRC, file sharing networks, and network shares.

When executed, the worm copies itself as the following, if the folder exists:
.exe
%Windir%\system\system copy.exe
%Windir%\system32\egywormo[gen1].exe
%Windir%\acdsee demo.exe
%Windir%\All Users\Start Menu\Programs\StartUp\ana~1.exe
%Windir%\Start Menu\inter net speeder.zip.exe
%Windir%\start menu\programs\new chat prog.zip.exe
C:\Britny spears marrage with Bnladensun.zip
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\egy~1
C:\Documents and Settings\All Users\DESKTOP\holywood stuff film.zip.exe
C:\Documents and Settings\All Users\Start Menu\nicole kidman sexy cam.zip.exe
C:\Documents and Settings\All Users\Start Menu\Programs\your sexy cam.zip.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\magic graphices maker.zip.exe
C:\Program Files\Accessories\Nicole Kidman.zip...............exe
C:\Program Files\Accessories\BRITNY SPEARS MARRAGE.zip...............exe
C:\Program Files\Accessories\Is Bnladen realy cow boy.zip...............exe
C:\Program Files\Accessories\Details.zip...............exe
C:\Program Files\Accessories\Details of new friends.zip...............exe
C:\Program Files\Accessories\kasper2005.zip...............exe
C:\Program Files\Accessories\hard sex files.zip...............exe
C:\program files\mirc\Britny spears marriage with Bnladen son.zip.exe
C:\program files\mirc32\Britny spears marriage with Bnladen son.zip.exe

The worm then creates the following registry entries so that the worm runs when you restart Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system xp = %Windir%\acdsee demo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = %Windir%\system\system copy.exe

Next, it overwrites the following files:
C:\program files\mIRC\script.ini
C:\program files\mIRC32\script.ini
so that it can send the following file to other IRC users who connect to the same channel as the infected machine:
Britny spears marriage with Bnladen son.zip.exe

The worm then creates the following folders:
%Windir%\All Users\Desktop\sex cam
C:\Britny
C:\hard core hook from web
D:\hook all sex movies from webs
D:\new computer worm alert
D:\NEW PROGRAMS
E:\real sex telephones

It also copies itself as the following:
%Windir%\All Users\Desktop\sex cam\sex photoes of monika.zip.exe
C:\Britny\NEW FILM.ZIP.EXE
C:\hard core hook from web\setup.zip.exe
D:\hook all sex movies from webs\setup.zip.exe
D:\FUN.ZIP.EXE
D:\girlfriends emails.zip.exe
E:\blood of fetch sex.zip.exe
E:\real sex telephones\me.zip.exe
E:\Messenger 9.00.ZIP.EXE

Next, the worm creates the file D:\autorun.inf containing the following lines:
[autorun]
open=FUN.ZIP.EXE

It then creates a file E:\autorun.inf containing the following lines:
[autorun]
open=Messenger 9.00.ZIP.EXE

It creates the folder C:\Program Files\Kazaa\My Shared Folder\Shared and copies itself to this folder as the following:
huge sexy brests program v 1.7.00.zip.exe
3d msn version 10.1.zip................exe
this files is very secret files.zip.........exe
new film.zip.........exe
i robot.zip.........exe
anti virus.zip.........exe
fire wall.zip.........exe
news.zip.........exe
yahoo.zip.........exe
aol.zip.........exe
mirc.zip.........exe
hack.zip.........exe
virus.zip.........exe
animal photos.zip.........exe
USA secrets.zip.........exe
photo shop.zip.........exe
deutsh programs.zip.........exe
wwf.zip.........exe
tourism.zip.........exe
fear.zip.........exe
autocade.zip.........exe
3dstoudio.zip.........exe
scince of water.zip.........exe
office 2005.zip.........exe
antibiotics.zip.........exe
viagra.zip.........exe
visual basic projects.zip.........exe
FBI secrets.zip.........exe
FOOTBALL IN ENGLAND.zip.........exe
TOY 2006.zip.........exe
Britny Spears.zip.........exe
Dracola.zip.........exe
pebsi.zip.........exe
news paper.zip.........exe
cocacola.zip.........exe
songs.zip.........exe
norton 2005.zip.........exe
xxl plus.zip.........exe
lesbien.zip.........exe
hard core.zip.........exe
sex plus.zip.........exe
computers in 2010.zip.........exe
ssParis_Hilton_(Nude Screen Saver).scr.............exe
Win32System_Tweaks_v1.0.zip.........exe
ms games.zip.........exe
Virtual_3D_Pinball.zip.........exe
ssPamela_Anderson_(Naked Screen Saver).scr.........exe
Game_Crack_Genie_v0.5.zip.........exe
MsDos_PortScanner.zip.........exe
Wmplayer_Celebrity_Skins.zip.........exe
Shockwave Flash.zip.........exe
SWF_Movie.zip.........exe
FlashMovie.zip.........exe
XXX video.zip.........exe
Cat attacks child.zip.........exe
SWF.zip.........exe
Comedy video.zip.........exe
Simpsons Episode (#36)..zip.........exe
Tutorial Video on Hacking.........exe
MacroMedia Flash 6.0.zip.........exe
[SWF] - The Fast and the Furious.zip.........exe
[SWF] - Swordfish.........exe
[SWF] - Harry Potter and the philosophers stone.zip.........exe
big one in the world.zip.........exe

The worm adds the following registry entry:
HKEY_CURRENT_USER\Software\Kazaa\Transfer\StartKazaa -SilentRun = C:\Program Files\Kazaa\My Shared Folder\Shared

It copies itself as the following to all folders whose names contain "shar", and to their subfolders:
Britny spears and Madona sex viedio in 24 min only.zip.................exe
Iraq war.zip.................exe
last messengers versions.zip.................exe
learn photo shop in 3 days only.zip.................exe
new cupied photos.zip.................exe
new girls emails with there phone numbers.zip.................exe
strong fire wall allover the world with thelast update of norton.zip.................exe
USA discvered water in mars yesterday.doc.zip.................exe

Then it also copies itself as:
c$\windows\system32\pass word of hotmail store.zip................exe
c$\winnt\systemm32\speial films links in net.zip.............................exe
c$\documment and settings\all users\documents\secret documents.zip......................exe
c$\money generator very dengerous and secrt.zip..........................exe
c$\shared\my sallary every mmonth increaser.................................exe
ipc$\secret photoes from my chat.zip...............................exe
admin$\system32\see this it is very intersting.zip...................................exe
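
Added example (not part of the original writeup): a Python sketch that flags the naming pattern shared by the worm's copies listed above, namely a decoy extension or a run of dots placed before the real executable extension, and that extracts the open= target from an autorun.inf like the ones the worm writes to D:\ and E:\. The extension sets and the function names are assumptions of this example; the sample inputs are copied from this page.

```python
import re
from pathlib import PureWindowsPath

# Extension sets are assumptions of this example; tune them to local policy.
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd"}
DECOY_EXT = {"zip", "doc", "txt", "jpg", "scr", "pdf", "mp3", "avi"}

# stem, the run of dots before the last extension, and that extension
_TAIL = re.compile(r"^(?P<stem>.*?)(?P<dots>\.+)(?P<ext>[^.]+)$")


def masquerade_reasons(path):
    """Return why a file name looks like a disguised executable ([] if not)."""
    name = PureWindowsPath(path).name.strip()
    m = _TAIL.match(name)
    if not m or m["ext"].lower() not in EXECUTABLE_EXT:
        return []
    reasons = []
    if len(m["dots"]) > 1:  # a long dot run pushes the real extension out of view
        reasons.append("dot-padding")
    inner = m["stem"].rsplit(".", 1)
    if len(inner) == 2 and inner[1].strip().lower() in DECOY_EXT:
        reasons.append("decoy-extension:" + inner[1].strip().lower())
    return reasons


def autorun_open_target(text):
    """Return the open= value of the [autorun] section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "open":
                return value.strip()
    return None


# Sample inputs copied from the file names and autorun.inf listed in this writeup.
SAMPLES = [
    r"C:\Program Files\Kazaa\My Shared Folder\Shared\new film.zip.........exe",
    r"c$\shared\my sallary every mmonth increaser.................................exe",
    r"D:\FUN.ZIP.EXE",
    r"%Windir%\system\system copy.exe",
]
AUTORUN_E = "[autorun]\nopen=Messenger 9.00.ZIP.EXE\n"

if __name__ == "__main__":
    for p in SAMPLES:
        print(masquerade_reasons(p) or ["no-flag"], p)
    target = autorun_open_target(AUTORUN_E)
    print("autorun open =", target, masquerade_reasons(target))
```

Names such as %Windir%\system\system copy.exe carry no disguise in the file name, so they are not flagged here and still have to be matched against the path and registry lists in this writeup.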

It creates a net share "Britny", which maps to C:\Britny.

The worm sends the following message to other users:
Message from [name of infected computer] to [workgroup] on [time]:
* hi welcome in our network you can see the new film of Britny spears from the computer which shown it is very interesting film or see it also from any shared folder <<habby interesting time in our net cafe bi>>

It opens a browser window to:
http://www.originalicons.com/?oi=funnyphotos.php?emailfrom=mgasalgya_4ever@hotmail.com!pi%20c=woman.jpg#topofpage

Next, the worm creates the file D:\new computer worm alert\virus alert.txt, which is a text file containing the following text:
your computer have been infected by:-
Egywormo[gen1]
this worm may lead to increase hard disk space,slow your system and also can destroy your c:\ drive
aim of this worm is catching more victems and give them ip and some email details then destroy hard space with system exclusion
creation by XP10 VIRUS MASTER
contact us in <mgasalgya_4ever@hotmail.com>

The worm uses Microsoft Outlook to send emails that may have the following characteristics:

To: mgasalgya_4ever@hotmail.com
Subject: Sir new victem
Message:
Hi:sir i'm your server Egywormo[gen1] this is new victem who has own outlook machine i caputre his contacts and go there to infect them.... ok i'll go now and see you soon when i infect more ......bibi sir

To: mgasalgya_4ever@hotmail.com
Subject: Egywormo give her sir email of victem
Message: password of victem email

The worm also uses Microsoft Outlook to send a copy of itself as an attachment to all the email addresses that it finds in the Outlook Address Book. The email has the following characteristics:

Subject: Nicole kidman secrets
Message:
Hi,this is secret files of <<Nicole Kidman>> contain her sexy photoes in Florida,her credits ,part of her new film {Bn-laden days} and her telephones numers with here email.....see it and replay us please ..... it is very interesting secret files ..bibi

Subject: BRITNY SPEARS MARRAGE
Message:
Hi,this is secret files of <<Britny spears>> contain her marrage photoes in texas,part of her marrage party and her reactions about madona.....see it and replay us please ..... it is very interesting secret files ..bibi

Subject: Is Bnladen realy cow boy
Message:
Hi: mr or miss some amricans say befor 20 yrs Bnladen was cow boy these photoes and parts of vidioes prove it <<photos and vedioes in attachement file>>

Subject: Chance for holyday
Message:
If u you want to have anice holyday you must call us at this adress USA MITCHGEN and we will give greate offer details in this attachment

Subject: To contact new friends
Message:
Hi:miss or mr you can contact new friends all ever the world deatails in attachmment file

Subject: New version of kasper fire wall
Message:
this is the new update and last version of kasper fire wall it contains more and new advantages

Subject: SEXY FILES
Message:
This attachmment contain very hard sexy photos with part of sexy films interest and replay us

Subject: BRITNY SPEARS MARRAGE
Message:
Hi;this is some photoes of Britney Spears marrage with Bnladen son in flash file so<<<<if the winzip file not run you must change the extention to exe to execute it
Attachment: Britny spears marrage with Bnladensun.zip

This threat is written in Microsoft Visual Basic.