Dynamic worm wreaks havoc

A rather industrious worm has been detected by Trend Micro threat analysts, and it usually infects users who have been careless enough to click on a link offered in a variety of unsolicited emails.

The emails use various approaches. Sometimes it’s a “Document I told you about”. Other times it’s a “Free download of a sex movie” or a job application letter. In any case, the presented link points to the worm.

When executed, the worm does a whole bunch of things:

  • Terminates the running AV solution and attempts to delete it
  • Creates registry entries that deactivate security alerts and secure desktop prompting
  • Tries to access users’ Yahoo! Messenger files (possibly trying to harvest Yahoo! Messenger IDs to send copies of itself)
  • Uses the Messaging Application Programming Interface (MAPI) to send out emails with a copy of itself (it can also spread via removable drives)
  • Connects to several malicious websites
  • Forces the sharing of some System folders as Updates
  • Downloads a backdoor

The interesting thing is that Trend Micro detected the packed version of this same worm a while back, so they speculate that the criminals behind this version have managed to get their hands on the original code and adjusted it to their needs.