- Virus is 32-bit, with a UPX compressed size of 217,600
- When first executed, the virus may display an image and, in the background, may run WINIPCFG.EXE in order to capture IP information to a file named "ipinfo.txt" and save this file into the
- The virus may then write two uuencoded files, which are then decoded -
c:\WINDOWS\hoen.txt -> hoen.exe - 40Kb Trojan
c:\WINDOWS\tcasuta.txt -> tcasuta.exe - 220Kb virus
The file hoen.exe is executed at the next Windows startup and is then copied to the Windows\System folder as "tcasutb.exe"; the registry is then modified to load this file at Windows startup and open connections with the Internet on TCP port
tcasutb.exe = "C:\WINDOWS\SYSTEM\tcasutb.exe"
The virus backs up copies of the Outlook Express mailboxes and prefixes the backup .DBX file name with "bek", as in this example -
The virus scavenges these files for email addresses to create a list of targets.
The virus writes additional files to the Windows folder -
* accountboy.ini - contains POP3/SMTP email configuration details in the following format:
* attachready.ini - contains date email propagation routine was initiated, in this format:
* mailboy.ini - contains email addresses, in this format:
Continues for as many addresses as could be found in the Windows Address Book
* mailboy2.ini - contains all email addresses found by searching all .DBX folders related to Outlook Express, in this format:
4=email address (and so on)
* passboy.ini - contains email configuration data
The virus attempts to connect to one of several hard-coded SMTP servers and sends itself as a single MIME-encoded message to each contact listed in the Outlook Address Book, in this format (the URL in the body is no longer accessible) -
Subject = Maxima Screensaver
Attachment = "screenmaxima.scr"
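The dropped files, the "bek"-prefixed mailbox backups and the tcasutb.exe startup entry listed above are the host-side indicators a responder would look for. The following is an added triage example written for this write-up, not a tool or code from the description's vendor: it takes a constructed list of file paths and a constructed dictionary of startup (Run) value name/data pairs and reports which ones match the artifacts named above. The file names, the "bek" prefix and the `tcasutb.exe = "C:\WINDOWS\SYSTEM\tcasutb.exe"` value shape come from the description; the sample paths, the identity folder placeholder and the benign entries mixed in are constructed, and the exact registry key that holds the startup value is not stated on the page, so the function simply accepts whatever name/data pairs the caller has exported from the Run key.

```python
"""Triage helper for the file and startup artifacts described in the write-up.

Added example: matches file names and Run-key values against the indicators
named in the description.  All sample input below is constructed.
"""
import ntpath
import re

# File names the description says the virus drops or creates.  Matching is
# case-insensitive because Windows file systems are.
DROPPED_FILES = {
    "ipinfo.txt",
    "hoen.txt", "hoen.exe",
    "tcasuta.txt", "tcasuta.exe", "tcasutb.exe",
    "accountboy.ini", "attachready.ini",
    "mailboy.ini", "mailboy2.ini", "passboy.ini",
}

# Mailbox backups: the original .DBX name with "bek" prefixed.
BACKUP_DBX = re.compile(r"^bek.+\.dbx$", re.IGNORECASE)


def first_token(cmd):
    """Return the executable part of a Run-key command string, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def flag_paths(paths):
    """Return the paths whose file name matches a dropped file or a bek*.dbx backup."""
    hits = []
    for path in paths:
        name = ntpath.basename(path).lower()
        if name in DROPPED_FILES or BACKUP_DBX.match(name):
            hits.append(path)
    return hits


def flag_run_values(run_values):
    """run_values: {value name: command string} exported from a Run key.

    Flags any value that launches tcasutb.exe, the copy the description says
    is registered to load at Windows startup.
    """
    hits = {}
    for name, cmd in run_values.items():
        if ntpath.basename(first_token(cmd)).lower() == "tcasutb.exe":
            hits[name] = cmd
    return hits


def triage(paths, run_values):
    """Combine both checks into one report."""
    return {"files": flag_paths(paths), "run": flag_run_values(run_values)}


# Constructed sample input: a mix of artifacts from the description and benign
# entries.  "{IDENTITY-GUID}" is a placeholder for an Outlook Express identity.
SAMPLE_PATHS = [
    r"C:\WINDOWS\hoen.txt",
    r"C:\WINDOWS\SYSTEM\tcasutb.exe",
    r"C:\WINDOWS\mailboy2.ini",
    r"C:\WINDOWS\Application Data\Identities\{IDENTITY-GUID}\Microsoft\Outlook Express\bekInbox.dbx",
    r"C:\WINDOWS\Application Data\Identities\{IDENTITY-GUID}\Microsoft\Outlook Express\Inbox.dbx",
    r"C:\WINDOWS\NOTEPAD.EXE",
]
SAMPLE_RUN = {
    "tcasutb.exe": r'"C:\WINDOWS\SYSTEM\tcasutb.exe"',   # value shape from the description
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",  # constructed benign entry
}

if __name__ == "__main__":
    report = triage(SAMPLE_PATHS, SAMPLE_RUN)
    for path in report["files"]:
        print("suspicious file:", path)
    for name, cmd in report["run"].items():
        print("suspicious startup value:", name, "=", cmd)
```

Only file names are matched, so a listing produced by any directory walk or forensic export can be fed to `flag_paths`; the untouched Inbox.dbx is deliberately left out of the report while its bekInbox.dbx copy is flagged.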