From the Swiss KAV website »
www.kav.chI-Worm.Chet
This is the worm virus spreading via the Internet being attached to infected emails. The worm itself is a Windows PE EXE file about 27Kb of length written in Microsoft Visual C++.
The infected messages have following fields:
From: main@world.com
To: You
Subject: All people!!
Attachment: 11september.exe
Message text: Dear ladies and gentlemen! The given letter does not contain viruses, and is not Spam. We ask you to be in earnest to this letter. As you know America and England have begun bombardment of Iraq, cause of its threat for all the world. It isn't the truth. The real reason is in money laundering and also to cover up traces after acts of terrorism September, 11, 2001. Are real proofs of connection between Bush and Al-Qaeda necessary for you? Please! There is a friendly dialogue between Bin Laden and the secretary of a state security of USA in the given photos. In the following photo you'll see, how FBI discusses how to strike over New York to lose people as much as possible. And the document representing the super confidential agreement between CIA and Al-Qaeda is submitted to your attention. All this circus was specially played to powder brains!! You'll find out the truth. Naked truth, instead of TV showed. For your convenience, and to make letter less, all documentary materials (photos and MS Word documents) are located in one EXE file. Open it, and all materials will be installed on your computer. You will receive the freshest and classified documents automatically from our site. It isn't a virus! You can trust us absolutely. We hope, that it will open your eyes on many things occurring in this world.
The worm activates from infected email only in case a user clicks on attached file. The worm then installs itself to the system and runs spreading routine.
Installing
While installing the worm copies itself to Windows system directory with the "synchost1.exe" name and registers that file in system registry auto-run key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ICQ1 = %SystemDir%\synchost1.exe
The original file is then deleted.
Spreading
To get victim emails the worm connects to MS Outlook and sends messages to all addresses found in Outlook address book. It also gets to WAB file(s) and reads victim emails from there.
To send infected messages the worm uses direct connection to SMTP server "mail.ru".
Other
The worm also sends two notification messages to its "master". One notification is sent before spreading (see above), the second message is sent just after spreading routine. These two messages are sent to three addresses:
connectionICQ@mail.ru
Icq_Premium@mail.ru
PremiumServ@mail.ru
They have following subjects:
message1: Otchet from user
message2: Otchet2 from user
The message body contains victim emails list and worm's EXE file full name.