I clicked an e-mail attachment and immediately regretted it

I was very tired, OK?

The funny thing was what the virus/spyware tried to do.

After receiving an e-mail looking like an automated return message, I clicked a .HTA attachment in Microsoft Outlook 98, which launched a barebones IE dialog.

The VBScript in the HTA contained a binary attachment as a string, and then converted the string to binary and wrote it to c:\mware.exe. It executed the new mware.exe, which then created

  • NT32.LGC in the Windows\applog directory
  • nt32.exe and mon32.dll in a Windows\a~d directory

It added an "fgh" entry to the startup tab (accessible by running "msconfig" from the command line and selecting the Startup tab, see Q312931), and proceeded to run in the background, loading automatically on every startup.

And mware.exe got deleted.
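A static triage check for the kind of HTA described above, added here as an example and not taken from the original post: it flags an HTA that combines an embedded payload string, a file write and a program launch. The two HTA samples, the indicator names and the thresholds are constructed for illustration.

```python
import re

# Heuristic indicators of an HTA that carries a binary as a string, writes it
# to disk and runs it. Names and thresholds are my own choices (assumptions).
INDICATORS = {
    "filesystem_object": r"Scripting\.FileSystemObject",
    "file_write":        r"\.(CreateTextFile|OpenTextFile|SaveToFile)\s*\(",
    "shell_object":      r"WScript\.Shell",
    "program_exec":      r"\.(Run|Exec|ShellExecute)\b",
    "exe_path":          r'"[^"\n]*\.exe"',
    "long_string":       r'"[^"\n]{200,}"',                        # payload as one literal
    "chr_chain":         r"(?:Chr\s*\(\s*\d+\s*\)\s*&\s*){16,}",   # payload rebuilt byte by byte
}

def triage_hta(text):
    """Return (verdict, hits) for the source text of an .HTA file."""
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, text, re.I)]
    carries_payload = "long_string" in hits or "chr_chain" in hits
    drops = "file_write" in hits or "filesystem_object" in hits
    executes = "program_exec" in hits and "shell_object" in hits
    if carries_payload and drops and executes:
        verdict = "likely dropper"
    elif drops or executes:
        verdict = "suspicious"
    else:
        verdict = "no dropper indicators"
    return verdict, hits

# Constructed sample: a harmless HTA that only shows a message box.
BENIGN_HTA = (
    '<html><head><title>Status</title><script language="VBScript">\n'
    'Sub Window_OnLoad\n  MsgBox "Your message was delivered."\nEnd Sub\n'
    '</script></head><body>Delivered.</body></html>'
)

# Constructed sample: the shape the post describes. The blob is filler, not a
# real binary, and Decode() is a stand-in for the string-to-bytes step.
DROPPER_HTA = (
    '<html><head><script language="VBScript">\n'
    'blob = "' + "A" * 240 + '"\n'
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'Set f = fso.CreateTextFile("c:\\mware.exe", True)\n'
    'f.Write Decode(blob)\nf.Close\n'
    'CreateObject("WScript.Shell").Run "c:\\mware.exe"\n'
    '</script></head></html>'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_HTA), ("dropper", DROPPER_HTA)):
        verdict, hits = triage_hta(sample)
        print(f"{label}: {verdict} {hits}")
```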

Now the problem was that this program either was intended for a different Windows version, or coded poorly. The authors intended for it to monitor IE accessing web.da-us.citibank.com, and (I guess this by viewing the code in a plain text editor) store the info (probably username/password) in %windir%\a~d\delete_me.log. I cannot tell if it sends the info from the machine, or, considering that the person who was stupid enough to click on it probably doesn't have a firewall, leaves the data in the delete_me.log to get grabbed later.

What it actually did was crash my IE. And my Control Panel applets.

So much for stealth.

To remove it, I followed the directions in the KB article.

And to prevent it in the future, I won't double-click any attachments ever again. You do know that feature is actually a bug, right?

FYI, the package was classified as "Worm/Jeem.1" - and I can't find any info on the payload.


Written by Andrew Ittner in misc on Sun 22 February 2004. Tags: complaint, technology