We have come across a new worm with some characteristics that make it worth a blog post. The first is its size: around 325,120 bytes, packed with UPX. This made us wonder what was inside and what made it so big.
First, we learned that this one loves P2P networks and modifies the registry. The second interesting thing is that it creates a random number of compressed files in the "c:\WINDOWS\shared" folder. Inside them you can find Trj/Spyforms.S.
But how does it choose the file names? It has more than 37,000 different names hardcoded inside. When we extracted them, they filled a 664-page document! That explained why it was so big.
Of course we are not going to publish the whole list; it is far too long. Here are a few of them:
Stingray Studio 2004 v1.0.czip
Stitcher v4.01.czip
STL Editor v1.0.czip
STL Import v1.0.czip
STL Import v1.01 for AutoCAD.czip
StmProps v1.1.2.czip
Stock1 v1.21.czip
Stock1 v1.10.czip
Stock1 v1.09.czip
As usual, you can find more information about this worm in the encyclopedia.
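The lure files follow a recognisable "<software name> v<version>.czip" pattern, which a defender can use to check a machine for the drop folder described above. The script below is an added example, not code from the original post or from the analysed sample; the drop path, the name pattern and the sample file list are assumptions drawn from the write-up.

```python
import os
import re

# Heuristic for the lure names shown in the write-up:
# "<software name> v<version>[ for <host application>].czip"
LURE_NAME = re.compile(r"^.+ v\d+(?:\.\d+)*(?: for .+)?\.czip$", re.IGNORECASE)

# Drop folder named in the write-up (assumed to be on a Windows host).
DEFAULT_DROP_DIR = r"c:\WINDOWS\shared"

# Constructed sample directory listing: names from the post plus benign files.
SAMPLE_NAMES = [
    "Stingray Studio 2004 v1.0.czip",
    "STL Import v1.01 for AutoCAD.czip",
    "desktop.ini",
    "Stock1 v1.21.czip",
    "holiday photos v2.jpg",
    "readme.txt",
]


def classify_names(names):
    """Return the file names that match the worm's lure-file naming pattern."""
    return [n for n in names if LURE_NAME.match(n)]


def scan_drop_dir(path=DEFAULT_DROP_DIR, threshold=3):
    """Scan a directory for lure-style .czip files.

    Returns (matches, suspicious); suspicious is True once the number of
    matches reaches the threshold. A missing directory yields no findings.
    """
    try:
        names = [e.name for e in os.scandir(path) if e.is_file()]
    except FileNotFoundError:
        return [], False
    matches = classify_names(names)
    return matches, len(matches) >= threshold


if __name__ == "__main__":
    found, flagged = scan_drop_dir()
    print(f"{len(found)} lure-style file(s) found, suspicious={flagged}")
    for name in found:
        print("  ", name)
```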