Email-Worm.Win32.Quamo is an email worm that spreads via Microsoft Outlook.
Quamo spreads via the Internet, attached to infected emails. The worm itself is a Windows PE .exe file about 57KB in length, and it is written in VBS.
The infected messages contain different subjects, bodies and attached-file names that are randomly selected from the following variants:
Something very special I know you will like this Yes, something I can share with you Wait till you see this! A brand new game! I hope you enjoy it
Hey you, take a look at the attached file. You won't believe your eyes when you open it! You like games like Quake? You will enjoy this one. Did you see the pictures of me and my battery operated boyfriend?
My best friend, This is something you have to see! Till next time
Is Internet that safe? Check it out
While installing itself into the system, the worm creates a new directory, C:\EIRAM, and copies itself under the following names:
c:\eiram\quake4demo.exe
f:\quake4demo.exe (if this drive exists)
and then registers these files in the Registry auto-run keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"quake"="c:\eiram\quake4demo.exe"
"Q4"="f:\quake4demo.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Q4"="c:\\eiram\quake4demo.exe"
"quake"="f:\quake4demo.exe"
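Added example, not part of the original description: a Python check that scans the text of a registry export for Run values whose data is one of the two paths listed above. The function names, the sample export and the assumption that the export has already been decoded to text are assumptions of this example.

```python
import re

# Indicators from the description above (Run-key data), compared lower-case.
IOC_PATHS = {r"c:\eiram\quake4demo.exe", r"f:\quake4demo.exe"}
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in "reg export" text form, not captured from a host.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"quake"="c:\\eiram\\quake4demo.exe"
"ExampleApp"="C:\\Program Files\\Example\\app.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Q4"="C:\\EIRAM\\quake4demo.exe"
"quake"="f:\\quake4demo.exe"

[HKEY_LOCAL_MACHINE\Software\Example\Settings]
"last"="f:\\quake4demo.exe"
'''


def normalize(path):
    """Lower-case and collapse backslash runs (.reg files escape them)."""
    return re.sub(r"\\+", r"\\", path.strip().lower())


def find_quamo_run_entries(reg_text):
    """Return (key, value name, normalized data) for matching Run values."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_SUFFIX):
            continue
        # Match on the data path; a name such as "quake" alone proves nothing.
        data = normalize(m.group(2))
        if data in IOC_PATHS:
            hits.append((key, m.group(1), data))
    return hits


if __name__ == "__main__":
    print(*find_quamo_run_entries(SAMPLE), sep="\n")
```

Values under keys other than Run are ignored even when their data matches, so the last entry in the sample is not reported.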
Later, while sending e-mail messages, the worm may also create additional copies of itself in the Windows directory:
honey.exe
quake4demo.exe
setup.exe
The e-mail spreading routine is activated only when a user presses the [Cancel] button in the message box.
To send infected messages, the worm uses Microsoft Outlook and sends messages to all addresses found in the Outlook address book.
Upon each start, the worm activates its payload routine, which searches for the following files:
*.exe, *.xls, *.doc, *.mdb, *.htm, *.html, *.txt, *.ocx
and overwrites them with the following text:
You've didn't protected [sic] your files well enough Let this be a lesson! Never trust someone else eiram 1999-2001