Email-Worm.Win32.Quamo is an email worm that spreads via Microsoft Outlook.

Behavior

Arrival

[Image: Quamo email. The worm, along with its email.]

Quamo spreads via the Internet, attached to infected emails. The worm itself is a Windows PE .exe file about 57KB in length, and it is written in VBS.

The infected messages contain different subjects, bodies and attached-file names that are randomly selected from the following variants:

Subjects:

Something very special
I know you will like this
Yes, something I can share with you
Wait till you see this!
A brand new game! I hope you enjoy it

Bodies (one-line):

Hey you, take a look at the attached file. You won't believe your eyes when you open it!
You like games like Quake? You will enjoy this one.
Did you see the pictures of me and my battery operated boyfriend?

Multiline texts:

My best friend,
This is something you have to see!
Till next time
Is Internet that safe?
Check it out

Payload

[Image: Quamo installer. The bogus installer.]

While installing into the system, the worm creates the new directory C:\EIRAM, and copies itself using the following names:

c:\eiram\quake4demo.exe
f:\quake4demo.exe (if this drive exists)

and then registers these files in the Registry auto-run keys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"quake"="c:\eiram\quake4demo.exe"
"Q4"="f:\quake4demo.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Q4"="c:\\eiram\quake4demo.exe"
"quake"="f:\quake4demo.exe"

Later, while sending e-mail messages, the worm may also create further copies of itself in the Windows directory:

honey.exe
quake4demo.exe
setup.exe
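A check for the Run-key entries listed above, as an added example that is not part of the original article: it scans the text of a registry export for auto-run values pointing at the two quake4demo.exe paths, tolerating case differences and doubled backslashes such as the `c:\\eiram` form shown above. It assumes the export has already been decoded to text; the function names and the sample export are this example's own constructions.

```python
import re

# Indicators copied from the description above.
RUN_KEY_SUFFIX = r"software\microsoft\windows\currentversion\run"
IOC_PATHS = {r"c:\eiram\quake4demo.exe", r"f:\quake4demo.exe"}
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed sample of a decoded .reg export (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"quake"="c:\\eiram\\quake4demo.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Q4"="C:\\\\EIRAM\\quake4demo.exe"
"quake"="f:\\quake4demo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Run]
"quake"="c:\\eiram\\quake4demo.exe"
'''


def normalize(data):
    """Lower-case, drop surrounding quotes, collapse runs of backslashes."""
    return re.sub(r"\\+", r"\\", data.strip().strip('"').lower())


def find_quamo_autoruns(reg_text):
    """Return (hive, value name, normalized path) for each matching Run value."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # start of a new key section
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_KEY_SUFFIX):
            continue                  # not a string value under a Run key
        name, data = m.group(1), normalize(m.group(2))
        if data in IOC_PATHS:
            hits.append((key.split("\\", 1)[0], name, data))
    return hits


if __name__ == "__main__":
    for hit in find_quamo_autoruns(SAMPLE_REG):
        print(hit)
```

Matching is done on the value data rather than the value name, so the same path registered under a key other than a `CurrentVersion\Run` key is deliberately not reported.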

Spreading

The e-mail spreading routine is activated only when a user presses the [Cancel] button in the message box.

To send infected messages, the worm uses Microsoft Outlook and sends messages to all addresses found in the Outlook address book.

Upon each start, the worm activates its payload routine, which searches for the following files: *.exe, *.xls, *.doc, *.mdb, *.htm, *.html, *.txt, *.ocx and overwrites them with the following text:

You've didn't protected [sic] your files well enough
Let this be a lesson! Never trust someone else
eiram 1999-2001
