

Email-Worm.Win32.Silly or Silly is an email worm that spreads via the Internet as an attachment found inside infected messages. It sends itself to email addresses harvested from the victim computer. The worm itself is a PE EXE file 15462 bytes in size, written in Visual Basic.

Behavior

When installing, the worm copies itself to the Fonts folder in the Windows root directory under a random name (where XXX is a random name):

%Windir%\Fonts\XXX.com

The worm also registers itself in the system registry, ensuring that it will be launched each time Windows is rebooted on the victim machine (XXX is a random name):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

"TempCom"="%Windir%\Fonts\XXX.com"

The worm modifies the following system registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState

"fullpath"="1"

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

"HideFileExt" = "1"

"Hidden" = "0"
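
The host indicators above can be checked against a registry snapshot. The following Python is an added example, not code from the original write-up or from Securelist: it flags any Run-key entry whose program is an executable located directly in the Fonts folder, and reports the listed Explorer values as supporting evidence. The snapshot layout (a dict of key path to values), the function names, the wider extension list and the sample data are assumptions made for illustration.

```python
import ntpath
import re

# Indicators as listed on this page; registry data is compared as strings.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
EXPLORER = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"
EXPLORER_VALUES = {
    (EXPLORER + r"\CabinetState", "fullpath"): "1",
    (EXPLORER + r"\Advanced", "HideFileExt"): "1",
    (EXPLORER + r"\Advanced", "Hidden"): "0",
}
EXECUTABLE_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}  # assumption: generalised

def command_path(command, windir=r"C:\Windows"):
    """Return the normalised, lower-cased program path of a Run-key command line."""
    # A lambda replacement keeps the backslashes in windir literal.
    text = re.sub(r"%(windir|systemroot)%", lambda m: windir, command.strip(), flags=re.I)
    program = text[1:].split('"', 1)[0] if text.startswith('"') else text.split(" ", 1)[0]
    return ntpath.normpath(program).lower()

def findings(registry, windir=r"C:\Windows"):
    """registry maps key path -> {value name: data}; returns (key, name, reason) tuples."""
    keys = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in registry.items()}
    fonts = ntpath.normpath(ntpath.join(windir, "Fonts")).lower()
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        path = command_path(str(data), windir)
        if ntpath.dirname(path) == fonts and ntpath.splitext(path)[1] in EXECUTABLE_EXTS:
            hits.append((RUN_KEY, name, "autorun executable in Fonts folder"))
    for (key, name), expected in EXPLORER_VALUES.items():
        # Supporting evidence only: HideFileExt=1 is also the Windows default.
        if str(keys.get(key.lower(), {}).get(name.lower())) == expected:
            hits.append((key, name, "Explorer value matches this write-up"))
    return hits

# Constructed sample data, not taken from a real host.
SAMPLE = {
    RUN_KEY: {
        "TempCom": r"%Windir%\Fonts\qzkvw.com",
        "ExampleTray": r'"C:\Program Files\Example\tray.exe" /min',
        "Traversal": r"%SystemRoot%\Fonts\..\System32\example.exe",
    },
    EXPLORER + r"\Advanced": {"HideFileExt": 1, "Hidden": 1},
}

if __name__ == "__main__":
    for hit in findings(SAMPLE):
        print(hit)
```

Because the file name is random, the check keys on the location and extension of the autorun target rather than on the name; value names in the Run-key results are reported lower-cased.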

Spreading Routine

The worm harvests .contact files and other address books and sends a copy of itself to the addresses it finds. The messages have the following format:

Message Subject: Document
Attachment: Document.exe
Body: <No content>

Sources

Securelist (Kaspersky Labs), Email-Worm.Win32.Silly.e
