Email-Worm.Win32.Silly or Silly is an email worm that spreads via the Internet as an attachment found inside infected messages. It sends itself to email addresses harvested from the victim computer. The worm itself is a PE EXE file 15462 bytes in size, written in Visual Basic.
When installing, the worm copies itself to the Fonts folder in the Windows root directory under a random name (where XXX is a random name):
The worm also registers itself in the system registry, ensuring that it will be launched each time Windows is rebooted on the victim machine (XXX is a random name):
The worm modifies the following system registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState "fullpath"="1" HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "HideFileExt" = "1" "Hidden" = "0"
The worm will harvest .contact files and other address books and send a copy of the worm to said addresses. They will be in this format
- Message Subject: Document
- Attachment: Document.exe
- Body: <No content>
Securelist (Kaspersky Labs), Email-Worm.Win32.Silly.e